Neil

Reputation: 715

ASP.NET Core MVC/WebAPI Authentication Schemes plus Anonymous

I'm having an issue with a website plus API I'm writing. These are in the same project, if that matters.

Reduced to its simplest form, it's a catalogue website and API. You have products in a database and pages which display product information. You also have other pages which allow editing this information and adding new products, etc.

There are three ways you can do this:

  1. Anonymous users can list products and view public information about them on the website.
  2. Signed-in users can list, view (including private info), edit, create and delete products on the website.
  3. Users with a valid API key can list, view (including private info), edit, create and delete products using the API.

The problem I'm having is that the website uses AJAX calls to the API, and these only work if the user of the website is authenticated. Calling the API without an authentication cookie or an API key fails by design.

What would be the recommended way of identifying the unauthenticated website to the back-end API in a secure way that allows it to work?

The ideas I've had include:

Upvotes: 0

Views: 110

Answers (1)

J S

Reputation: 879

You should use JSON Web Token authentication. To implement it in your API, please check the following link:

https://medium.com/@adegokesimi/implementing-jwt-and-refresh-token-in-net-core-2-2-web-api-b21ef6de2a19

By using JWT authentication in the pipeline of your WebApi, your problem will be solved.

Also, you can use an ASP.NET Core identity system for things like roles that can be implemented on specific controller methods; for example, "EDIT" can be allowed only to role admin, etc.

Kind regards, .js

Upvotes: 1
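A sketch of the setup the answer describes, added here as an example and not code from the answer or the linked article: JWT bearer validation in the pipeline, anonymous reads limited to public fields, and edit restricted to the admin role. It assumes .NET 6+ with the Microsoft.AspNetCore.Authentication.JwtBearer package; the configuration keys (`Jwt:Key`, `Jwt:Issuer`, `Jwt:Audience`), the `Product` record and the in-memory store are hypothetical.

```csharp
// Added example; names and config keys are assumptions, not from the original post.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
// Load the signing key from configuration/secret storage, never from source (>= 32 bytes for HS256).
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!));
builder.Services.AddControllers();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true, ValidIssuer = builder.Configuration["Jwt:Issuer"],
        ValidateAudience = true, ValidAudience = builder.Configuration["Jwt:Audience"],
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true, IssuerSigningKey = key
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

public record Product(int Id, string Name, string PublicInfo, string PrivateInfo);

[ApiController, Route("api/products"), Authorize]   // deny by default on every action
public class ProductsController : ControllerBase
{
    // Constructed sample data standing in for the database (not thread-safe).
    private static readonly List<Product> Store = new() { new(1, "Widget", "Blue", "Cost: 3.10") };

    [HttpGet, AllowAnonymous]   // anonymous callers are served, but only public fields
    public IActionResult List() =>
        User.Identity?.IsAuthenticated == true
            ? Ok(Store)
            : Ok(Store.Select(p => new { p.Id, p.Name, p.PublicInfo }));

    [HttpPut("{id:int}"), Authorize(Roles = "admin")]   // edit requires the "admin" role claim
    public IActionResult Edit(int id, Product updated)
    {
        var i = Store.FindIndex(p => p.Id == id);
        if (i < 0) return NotFound();
        Store[i] = updated with { Id = id };   // route id wins over the body's id
        return NoContent();
    }
}
```

The class-level `[Authorize]` keeps any action added later closed unless it is explicitly marked `[AllowAnonymous]`, and the anonymous branch projects to public fields on the server rather than trusting the client to hide private ones.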
