RESTful Authentication with WebAPI


Solution 1

JavaScript clients are unique. Do you have the Web API and the page serving up JavaScript in the same domain? If not, you have same-origin policy restrictions. If you have the same Web application hosting the web pages and Web API, you can use forms Authn. In that case, you don't need to send the cookie containing the authentication ticket yourself from JavaScript. Browsers do that for you, and that is the cause of the XSRF problem. You have to be careful about JavaScript sending credentials that the end user is not supposed to know. If JavaScript knows something, any intelligent end user can get to that knowledge. OAuth 2.0 implicit grant could be a good choice. The end user enters the credentials (password) in the authorization server, which issues an access token. JavaScript gets the token and presents it to the web API, but it will never have access to the credentials.

Solution 2

Basically you need token-based authentication or authorization. If you are referring to the ASP.NET WebAPI, the following project will be a great place to start: http://thinktecture.github.com/Thinktecture.IdentityModel.45/

Even if you are not using ASP.NET WebAPI, the following video is a great introduction on how to provide authentication/authorization on RESTful web services: http://vimeo.com/43603474

To answer some of your questions:

Check to see if the user is logged in: How can this be done with javascript? Do I send a cookie to my webAPI? If so, do I send that cookie as a parameter in the body of the request?

You can use a cookie, but I normally use the header in order to avoid common XSRF attacks. Cookies are automatically included whenever an HTTP request is sent from the browser.

is this where SSL comes in?

Yes. If you are going to go ahead with the token based approach, you can use a separate server (Identity Server) to do the authentication for you.

Author: SB2055

Updated on September 14, 2022

Comments

  • SB2055
    SB2055 over 1 year

    I have a web service built with WebAPI that accepts JSON requests and responds accordingly. The core architecture is built but there isn't any authentication/authorization.

    After a lot of googling and poking around sample projects, I'm not sure where to start. I've found a ton of material from 2008 and 2009 but not a whole lot of recent guides/workflows for WebAPI / single page apps. I think the workflow should be as follows:

    1. Check to see if the user is logged in: How can this be done with javascript? Do I send a cookie to my webAPI? If so, do I send that cookie as a parameter in the body of the request?

    2. Let the user log in / register: How is this data encrypted/decrypted? Surely I can't be sending passwords over the wire... is this where SSL comes in?

    3. Provide them with access to what they have rights to access: I think I got this - I can just authorize in the controllers on a per-request basis.

    Any info would be awesome.

  • Snixtor
    Snixtor about 11 years
    @EvanLarsen Forms Authentication is token based.
  • SB2055
    SB2055 about 11 years
    Thanks Badri. The JS client is in a different domain - the client and API are decoupled. That said, what are your thoughts on Basic Authentication + SSL?
  • Badri
    Badri about 11 years
    JavaScript client (browser) + Basic Authn, even over SSL, is susceptible to XSRF. You can use something like Thinktecture identity server for issuing tokens over OAuth 2.0 implicit grant. A JavaScript client can request an access token this way and present it to the web API in the bearer scheme. That will be my #1 choice. You can use Basic Authn, but then you must make all GET requests to your API nullipotent and probably safeguard other methods somehow, like how they implemented anti-forgery tokens for MVC. My book covers this option.
  • SB2055
    SB2055 about 11 years
    Thanks so much for the quick response. Your book just landed on my doorstep - I'm looking forward to digging into it.
  • bbqchickenrobot
    bbqchickenrobot over 10 years
    Would forms auth work w/ mobile devices - i.e. - android/iphone/ipad?