Token authentication and authorisation for a self-hosted ASP.NET Web API 2 REST service
I'm using VS2013 and Web API 2 to create a self-hosted (using OWIN), RESTful service over SSL using token authentication. Although I'm not a novice developer, this is my first time looking at ASP.NET technologies, so please keep that in mind.

I've got everything more-or-less working except for the authentication and authorisation parts. I fully understand the difference of authenticating a user (who is this user?) and authorising an already authenticated user to access a resource (can this user access this particular resource?).

A very simple overview of my auth process is as follows (makes some assumptions for brevity):

  1. An unknown client connects to the API, e.g. GET api/values.
  2. The server responds with a 401 and this response header: "WWW-Authenticate: Token".
  3. Upon seeing this, the unknown client knows to connect to a different API endpoint here: POST api/auth (routed to the Login function), supplying the username and password.
  4. The server will try to figure out if this is a valid user and can accept or reject the user depending on the validity of the credentials.
  5. (Rejected) The server returns an error status code (403?). End of process.
  6. (Accepted) The server creates a random token (e.g. a GUID) and stores it against the user record. Then it sends the token to the client.
  7. The now authenticated client reconnects to the API, GET api/values, and this time also supplies the token.
  8. The user returns the resource data to the client.
  9. ...
  10. The user can log out by connecting to the same API as he used to log in: POST api/auth (this time, his request will be routed to the Logout function). This will remove the token from the server and the client will also have to remove its own token.

As you can see, this is a relatively simple process, but I can't find any concrete and simple examples to understand how best to achieve this with a self-hosted Web API 2.

I don't need to register users or do any password/roles management, etc. and there is no external authentication. All valid users have the same rights to access the resources and they're already created in the system by a separate process over which I have no control (I can only read their credentials for validation). Most examples I found are talking about security frameworks that I don't need, so I've ruled out using any of the following: Basic Authentication, Windows Authentication, Forms Authentication, Individual Accounts, ASP.NET Membership/Identity, OAuth, Thinktecture or any other security framework.

I've read articles about authenticating in a message handler and others about authentication in a custom Authorize attribute filter, while others even suggest I should use the new (in Web API 2) IAuthenticateFilter attribute. This is very confusing. Can you please advise on a very simple way to achieve my auth objectives? Any specific code examples will be greatly appreciated, even if they're just skeleton implementation or pseudocode. I just need some ideas to get me started.

Jemina answered 14/5, 2014 at 13:36

Comment (Pakistan): Following an established framework that uses one of the enterprise protocols has great advantages - you can in future easily integrate with other services/providers/companies. Just say to them "my service uses oauth2 token authentication" or "we use ws-trust and ws-federation". On the other hand, a custom security protocol could be considered a potential issue from a security or business point of view. I suggest then reading and following this: apress.com/microsoft/asp-net/9781430257820

Comment (Jemina): Thank you for replying, Wiktor. The book you mentioned is actually already on order! I'll be writing both the server and the (mobile) clients and I'll be reusing code written by someone else to create tokens, hashes, etc. that has been statically verified by Veracode scans over a number of years. My resulting code will also be scanned in this way, so hopefully it will catch any obvious errors. It's true that "rolling my own" isn't always a good idea but, since I don't need to manage accounts or connect to external auth providers, I'm hoping that the potential problems might be minimised.

After a lot of googling, I found this article on CodeProject: http://www.codeproject.com/Articles/630986/Cross-Platform-Authentication-With-ASP-NET-Web-API. While this is not Web API 2 or self-hosted, it has given me a number of ideas on how to proceed.

Someone also posted a comment to that CodeProject article referencing a NuGet package that may interest anyone looking for something similar: https://www.nuget.org/packages/WebApiTokenAuth. In my case, it is a bit much.

Finally, in addition to the authentication options mentioned in the question, there's also the option to write an OWIN middleware to do authentication if self-hosting using OWIN (as per the official MS recommendation). However, I plan to implement this particular form of token authentication with a message handler, as there's more support for this method available than for writing OWIN middleware.

Jemina answered 16/5, 2014 at 13:47

Comment (Citizenship): I faced the same problem, and from what I see there's no unified way to handle authentication & authorization in Web API 2. The decision mostly depends on personal preference and project requirements.
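An added skeleton (my example, not the poster's code, the CodeProject article's, or the NuGet package's) of the ten-step flow from the question implemented the way the answer chooses, as a Web API 2 message handler. It assumes the client sends `Authorization: Token <value>`, a hypothetical in-memory TokenStore standing in for the user record, and the POST api/auth route from the question; credential checking itself stays in the Login action, and [Authorize] on the resource controllers enforces the principal the handler sets.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
// Hypothetical in-memory store, token -> user name (stand-in for the user record of step 6).
public static class TokenStore
{
    private static readonly ConcurrentDictionary<string, string> Tokens = new ConcurrentDictionary<string, string>();
    // Login (step 6): 256 bits from the CSPRNG; a GUID is unique but not guaranteed unpredictable.
    public static string Issue(string userName)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        Tokens[token] = userName;
        return token;
    }
    public static bool TryResolve(string token, out string user) { return Tokens.TryGetValue(token, out user); }
    // Logout (step 10): forget the token server-side so a copy the client still holds stops working.
    public static bool Revoke(string token) { string u; return Tokens.TryRemove(token, out u); }
}
// Message handler (register with config.MessageHandlers.Add in the OWIN Startup class): accepts
// "Authorization: Token <value>", sets the principal that [Authorize] checks, and answers every
// other request except the login POST with 401 + "WWW-Authenticate: Token" (step 2).
public class TokenAuthenticationHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var auth = request.Headers.Authorization;
        string user;
        if (auth != null && auth.Scheme == "Token" && auth.Parameter != null && TokenStore.TryResolve(auth.Parameter, out user))
        {
            var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "Token");
            request.GetRequestContext().Principal = new ClaimsPrincipal(identity);
            return await base.SendAsync(request, ct);
        }
        bool isLogin = request.Method == HttpMethod.Post && request.RequestUri.AbsolutePath.EndsWith("/api/auth", StringComparison.OrdinalIgnoreCase);
        if (isLogin) return await base.SendAsync(request, ct); // credentials are checked by the Login action
        var response = request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Token"));
        return response;
    }
}
```

Because login and logout share POST api/auth, a request carrying a valid token reaches the action with a principal set (logout calls TokenStore.Revoke on that token), while one without a token reaches it anonymously (login validates credentials and calls TokenStore.Issue). Tokens here never expire; a production store should attach an expiry and purge stale entries.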
