
What is the best way to limit access to a Web API 2 controller within an MVC project to only the hosted App Service?

I have created an endpoint which my MVC client is accessing. The entire application is published to Azure through an App Service. How can I now protect the endpoint from being called outside of the application context?

  • You want to only allow HTTP calls from specific IP addresses? Commented Dec 6, 2017 at 21:58
  • Sounds like a design problem. Are you sure a Web API was what you wanted? Commented Dec 6, 2017 at 22:18
  • It is the standard MVC project created through Visual Studio. I didn't want to use Razor Pages but use the Web API and JavaScript to make calls to it. However, I'd like to keep things simple and just ensure that requests are only processed from my page. Commented Dec 7, 2017 at 12:49
  • If you have a UI and you want nothing else running the code, why not handle it in a controller and not use Web API? An API is to allow other applications to interface with yours, but that is explicitly what you have said you do not want. Commented Dec 7, 2017 at 20:06
  • So I get you right: you have a Web API that is being accessed by an MVC client, and both of these are hosted in an App Service. You only want the MVC client to have access to the API? Commented Dec 8, 2017 at 12:37

2 Answers

1

Based on your comments you should consider restructuring your solution.

  • Consider moving your Web API to an independent project. This way your API is decoupled from your MVC app and you can deploy and scale it, if required, independently.
  • Move the MVC client app into its own independent project.
  • For authentication, I would consider implementing an authorization server (again in an independent project) that issues tokens to the client (in your case the MVC app); the client would then access the API using this token. For implementing an auth server you have a couple of options:
    • Use the ClientCredentials grant using IdentityServer4
    • Use the OWIN OAuth middleware to implement your auth server with the ClientCredentials grant
    • There are other OAuth implementations that you could use too.

Having a dedicated authorization server clearly separates out the identity responsibility allowing you to control access for other future clients and possibly restrict access to only certain endpoints (aka scopes).



0

You could use an API key in the request's header to filter out unwanted requests.

1. Implement a custom authorization attribute (AuthorizationFilter) class.

    using System.Collections.Generic;
    using System.Linq;
    using System.Net;
    using System.Net.Http;
    using System.Web.Http.Controllers;
    using System.Web.Http.Filters;

    public class AuthorizationFilter : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext ctx)
        {
            if (!VerifyHeaders(ctx))
            {
                // Reject the request before the action method runs
                ctx.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
                return;
            }

            base.OnAuthorization(ctx);
        }

        private bool VerifyHeaders(HttpActionContext ctx)
        {
            // Read the API key from the request header; TryGetValues returns false when the header is absent
            IEnumerable<string> values;
            if (!ctx.Request.Headers.TryGetValues("ApiKey", out values))
            {
                return false;
            }

            var apiKey = values.FirstOrDefault();
            return CheckApiKey(apiKey);
        }

        private bool CheckApiKey(string apiKey)
        {
            // Verification is done here. Placeholder: as written it accepts every key,
            // so replace it with a comparison against the configured key.
            return true;
        }
    }

2. In your controller class

    [HttpPost, AuthorizationFilter]
    public CustomerInfo GetCustomerInfo(CustomerInfoRequest request)
    {
        return Business.GetCustomerInfo(request);
    }

3. The request should contain the API key, which will be verified by the "OnAuthorization" method.
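One way to fill in the CheckApiKey placeholder, as an added example that is not part of the original answer: it reads the expected key from Web.config (the appSettings name "ApiKey" is an assumption), fails closed when either side is missing, and compares the two values in fixed time.

```csharp
using System.Configuration;
using System.Text;

public static class ApiKeyVerifier
{
    // Expected key from Web.config <appSettings>; the setting name "ApiKey" is an assumption.
    private static readonly string ExpectedKey = ConfigurationManager.AppSettings["ApiKey"];

    public static bool CheckApiKey(string presentedKey)
    {
        if (string.IsNullOrEmpty(ExpectedKey) || string.IsNullOrEmpty(presentedKey))
        {
            // Fail closed: a missing server-side key must never accept every request.
            return false;
        }

        return FixedTimeEquals(Encoding.UTF8.GetBytes(ExpectedKey),
                               Encoding.UTF8.GetBytes(presentedKey));
    }

    // Compare every byte regardless of where the first mismatch is, so the time taken
    // does not reveal how many leading bytes were correct. Written by hand because
    // CryptographicOperations.FixedTimeEquals is not available on .NET Framework.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
        {
            return false;
        }

        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

A key sent by browser-side JavaScript is visible to anyone who loads the page, so this filter only keeps out callers who never had access to the page; the token-based design in the other answer is what separates trusted clients from the rest.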

