22

Assuming that I currently have a newly created project based on Visual Studio 2015 "WebApp" template with Individual Accounts authentication, I use Microsoft.AspNet.Authentication package and I can't always rely on cookies, because my web API should also target mobile apps:

How can I add authentication to my web API? I'm especially interested in token based authentication.

3
  • 4
    You don't keep authenticated data in the browser; you keep a Session variable that would be Session["IsAuthenticated"], and it would be true or false depending on whether the user/password passes logic / login or not. This is extremely easy, actually. There are tons of examples; look up the PrincipalContext class. There are also ways to do this by validating against SQL Server, etc. Commented Dec 14, 2015 at 21:07
  • 3
    ASP.NET Web API and MVC have merged in MVC 6. I think you'll find you can use whatever MVC is using, but obviously with Web API you're dealing with calls to endpoints rather than a prebuilt UI. Commented Dec 14, 2015 at 21:52
  • 2
    If you can't find any valuable information, then you're certainly looking in the wrong place. F.e.: Google leads me to this page within 5 seconds: asp.net/web-api/overview/security/… Commented Dec 29, 2015 at 9:46

3 Answers

4
+25

You can use basic HTTP authentication or implement a similar one with a token or ticket passed through HTTP headers.


1 Comment

But does this library that I use provide some way to generate those tokens? Do I have to develop and store those tokens by myself or is it already done?
3

Implement a custom AuthorizeAttribute in your web API project. In the IsAuthorized(HttpActionContext actionContext) overload you can check the authorization scheme and authorization header, and then you can connect to your sessions provider and check if the user has an active session. You must pass the login token in the authorization header, so if the token is missing that means there is no active user. So when you log in you must create and encrypt the token on successful login. Then pass this token with each request to the server.

This blog contains more information about using AuthorizeAttribute: http://weblogs.asp.net/jongalloway/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way


3

You can make a separate table in the DB for storing authentication details (AuthKey, UserID, CreatedDate, ExpiredDate, IsExpired) and make functions like CheckAuthorizationKey(string authKey), ExtendAuthorization(string authKey), ExpireAuthorization(string authKey)

and call those functions to check the authorization, as in the sample code below.

public ServiceResult<LoginModel> Login(string auth_key)
{
    var service = new ServiceResult<LoginModel>();
    LoginModel user = new LoginModel();

    // Reject the request before doing any other work if the key is unknown or expired.
    if (AuthKey.CheckAuthorizationKey(auth_key) == false)
    {
        service.message = TemplateCodes.GetMessage(TemplateCodes.UnAuthorize, null, db);
        service.status = ServiceStatus.authorization_failed;
        return service;
    }

    // ... (the rest of the method is not shown in the original answer)
    return service;
}
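An added example, not part of any answer above: one way the CheckAuthorizationKey / ExtendAuthorization / ExpireAuthorization functions could behave, with a key issued on successful login. The class name `AuthKeyStore`, the helper `IssueAuthorizationKey`, the in-memory dictionary standing in for the DB table, and the choice of a random key stored only as a SHA-256 digest (rather than an encrypted token) are all assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
// Hypothetical in-memory stand-in for the (AuthKey, UserID, CreatedDate, ExpiredDate, IsExpired) table.
public sealed class AuthKeyStore
{
    private sealed class Row { public string UserID; public DateTime CreatedDate, ExpiredDate; public bool IsExpired; }
    private readonly ConcurrentDictionary<string, Row> _rows = new ConcurrentDictionary<string, Row>();
    private readonly TimeSpan _lifetime;
    public AuthKeyStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Rows are keyed by a SHA-256 digest, so a leaked table does not contain usable keys.
    private static string Digest(string authKey)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(authKey)));
    }

    // Hypothetical helper: call only after the password check succeeds; the result goes to the client.
    public string IssueAuthorizationKey(string userId)
    {
        var raw = new byte[32]; // 256 bits from the OS CSPRNG, never a GUID or timestamp
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        var authKey = Convert.ToBase64String(raw);
        _rows[Digest(authKey)] = new Row { UserID = userId, CreatedDate = DateTime.UtcNow, ExpiredDate = DateTime.UtcNow + _lifetime };
        return authKey;
    }
    // Shared by Check and Extend: validate under the row lock, optionally sliding the expiry forward.
    private bool Validate(string authKey, bool extend)
    {
        Row row;
        if (string.IsNullOrEmpty(authKey) || !_rows.TryGetValue(Digest(authKey), out row)) return false;
        lock (row)
        {
            if (DateTime.UtcNow >= row.ExpiredDate) row.IsExpired = true; // lazy expiry; an expired key stays expired
            if (!row.IsExpired && extend) row.ExpiredDate = DateTime.UtcNow + _lifetime;
            return !row.IsExpired;
        }
    }
    // Missing, unknown, revoked and timed-out keys all fail the same way.
    public bool CheckAuthorizationKey(string authKey) => Validate(authKey, false);
    public bool ExtendAuthorization(string authKey) => Validate(authKey, true);
    public void ExpireAuthorization(string authKey) // logout or revocation; the row is kept for audit
    {
        Row row;
        if (!string.IsNullOrEmpty(authKey) && _rows.TryGetValue(Digest(authKey), out row)) lock (row) { row.IsExpired = true; }
    }
}
```

The IsAuthorized override of a custom AuthorizeAttribute, as described in the earlier answer, would read the key from the Authorization header and pass it to CheckAuthorizationKey.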
