I'm confused about how Web API implements authentication.

I have gone through the links

  1. Link1

  2. Link2

and need to summarize what I understood.

  1. OWIN Katana is a mechanism that can be implemented for authorization.

  2. There will be an IPrincipal, which can be created either in the host or in the HTTP module, which will be attached to the current thread to validate.

  3. Token-based authentication implements OWIN.

I have very little idea about the authentication mechanism in Web API. If someone can help me to understand this, it would be great.

I have the following doubts.

  1. Is OWIN a new way of authentication in MVC, or does it already exist as a part of Windows and forms-based authentication?
  2. If I wrote a module to authenticate, what are the different ways I can use to authenticate an API method/controller?

1 Answer

The answer to your question could be quite big; I will try to give you some guidelines:

Katana is Microsoft's implementation of the OWIN standard

https://learn.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/getting-started-with-owin-and-katana

Token-based authorization is supported by OWIN and, therefore, by Katana. There are two very usual ways to implement this token authorization: you can use Windows Authorization

https://learn.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/enabling-windows-authentication-in-katana

or you can use a more standard and recommendable way using OAuth:

https://learn.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

With ASP.NET (netfx, not core), you use attributes on controller level to provide the metadata necessary to implement the authorization and authentication.

3 Comments

Thanks for your detailed explanation. Does forms authentication fall under token-based authentication in Web API?
When using OAuth, the authentication on the form is managed by the Authentication Server. This server, once the client is successfully identified, sends the client a token. The client sends the token to your API and the API has to validate it. With ASP.NET you merely need to apply some attributes to the controllers to configure the authentication (the claims).
Here you can find some additional info: stackoverflow.com/questions/22516747/…
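
An added example (not code from the answer or the comments above) showing the API side of the flow described in this thread: Katana bearer middleware validates the token and builds the principal, and Web API attributes decide which actions require it. It assumes the tokens were issued by a Katana OAuth authorization server that shares this application's data-protection key; the `ExampleApi` namespace, `OrdersController`, its routes and the `Admin` role are hypothetical.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(ExampleApi.Startup))]

namespace ExampleApi // hypothetical namespace
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Katana middleware: reads "Authorization: Bearer <token>", validates the
            // token and, on success, supplies the ClaimsIdentity for the request.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            var config = new HttpConfiguration();
            // Discard any principal set by the host (IIS cookies, Windows auth) so
            // Web API only trusts what the bearer middleware produced.
            config.SuppressDefaultHostAuthentication();
            config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
            // Deny by default: every action needs an authenticated caller
            // unless it opts out with [AllowAnonymous].
            config.Filters.Add(new AuthorizeAttribute());
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    [RoutePrefix("api/orders")] // hypothetical controller and routes
    public class OrdersController : ApiController
    {
        [AllowAnonymous] // explicit opt-out of the global [Authorize]
        [HttpGet, Route("ping")]
        public IHttpActionResult Ping() { return Ok("pong"); }

        [HttpGet, Route("mine")] // any valid token is enough
        public IHttpActionResult Mine()
        {
            // ApiController.User is the IPrincipal attached to this request.
            var principal = (ClaimsPrincipal)User;
            var roles = principal.FindAll(ClaimTypes.Role).Select(c => c.Value);
            return Ok(new { name = principal.Identity.Name, roles });
        }

        [Authorize(Roles = "Admin")] // token must also carry this role claim
        [HttpDelete, Route("{id:int}")]
        public IHttpActionResult Delete(int id) { return Ok(); }
    }
}
```

Requests without a valid token get 401 from every action except `Ping`; registering `AuthorizeAttribute` globally means a newly added action is protected even if its author forgets the attribute.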
