4

I'm trying to secure my MVC4 Web Api. Actually, I just really need an identity provider with some light security. My service is similar to twitter, from a security standpoint, there's not a lot of private data, but the service does need to know the userid for the caller.

It's also important to know that the web service will only be consumed by mobile devices right now, although a website may accompany it at some future point.

S.O. and the internet have led me to Thinktecture.IdentityModel, but man it seems complex and I can find exactly zero documentation or samples. I also haven't yet had a pleasant experience with claims-based authentication. I don't have a claims server, token provider, or anything like that, and it seems like you would need that to use this method. This all seems far to heavy for my situation.

I've also read about people implementing their own HMAC solution (https://github.com/cuongle/WebAPI.Hmac) or using OAuth (https://github.com/maksymilian-majer/DevDefined.OAuth) but these also seem a bit complex (I've read that OAuth without the helper class is enough to make the best developers cry, and I'm not the best). Janrain looks like it might work, but it looks like you have to pay for more than 2,500 authenticated users per year ...

What is the best way to implement a simple identity provider and security for Web Api?

Thanks!

Andrew B Schultz
  • 1,512
  • 1
  • 23
  • 41

3 Answers3

4

I have attempted to answer a similar question to this before Create an OAuth 2.0 service provider using DotNetOpenAuth where I highlighted the Thinkecture Identity Server. The Setup instructions not too difficult (IMHO) The installation video is here and should help a lot.

I have updated my older answer with this too but there is also a fairly lightweight O-Auth 2.0 implementation example here Sample code here http://code.google.com/p/codesmith/downloads/detail?name=OAuth2.zip&can=2&q=#makechanges

Have you also read this well articulated question here Authenticating requests from mobile (iPhone) app to ASP.Net Web API (Feedback requested on my design)

Community
  • 1
  • 1
Mark Jones
  • 12,156
  • 2
  • 50
  • 62
  • Thanks Mark - that was me that just +1'ed your answer last night before writing this. I'll check out the lightweight OAuth example. Sample code is what I need more than anything, since I've never written my own security before :). – Andrew B Schultz Oct 19 '12 at 01:37
  • Thanks Mark - looks like this OAuth2 for MVC will do the trick for me. I'm trying to get it to work with Web Api, but having a few issues (OAuthServiceBase.Instance.RequestToken() throws a NULL rererence exception), but I hope to find the answers on other SO posts. – Andrew B Schultz Oct 24 '12 at 01:49
  • Mark, I just opened another question about this OAuth 2.0 for MVC project. Do you know the answer? It's about getting the HttpRequest extension methods in the project to work in Web Api. http://stackoverflow.com/questions/13060530/getting-httprequest-extension-method-written-for-mvc-to-work-in-web-api – Andrew B Schultz Oct 25 '12 at 02:17
1

Well, security is hard :)

As for Thinktecture.IdentityModel -- this is a token processing library (among other things) that you'd use in your WebAPI application. You'd use this so you don't need to do the logic to accept tokens (basic auth, SAML, SWT, JWT). Claims are just a side-effect.

If you're looking for an identity provider, then the sister open source project Thinktecture.IdentityServer is in beta for version 2. It's an identity provider that supports a custom database and issues tokens. The project URL is:

http://thinktecture.github.com/Thinktecture.IdentityServer.v2/

Brock Allen
  • 7,385
  • 19
  • 24
  • Yes, I've noticed that it's hard :). Thanks for the guidance. You're one of the partners on the Thinktecture project, aren't you? It looks great; it's hard to find documentation though, and this makes me afraid that there many more steps than what I'm looking for ... my scenario requires security, but there's not a lot of secure data. You just want to make sure nobody is hacking another person's account to log in as him. – Andrew B Schultz Oct 19 '12 at 01:33
1

In response to the problem of finding example code as documentation, consider the samples folder in the Thinktecture github repo: https://github.com/thinktecture/Thinktecture.IdentityModel.45/tree/master/Samples

(Why do you need more reputation to comment on SO than to answer?)

psaxton
  • 1,693
  • 19
  • 24