18

I have a web service built with WebAPI that accepts JSON requests and responds accordingly. The core architecture is built but there isn't any authentication/authorization.

After a lot of googling and poking around sample projects, I'm not sure where to start. I've found a ton of material from 2008 and 2009 but not a whole lot of recent guides/workflows for WebAPI / single page apps. I think the workflow should be as follows:

  1. Check to see if the user is logged in: How can this be done with javascript? Do I send a cookie to my webAPI? If so, do I send that cookie as a parameter in the body of the request?

  2. Let the user log in / register: How is this data encrypted/decrypted? Surely I can't be sending passwords over the wire... is this where SSL comes in?

  3. Provide them with access to what they have rights to access: I think I got this - I can just authorize in the controllers on a per-request basis.

Any info would be awesome.

Brian Rogers
SB2055
  • there is a good book on this stuff that just came out recently: http://www.amazon.com/Pro-ASP-NET-Web-API-Security/dp/1430257822/ref=sr_1_1?ie=UTF8&qid=1365075222&sr=8-1&keywords=web+api+security – Evan Larsen Apr 04 '13 at 11:34
  • Ordered! Thanks Evan – SB2055 Apr 04 '13 at 18:38

2 Answers

8

Basically you need token-based authentication or authorization. If you are referring to the ASP.NET WebAPI, the following project will be a great place to start: http://thinktecture.github.com/Thinktecture.IdentityModel.45/

Even if you are not using ASP.NET WebAPI, the following video is a great introduction on how to provide authentication/authorization on RESTful web services: http://vimeo.com/43603474

To answer some of your questions:

Check to see if the user is logged in: How can this be done with javascript? Do I send a cookie to my webAPI? If so, do I send that cookie as a parameter in the body of the request?

You can use a cookie but I normally use the header in order to avoid common XSRF attacks. Cookies are automatically included whenever an HTTP request is sent from the browser.

is this where SSL comes in?

Yes. If you are going to go ahead with the token based approach, you can use a separate server (Identity Server) to do the authentication for you.

yoneal
  • Or he can just use Forms Authentication. Token based auth might be overkill – Evan Larsen Apr 04 '13 at 11:47
  • 1
    @EvanLarsen Forms Authentication *is* token based. – Snixtor Apr 05 '13 at 03:10
  • 1
    Woudl forms auth work w/ mobile devices - i.e. - android/iphone/ipad? – bbqchickenrobot Aug 14 '13 at 07:14
  • If you will use whatever http client library available in your platform. In android, you should be able to use [HttpUrlConnection](http://developer.android.com/reference/java/net/HttpURLConnection.html). `setRequestProperty()` will be interesting in particular. – yoneal Sep 02 '13 at 03:46
3

JavaScript clients are unique. Do you have the Web API and the page serving up JavaScript in the same domain? If not, you have same-origin policy restrictions. If you have the same Web application hosting the web pages and Web API, you can use forms Authn. In that case, you don't need to send the cookie containing the authentication ticket yourself from JavaScript. Browsers do that for you, and that is the cause of the XSRF problem. You have to be careful about JavaScript sending credentials that the end user is not supposed to know. If JavaScript knows something, any intelligent end user can get to that knowledge. OAuth 2.0 implicit grant could be a good choice. The end user enters the credentials (password) in the authorization server, which issues an access token. JavaScript gets the token and presents it to the web API, but it will never have access to the credentials.

  • Thanks Badri. The JS client is in a different domain - the client and API are decoupled. That said, what are your thoughts on Basic Authentication + SSL? – SB2055 Apr 09 '13 at 15:35
  • 1
    JavaScript client (browser) + Basic Authn even over SSL is susceptible to XSRF. You can use something like Thinktecture identity server for issuing tokens over OAuth 2.0 implicit grant. JavaScript client can request for an access token this way and present it to the web API in bearer scheme. That will be my #1 choice. You can use Basic Authn but then you must make all GET requests to your API nullipotent and probably safeguard other methods someway like how they implemented anti-forgery tokens for MVC. My book covers this option. – Badrinarayanan Lakshmiraghavan Apr 09 '13 at 16:01
  • Thanks so much for the quick response. Your book just landed on my doorstep - I'm looking forward to digging into it. – SB2055 Apr 09 '13 at 16:25