
I am trying to achieve a simple task: secure my ASP.NET WEBAPI (built on top of Katana) with BASIC Auth. I know I could implement my own middleware or message handler or whatever. However, I'm wondering if such a simple task is not already implemented? I found multiple samples on the web that show how simple it should be. But all of these samples refer to a NuGet package named microsoft.owin.security.basic, which I cannot find anywhere. Can you help me?

ardila
LaurinSt

2 Answers

First of all, you should consider NOT doing basic authentication directly, but rather use the OAuth2 authorization server approach. Read this first:

http://leastprivilege.com/2013/11/13/authorization-servers-are-good-for-you-and-your-web-apis/

http://leastprivilege.com/2013/11/13/embedding-a-simple-usernamepassword-authorization-server-in-web-api-v2/

If you still want to do basic auth, then in this repo you will find an implementation for Katana:

https://github.com/thinktecture/Thinktecture.IdentityModel/tree/master/source/Thinktecture.IdentityModel.Owin

nuget: Thinktecture.IdentityModel.Owin

leastprivilege
  • hi dominic, thank you very much for your answer. why should i not use basic authentication directly? is oauth2 not a bit overdimensioned for a simple service which communicates by ssl and just should have a basic authentication mechanism? Thank you for the related links, very interesting. – LaurinSt Jan 19 '14 at 17:26
  • I assume you haven't read the posts yet? All the answers are in there... but in a nutshell: in basic auth you have to transmit the password on every request. This is not really feasible if your passwords are properly protected and stored on the server. My 2nd post shows how you essentially get a "cookies for web APIs" approach in 10 lines of code. That is "overdimensioned"? – leastprivilege Jan 20 '14 at 08:06
  • okay, thank you! I'll read the post first, instead of asking obsolete questions :) Thank you very much – LaurinSt Jan 20 '14 at 12:12
  • Using OAuth2 is impossible when you have a client that does not support it. And there are plenty of those, be sure. – Alexey Zimarev Apr 28 '14 at 11:07
  • Like Alexey pointed out, sometimes the developers have no choice, i.e. I have to integrate with a framework that uses basic auth, so my API has to support it. It is weird that basic authentication is not built in to OWIN. – user3285954 Dec 28 '14 at 14:28
  • @user3285954 I've used the Thinktecture package in an OWIN/Katana app and can vouch that it couldn't be simpler if OWIN came with it out of the box! – Sudhanshu Mishra Jun 23 '16 at 07:27
  • @leastprivilege "this is not really feasible if your passwords are properly protected and stored on the server" - this is incorrect. You can use salted+hashed passwords on the server with Basic Authentication - it's conceptually the same as logging into a website by entering your username and password into a `<form>` the way humans do. I think you mean *on the client*. Still, there are ways around this (such as challenge-response but still using Basic Authentication only as an auth transport). OAuth2 is overkill and too complicated for many small projects. – Dai Sep 01 '16 at 02:18
  • Link to https://github.com/thinktecture/Thinktecture.IdentityModel/tree/master/source/Thinktecture.IdentityModel.Owin is broken, but NuGet package still available – Michael Freidgeim Apr 11 '21 at 05:41
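For readers who, like the commenters above, must support Basic auth in Katana anyway, here is an added example of the middleware the question asks about. It is not the Thinktecture package's code; it assumes a `verify(user, password)` callback of your own that checks against a salted-hash credential store, and it refuses credentials sent over plain HTTP, since Basic transmits the password on every request.

```csharp
using System;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Minimal Basic auth middleware for Katana (added example, not Thinktecture's code).
// The verify callback is an assumption of this example: it must check the password against
// a salted hash store, never compare plaintext. Register it in Startup.Configuration before
// app.UseWebApi(config), e.g. app.UseSimpleBasicAuth("api", store.Verify);
public static class BasicAuthAppBuilderExtensions
{
    public static IAppBuilder UseSimpleBasicAuth(
        this IAppBuilder app, string realm, Func<string, string, bool> verify)
    {
        return app.Use(async (IOwinContext ctx, Func<Task> next) =>
        {
            // Basic sends the password on every request, so refuse anything not under TLS.
            if (!ctx.Request.IsSecure) { ctx.Response.StatusCode = 403; return; }
            string user = null, pass = null;
            string header = ctx.Request.Headers.Get("Authorization");
            if (header != null && header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            {
                try
                {
                    string decoded = Encoding.UTF8.GetString(
                        Convert.FromBase64String(header.Substring(6).Trim()));
                    int colon = decoded.IndexOf(':'); // the password itself may contain ':'
                    if (colon > 0)
                    {
                        user = decoded.Substring(0, colon);
                        pass = decoded.Substring(colon + 1);
                    }
                }
                catch (FormatException) { /* malformed base64: treat as no credentials */ }
            }
            if (user != null && verify(user, pass))
            {
                // Hand the identity to Web API so [Authorize] and User.Identity work downstream.
                var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "Basic");
                ctx.Request.User = new ClaimsPrincipal(identity);
                await next();
                return;
            }
            // Missing or invalid credentials: challenge the client with the realm.
            ctx.Response.StatusCode = 401;
            ctx.Response.Headers.Set("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        });
    }
}
```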

For those looking for a streamlined way of doing basic auth using Web API + OWIN + Katana, use the excellent Thinktecture.IdentityModel.Owin.BasicAuthentication library.

NuGet: HERE and the source: HERE

Sudhanshu Mishra