
I currently have a web api 2 project acting as my applications middle tier. I need to secure this project as well as provide an authentication service for my MVC project and potentially iOS and Android applications.

The web api business logic requires the checking of the user permissions/roles to ensure security, the mvc project requires the same functionally to ensure the request to the controllers are valid. How do I do this using Asp.net Identity or some other means? Are there any reference projects for this sort of thing?

Stig
  • This is something that I am really trying to figure out as well. I have my web layer connecting to my API to retrieve data, etc., but I need to make sure I can authorize properly in both layers. – appsecguy Feb 01 '15 at 20:19

1 Answer


Some good info here: http://www.asp.net/web-api/overview/security/authentication-filters

Another way I've seen it done is to have a separate API that generates access tokens for a 'transaction' using whatever credentials you want to use... but usually done via HTTPS! This token is then passed by the client to the business-layer API as a parameter. Various checks can be carried out on the token, e.g. same client that requested the token? Token expired? Token already used? Etc.

Let me know how you got on.

Thanks.

UPDATE

Web API Security with local accounts: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api

Tim Norris
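As an added illustration of the token approach described in this answer (example code written for this page, not the answer author's code and not taken from the linked ASP.NET documentation): a token-issuing store plus a Web API 2 `IAuthenticationFilter` that performs the checks listed above (known token, same client, not expired, not already used) and then sets the request principal so that `[Authorize(Roles = "...")]` and the business logic's own role checks keep working. The class names, the in-memory store, the `X-Client-Id` header and the `OrdersController` are all assumptions of this example; verifying the user's credentials before a token is issued (for instance with ASP.NET Identity) is assumed to happen elsewhere.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Server-side record for one issued token (shape assumed by this example).
public sealed class IssuedToken
{
    public string UserName;
    public string[] Roles;
    public string ClientId;      // the client the token was issued to
    public DateTime ExpiresUtc;  // hard expiry
    public int Used;             // 0 = not yet redeemed, 1 = redeemed (single use)
}

// Assumed in-memory token store. A real deployment would back this with a shared
// cache or database so that every Web API node sees the same "already used" state.
public static class TokenStore
{
    private static readonly ConcurrentDictionary<string, IssuedToken> Tokens =
        new ConcurrentDictionary<string, IssuedToken>();

    // Issue an opaque, unguessable token bound to one client, with a short lifetime.
    // Credential verification (e.g. via ASP.NET Identity) is assumed to precede this call.
    public static string Issue(string userName, string[] roles, string clientId, TimeSpan lifetime)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        Tokens[token] = new IssuedToken
        {
            UserName = userName, Roles = roles, ClientId = clientId,
            ExpiresUtc = DateTime.UtcNow.Add(lifetime)
        };
        return token;
    }

    // The checks the answer lists: known token? same client? not expired? not already used?
    // Returns the record on success, otherwise null and the reason for the failure.
    public static IssuedToken Redeem(string token, string clientId, out string reason)
    {
        IssuedToken t;
        if (token == null || !Tokens.TryGetValue(token, out t)) { reason = "unknown token"; return null; }
        if (!string.Equals(t.ClientId, clientId, StringComparison.Ordinal)) { reason = "token issued to a different client"; return null; }
        if (DateTime.UtcNow > t.ExpiresUtc) { reason = "token expired"; return null; }
        if (Interlocked.Exchange(ref t.Used, 1) == 1) { reason = "token already used"; return null; }
        reason = null;
        return t;
    }
}

// Web API 2 authentication filter: redeems the bearer token and sets the principal.
public sealed class TransactionTokenAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        var request = context.Request;
        var auth = request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Bearer")
            return Task.FromResult(0);   // no token at all: leave it to [Authorize] to reject

        // The client identifies itself in a header (name assumed here); in practice this
        // would come from a registered client id or a client certificate.
        string clientId = null;
        IEnumerable<string> values;
        if (request.Headers.TryGetValues("X-Client-Id", out values))
            clientId = string.Join("", values);

        string reason;
        var t = TokenStore.Redeem(auth.Parameter, clientId, out reason);
        if (t == null)
        {
            // Every failed check yields a plain 401; keep 'reason' for server-side logging only.
            context.ErrorResult = new UnauthorizedResult(
                new[] { new AuthenticationHeaderValue("Bearer") }, request);
            return Task.FromResult(0);
        }

        var identity = new ClaimsIdentity("TransactionToken");
        identity.AddClaim(new Claim(ClaimTypes.Name, t.UserName));
        foreach (var role in t.Roles) identity.AddClaim(new Claim(ClaimTypes.Role, role));
        context.Principal = new ClaimsPrincipal(identity);   // [Authorize] now sees the user and roles
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        return Task.FromResult(0);   // a WWW-Authenticate challenge could be attached here
    }
}

// Usage (assumed controller): the token is validated before any action runs.
[TransactionTokenAuthentication]
[Authorize(Roles = "Admin")]
public class OrdersController : ApiController
{
    public IHttpActionResult Get() { return Ok(User.Identity.Name); }
}
```

The client (the MVC project, or a mobile app) first obtains a token from the issuing endpoint over HTTPS, then sends `Authorization: Bearer <token>` together with its client id on the business-layer call. Because the token is random and stored server side, nothing about the user's password travels with each request, and the single-use flag means a token captured from one request cannot be replayed against another.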
  • Unfortunately the link is not what I am after. It describes the use of a Basic Access Authentication mechanism. That's not really what I am after, as I will have to store the password hash in a storage mechanism to send with each request. Token is something I have been thinking about, but I assumed that there would be a more integrated way via Asp.net Identity – Stig Mar 02 '15 at 12:43
  • Is this what you're after? http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api – Tim Norris Mar 02 '15 at 21:14
  • That's fine for the Web API and probably how an iOS app, for example, would work, but I would need to pass the IPrincipal user back to the MVC application unless I am missing something? – Stig Mar 03 '15 at 09:38