
I am trying to build an application which uses Web API 2 and AngularJS 1 at the front end. I have been researching the security aspects, especially token-based security.

I could find a lot of things and it's really confusing what to implement, like: OAuth, IdentityServer, HMAC and also Auth0.

I checked on HMAC and consumed the Web API through a console application. However, I have not been able to find a project where the Web API is consumed by JS-based frameworks in the front end (like Angular). There are typically console applications with lots of code. I wonder how I am supposed to do this using AngularJS?

I checked on IdentityServer and found its learning curve a bit frustrating for a newbie like me. I have an existing DB with existing users and roles tables. Instead of using the default tables provided by Identity, I would like to use my own and write my own authentication logic. But I am not able to find resources for these either.

Now I can see Auth0. Before diving in, I would like to make sure whether it is the advisable authentication and authorization framework for Web API.

As I have been asked to implement token-based authentication in the project, I am having a hard time figuring out the right approach and the easiest way to do it. I have wasted a week and am still confused about what I should implement. So, if you have any resources where Web API security has been implemented in an elegant way, please help me out.

Dale K
Avishekh Bharati

1 Answer

First of all, I would not recommend using HMAC to secure your API. If your private key is compromised, that means an intruder can access your services easily!

IdentityServer4 and Auth0 both work as authentication & authorization frameworks (OAuth2 and OpenID Connect frameworks). You can also utilize SAML, WS-Federation etc.

If you go with IdentityServer4, you need to maintain the server by yourself. It also means you need to have an intermediate level of knowledge of the OAuth 2.0 & OpenID Connect protocols. If you are thinking of a production application, that means you also need to host IdentityServer4.

Moving to Auth0, they provide the whole authentication & authorization out of the box, including social IdPs. You just need to navigate through their dashboard to create the application and resources etc. You can use the generous free tier if you don't have a lot of requirements.

Regarding security, both Auth0 and IdentityServer4 are great and elegant ways to secure your resources (APIs) and applications.

The following architecture should work for both Identityserver4 and Auth0:

  • Your front-end application will redirect the user to the /authorize endpoint to authenticate the user (executing the Implicit Grant flow).

    GET /authorize?
        client_id=[Client id]&
        scope=[Scopes]&
        response_type=[Response types]&
        audience=[API Identifier]&
        redirect_uri=[Redirect URI]&
        state=abc&
        nonce=xyz

http://docs.identityserver.io/en/latest/endpoints/authorize.html

https://auth0.com/docs/api-auth/tutorials/implicit-grant

As a result of successful authentication, your application receives an ID token and an access token.

  • Use the access token as the Authorization header when making HTTP requests from your front-end application to the Web API endpoint.

  • In your API server, validate the token and return the resources. You can use the ASP.NET Core authentication middleware to validate the token.

http://docs.identityserver.io/en/latest/topics/apis.html

https://auth0.com/docs/api-auth

Tanver Hasan