I'm designing a RESTful API for school. After looking through the documentation, it doesn't look like I do authentication through the RESTful API; it has to be done on the front end and then checked against my API. Is this correct? Or am I reading the documentation wrong?

Total noob trying to build this super fast because my team is relying on me. Any help would be appreciated.

Jezor

2 Answers

Authentication is the responsibility of the host, e.g. IIS. Web API can participate by requiring that only authenticated users can access either:
- all controllers;
- a specific controller; or
- a specific action inside a controller;
by applying the [Authorize] attribute appropriately. If no specific users or roles have been specified in the [Authorize] attribute, all authenticated users will be allowed access; otherwise, only the specified ones.

Hope this helps.

Subu Iyer
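A worked example of the three scopes this answer lists (all controllers, one controller, one action), added here and not part of the original answer. It assumes ASP.NET Web API 2 (System.Web.Http) with attribute routing enabled; the controller name, route prefix, the "Admin" role and the user names alice/bob are illustrative.

```csharp
// Added example, not from the original answer. Assumes ASP.NET Web API 2;
// OrdersController, the "Admin" role and the user names are illustrative.
using System.Net;
using System.Web.Http;

// Controller-level [Authorize]: every action requires an authenticated caller.
// A request with no authenticated principal is answered 401 before the action runs.
[Authorize]
[RoutePrefix("api/orders")]
public class OrdersController : ApiController
{
    // Inherits the controller-level rule: any authenticated user may list orders.
    [HttpGet, Route("")]
    public IHttpActionResult Get()
    {
        return Ok(new[] { "order-1", "order-2" });
    }

    // Action-level [Authorize(Roles = ...)] narrows the controller rule:
    // only a principal for which IsInRole("Admin") is true may delete.
    [HttpDelete, Route("{id:int}")]
    [Authorize(Roles = "Admin")]
    public IHttpActionResult Delete(int id)
    {
        return StatusCode(HttpStatusCode.NoContent);
    }

    // Specific users: a comma-separated list matched against Identity.Name.
    [HttpPost, Route("{id:int}/approve")]
    [Authorize(Users = "alice,bob")]
    public IHttpActionResult Approve(int id)
    {
        return Ok();
    }

    // [AllowAnonymous] opts one action out of the controller-level (or global) rule.
    [HttpGet, Route("ping")]
    [AllowAnonymous]
    public IHttpActionResult Ping()
    {
        return Ok("pong");
    }
}

// "All controllers": register AuthorizeAttribute as a global filter once at startup.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Filters.Add(new AuthorizeAttribute());
        config.MapHttpAttributeRoutes();
    }
}
```

Two things to check when wiring this up: the attribute only inspects the principal that the host or a message handler has already attached to the request, so without an authentication step in front of it every caller is anonymous and every [Authorize]-protected action returns 401; and in Web API 2 (unlike ASP.NET Core) an authenticated caller who fails a Users or Roles check also receives 401, not 403, so do not read a 401 as "no credentials sent".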

"A RESTful API" is, basically, an API which employs "web URLs" as the basic format for the request: the parameters to the request appear as /slash/separated/parts/of/the/url.

"Authentication and authorization" concerns are usually excluded from the design of such an API, although sometimes "such-and-such random string" is required to appear at a certain position in the request. (This is often simply required for "browser cache-busting.") The HTTP protocol already provides the ability to transparently send "additional information" with every request: we call these things "cookies." Web servers (Microsoft's Internet Explorer comes to mind) and Application servers often provide other ways by which they can identify clients. Thus, the design of the API itself can often "just stick to the business at hand."

Yes, you might need to design an API-call that is used to present authentication/authorization credentials ... although, in practice, this is rare. But, for the majority of your RESTful calls, you should not have to continue to be concerned with such things, that is to say, "within the actual text of the REST-strings themselves." Other means exist in the HTTP protocol by which this additional information can be conveyed to the host.

Mike Robinson
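The answer's central point is that credentials travel in HTTP headers (the Authorization header, or a cookie) rather than in the resource path. The following is an added example, not code from the original answer: an ASP.NET Web API 2 DelegatingHandler that reads a bearer token from the Authorization header and attaches a principal to the request, so the [Authorize] attribute and User.Identity in the controllers work without any token appearing in the URL. The in-memory token table and the user/role values are constructed for illustration; a real service would validate signed tokens or look them up in a store.

```csharp
// Added example, not from the original answer. Assumes ASP.NET Web API 2.
// The token table below is constructed sample data, not a real credential store.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

public class BearerTokenHandler : DelegatingHandler
{
    // Constructed sample data: opaque token -> (user name, role). Illustrative only.
    private static readonly Dictionary<string, Tuple<string, string>> Tokens =
        new Dictionary<string, Tuple<string, string>>(StringComparer.Ordinal)
        {
            { "7f3c9a1e-alice", Tuple.Create("alice", "Admin") },
            { "0b2d8e4f-bob",   Tuple.Create("bob",   "User") },
        };

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        ClaimsPrincipal principal = AuthenticateFrom(request);
        if (principal != null)
        {
            // Attach the identity to this request; [Authorize] and User.Identity read it.
            request.GetRequestContext().Principal = principal;
            Thread.CurrentPrincipal = principal;
        }
        // Do not reject here: an anonymous caller may still be heading for an
        // [AllowAnonymous] action. [Authorize] returns 401 wherever a principal is required.
        return await base.SendAsync(request, cancellationToken);
    }

    // Parses "Authorization: Bearer <token>" and maps the token to a principal, or null.
    public static ClaimsPrincipal AuthenticateFrom(HttpRequestMessage request)
    {
        var auth = request.Headers.Authorization;
        if (auth == null
            || !string.Equals(auth.Scheme, "Bearer", StringComparison.Ordinal)
            || string.IsNullOrEmpty(auth.Parameter))
        {
            return null;
        }

        string user = null, role = null;
        foreach (var entry in Tokens)
        {
            // Compare every entry in constant time; no early exit, so a wrong token
            // costs the same as a right one.
            if (FixedTimeEquals(entry.Key, auth.Parameter))
            {
                user = entry.Value.Item1;
                role = entry.Value.Item2;
            }
        }
        if (user == null) return null;

        // A non-null authenticationType makes Identity.IsAuthenticated true,
        // which is what [Authorize] checks; the role claim feeds IsInRole.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, user),
            new Claim(ClaimTypes.Role, role),
        }, "Bearer");
        return new ClaimsPrincipal(identity);
    }

    // .NET Framework has no CryptographicOperations.FixedTimeEquals, so compare manually.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Registration (WebApiConfig.Register):
//   config.MessageHandlers.Add(new BearerTokenHandler());
// Client side the credential rides in the header and the URL names only the resource:
//   client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "7f3c9a1e-alice");
//   var response = await client.GetAsync("https://api.example.test/api/orders");
```

Whichever carrier you pick, the token is plaintext inside the HTTP request, so the API must be served over TLS only. The two carriers also fail differently: a bearer header is only sent when the client code adds it, so it is not exposed to cross-site request forgery, whereas a cookie is attached by the browser to every matching request and therefore needs a CSRF defence (SameSite, an anti-forgery token, or both) on any state-changing action.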