5

I've watched and viewed lots of pages on securing asp.net web api's - including: http://weblogs.asp.net/jgalloway/archive/2012/03/23/asp-net-web-api-screencast-series-part-6-authorization.aspx and http://weblogs.asp.net/jgalloway/archive/2012/05/04/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way.aspx - however, I've not yet seen a KISS type example.

If I have a web api, which returns a list of cars for example - and I am working with a 3rd party (ie. not my own website or server/domain) who wants to query (get) and insert (post) lists of cars by a type, into my database, how so I authenticate them (via https)?

Do they simply add (into their JSON GET/Post) something like:

[
{"username":"someusername","password":"somepassword",
{
"carTypeID":12345,
"carTypeID":9876}
"carTypeID":2468}
}
}
]

I can then grab the username and password, and check against my membership database in .net, and "IfUserAuthenticated" go on to process the rest of the JSON?

Or is there a better way of doing this? I've heard of adding details to headers etc - but I'm not sure if that's for a reason, or over complicating it. I've also heard of setting tokens which are sent back to the 3rd party - if that's the best method, what instructions do I give them got building their side of the app that will use my API?

Thanks for any advice/pointers,

Mark

Improve this question
1
  • In addition to the basic auth approach in the accepted answer, see this question and Darin Dimitrov's answer about how to use Forms authentication: stackoverflow.com/questions/11014953/… Commented Jun 13, 2012 at 15:14

3 Answers 3

Reset to default
4

If you want to keep it simple you can use Basic authentication. Over SSL it's quite secure. It simply involves adding a header to the request:

Authorization: Basic <username:password encoded as base64>

You can find a way to implement it here.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Hi @carles-company - thank you for replying. I'd viewed that post too - but can't see (or more likely, don't have the knowledge yet) of what to tell the 3rd party in order for them to authenticate. The article advises to "leave it up to them to figure out", but helping them, has benefits to both parties - so I'd like to be able to say "do this, do that, you will get the list of cars" - Thank you again, Mark
The third part just has to add the Authorization header. See en.wikipedia.org/wiki/Basic authentication for more details.
Thanks @Carles-company - I'll look more closely at that - it's obviously an area I just need to learn! Cheers, Mark
3

You can use HTTP Basic authenticaiton along with SSL. Its very simple to implement using message handlers and is supported out of the box on many platforms. See my blog for an example (it is very easy to integrate with membership provider of your choice)

http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-message-handlers/

Improve this answer

Comments

0

I've written something similar for the Web API:
http://remy.supertext.ch/2012/04/basic-http-authorization-for-web-api-in-mvc-4-beta/

It's in use at a few places now and we've been using it since about 2 month in production. Seems to work fine.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.