
For an upcoming project, we have to build a secured web application with ASP.NET MVC. This web application will communicate with an ASP.NET Web API for all the CRUD actions.

The user will have an account on the website, so I was thinking of using ASP.NET Identity. All calls will be over HTTPS (by default), but I am not sure how to implement authentication and authorization in the Web API.

Should I use token-based authentication?

Do I move the user management of the website in the Web API?

Do I have another set of credentials for my user in the Web API, with one instance of the user in the local database of the website and one in the Web API/central database?

If we implement a multi-tenant architecture where multiple customers coexist in the same environment, will I need to manage token authentication differently? In case we give access to the API to a third party, I feel like it is not secure to put the Tenant ID in all of the calls, to prevent request forgeries.

We need to split the project that way since the following phases will be to develop a mobile version of this web application, and another one of our web applications will use the Web API.

There's a wealth of information already available on this topic. Have you reviewed any of it yet? asp.net/web-api/overview/security – Robert Harvey Feb 19 at 16:07
    
Hi @RobertHarvey, yes I have read and reviewed some information on the topic of securing a Web API and how to manage authentication and authorization, but I'm still new to those platforms. My question was more regarding how to manage security between the MVC application that has its own user management and the API that could serve multiple applications. – Fynnen Feb 19 at 17:35
