current community

your communities

more stack exchange communities

Stack Exchange
tour help
stack overflow careers
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 5 down vote favorite
5

I've watched and viewed lots of pages on securing asp.net web api's - including: http://weblogs.asp.net/jgalloway/archive/2012/03/23/asp-net-web-api-screencast-series-part-6-authorization.aspx and http://weblogs.asp.net/jgalloway/archive/2012/05/04/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way.aspx - however, I've not yet seen a KISS type example.

If I have a web api, which returns a list of cars for example - and I am working with a 3rd party (ie. not my own website or server/domain) who wants to query (get) and insert (post) lists of cars by a type, into my database, how so I authenticate them (via https)?

Do they simply add (into their JSON GET/Post) something like:

[
{"username":"someusername","password":"somepassword",
{
"carTypeID":12345,
"carTypeID":9876}
"carTypeID":2468}
}
}
]

I can then grab the username and password, and check against my membership database in .net, and "IfUserAuthenticated" go on to process the rest of the JSON?

Or is there a better way of doing this? I've heard of adding details to headers etc - but I'm not sure if that's for a reason, or over complicating it. I've also heard of setting tokens which are sent back to the 3rd party - if that's the best method, what instructions do I give them got building their side of the app that will use my API?

Thanks for any advice/pointers,

Mark

share|improve this question
    
In addition to the basic auth approach in the accepted answer, see this question and Darin Dimitrov's answer about how to use Forms authentication: stackoverflow.com/questions/11014953/… –  Jim Harte Jun 13 '12 at 15:14

3 Answers 3

up vote 5 down vote accepted

If you want to keep it simple you can use Basic authentication. Over SSL it's quite secure. It simply involves adding a header to the request:

Authorization: Basic <username:password encoded as base64>

You can find a way to implement it here.

share|improve this answer
    
Hi @carles-company - thank you for replying. I'd viewed that post too - but can't see (or more likely, don't have the knowledge yet) of what to tell the 3rd party in order for them to authenticate. The article advises to "leave it up to them to figure out", but helping them, has benefits to both parties - so I'd like to be able to say "do this, do that, you will get the list of cars" - Thank you again, Mark –  Mark Jun 11 '12 at 21:16
    
The third part just has to add the Authorization header. See en.wikipedia.org/wiki/Basic authentication for more details. –  Carles Company Jun 12 '12 at 4:54
    
Thanks @Carles-company - I'll look more closely at that - it's obviously an area I just need to learn! Cheers, Mark –  Mark Jun 12 '12 at 8:25
up vote 0 down vote

I've written something similar for the Web API:
http://remy.supertext.ch/2012/04/basic-http-authorization-for-web-api-in-mvc-4-beta/

It's in use at a few places now and we've been using it since about 2 month in production. Seems to work fine.

share|improve this answer
up vote 3 down vote

You can use HTTP Basic authenticaiton along with SSL. Its very simple to implement using message handlers and is supported out of the box on many platforms. See my blog for an example (it is very easy to integrate with membership provider of your choice)

http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-message-handlers/

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.