For an upcoming project, we have to build a secure web application with ASP.NET MVC. This web application will communicate with an ASP.NET Web API for all the CRUD actions.
The user will have an account on the website, so I was thinking of using ASP.NET Identity. All calls will be over HTTPS (by default), but I am not sure how to implement authentication and authorization in the Web API.
Should I use token-based authentication?
Do I move the user management of the website in the Web API?
Do I have another set of credentials for my user in the Web API, with one instance of the user in the local database of the website and one in the Web API/central database?
If we implement a multi-tenant architecture where multiple customers coexist in the same environment, will I need to manage token authentication differently? If we give a third party access to the API, I feel it is not secure to put the Tenant ID in all of the calls, in order to prevent request forgeries.
We need to split the project that way since the following phases will be to develop a mobile version of this web application, and another one of our web applications will use the Web API.