Securing ASP.Net Web API with API Key -


i'm developing asp.net mvc 4 web api application application source data different mobile/web client apps. need authenticate user can return correct set of content user. i'm thinking using api key sent every request of web api application. api key identifies user. found post outlines potential solution: from api key user asp.net web api

i need support forms authentication oauth 2.0 facebook, twitter, etc. of these approaches yield token can use send , forth different clients web api can identify user. understand facebook access tokens expire. i'm little confused on what's best way deal facebook interactions. of following paths best way go:

  1. rely on different client apps authenticate against facebook (and other oauth providers) establish facebook access token that's forwarded web api application? means of clients responsible making sure facebook access token not expired. web api app assumes access token valid. seems dangerous me. different apps authenticate user send user information webapi app register user in order user consume data web api app. seems lot of duplication.

  2. make web api application solely responsible interacting facebook (and other oauth providers) on behalf of different client apps using web api. approach seems suggest need build sort of authenticating ui web api app. know asp.net mvc web api can have views , front end stuff, seems me mixing things together. seems web api apps should singularly focused on returning data. users of different client apps register web api app either filling out registration form, or using facebook, twitter, etc. ok mix ui views in pure rest web api application? have start worrying goes uis on different devices, etc.

  3. is there way i'm not seeing?

i appreciate guidance , links examples might have. time.

i suggest below approach:
1. create authentication api authenticate user. if user authenticated successfully, create session (self implemented, may record in db) user.
2. next time user call other apis returns content user. in case must user provider session id (which have created in first step) content. if sessionid provided user not exist @ end, means user not authenticated. in case can return authentication error message user telling needs authenticated first. flexible, scaleable solution in way can store many information regarding user session. once authenticated, user not need authenticated every time calls other apis content. save authenticating user every time.


Comments

Popular posts from this blog

html - How to style widget with post count different than without post count -

How to remove text and logo OR add Overflow on Android ActionBar using AppCompat on API 8? -

IIS->Tomcat Redirect: multiple worker with default -