MasterV23
How to authorize a Web API's use?
Apr 26, 2012 12:14 PM
I'm trying to learn how I can authorize my web api calls so that when the call is made I can make sure it's being called from a valid site.
I've added the [Authorize] attribute to my API Controller, what's the next step since these will be RESTful calls? Is there a key generator that I would need to use?
dbaier
MVP
Re: How to authorize a Web API's use?
Apr 26, 2012 12:55 PM
...and how would you identify a "valid site" ?
dominick
_____________________________
Dominick Baier - http://www.leastprivilege.com
aliostad
Re: How to authorize a Web API's use?
Apr 26, 2012 01:26 PM
HTTPS calls can optionally have a client certificate which can be used by the clients.
A practical replacement is using username/password.
There is a Referer HTTP header in the request that can be checked (if it has been referred from another page/site) but you cannot really call it security. http://en.wikipedia.org/wiki/HTTP_referrer
MasterV23
Re: How to authorize a Web API's use?
Apr 26, 2012 01:36 PM
So for authenticating RESTful services wouldn't you want to try an encrypted key to verify? Just thinking out loud.
MasterV23
Re: How to authorize a Web API's use?
Apr 27, 2012 12:30 AM
dbaier
MVP
Re: How to authorize a Web API's use?
Apr 27, 2012 05:09 AM
Well - OAuth has a number of parts.
But if you are looking for a way to do token based authentication, I've written the necessary plumbing for that:
https://github.com/thinktecture/Thinktecture.IdentityModel.Http
dominick
_____________________________
Dominick Baier - http://www.leastprivilege.com
MasterV23
Re: How to authorize a Web API's use?
May 15, 2012 11:43 AM
So what is best to use? OAuth or Token?
Also I clicked the links at the bottom of that page but I got "Page Can Not be Found" error.
dbaier
MVP
Re: How to authorize a Web API's use?
May 15, 2012 02:26 PM
I moved my blog. The links are updated now.
dominick
_____________________________
Dominick Baier - http://www.leastprivilege.com