dabuzz
0 Points
6 Posts
WEB API Authentication / Authorization
Jan 18, 2013 10:11 AM
Hi.
I am trying to build a self-hosted Web API and have difficulties figuring out the correct implementation.
What I need is custom authentication (BASIC).
Role-based authorization.
I have seen many approaches on how to implement this but no clear way on how this can be done.
What I want is that the client applications (desktop/mobile) will only need to authenticate once, with a function or a first API call, and will not need to resend credentials or tokens with each and every call.
As I understand, for custom authentication I will need to use a custom UserNamePasswordValidator?
Once authentication is done I will need to have a custom IPrincipal assigned to the current thread and checked with a custom Authorize attribute?
Is there any clear guide on this?
Thanks.
BrockAllen
All-Star
27554 Points
4912 Posts
MVP
Re: WEB API Authentication / Authorization
Jan 18, 2013 02:55 PM
The Thinktecture IdentityModel security library and associated blog posts should give you what you need.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
danroth27
Member
174 Points
40 Posts
Microsoft
Re: WEB API Authentication / Authorization
Jan 18, 2013 04:07 PM
> What I want is that the client applications (desktop/mobile) will only need to authenticate once, with a function or a first API call, and will not need to resend credentials or tokens with each and every call.
You will need to authenticate every request, unless you establish some sort of security session (e.g. using cookies). With HTTP each request is independent of any other, so there has to be something in the request that lets your HTTP endpoint know the request is coming from who you think it is.
> As I understand, for custom authentication I will need to use a custom UserNamePasswordValidator
Yup, for Basic auth using the UserNamePasswordValidator is the way to go. You'll need to configure the HttpBinding used by the HttpSelfHostServer to enable Basic auth as well.
> Once authentication is done I will need to have a custom IPrincipal assigned to the current thread and checked with a custom Authorize attribute?
Correct.
Senior Program Manager
ASP.NET
dabuzz
0 Points
6 Posts
Re: WEB API Authentication / Authorization
Jan 22, 2013 03:36 PM
Thank you for your responses.
I found this approach with a MessageHandler and it was perfect for my situation, BUT I discovered that Basic Authentication only works with ASCII encoding for username and password :(
https://bitbucket.org/pwalat/piotr.basichttpauth/src/da7802eab6d1/Piotr.BasicHttpAuth.Web/BasicAuthMessageHandler.cs
Is there any workaround for that?
Edit
Perhaps I can have the client provide the credentials as custom HTTP headers? What do you think, is that a common approach?
Edit
OK, it seems that the root of the problem was the encoding of credentials on the client side, and it is possible to encode them in UTF, so I guess the problem is solved.
Thanks!
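Both danroth27's reply (every request must carry something that authenticates it; a custom IPrincipal on the thread checked by the Authorize attribute) and the UTF-8 follow-up in the post above, as one added example. This is not code from the thread or from the linked BasicAuthMessageHandler; it targets the Web API 1 self-host stack of that time (System.Web.Http.SelfHost). The sample users, the realm "api", the WhoAmI controller and port 8080 are assumptions made for the example.

```csharp
// Added example, not code from the thread or the linked BasicAuthMessageHandler:
// a self-hosted ASP.NET Web API (Web API 1, System.Web.Http.SelfHost) with a
// DelegatingHandler that authenticates every request from its Authorization: Basic
// header, decodes the credentials as UTF-8, and sets an IPrincipal for [Authorize].
// The users, the realm, WhoAmIController and the port are assumptions.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.SelfHost;

public sealed class BasicAuthMessageHandler : DelegatingHandler
{
    private static readonly AuthenticationHeaderValue Challenge = new AuthenticationHeaderValue("Basic", "realm=\"api\"");

    // Constructed sample users (name -> password, roles). A real store keeps salted
    // password hashes and compares them in constant time; plaintext only keeps this short.
    private static readonly Dictionary<string, Tuple<string, string[]>> Users =
        new Dictionary<string, Tuple<string, string[]>>(StringComparer.Ordinal)
        {
            { "alice", Tuple.Create("pa\u00dfw\u00f6rd:1", new[] { "Admin" }) }, // non-ASCII and a colon
            { "bob",   Tuple.Create("hunter2",             new[] { "User" })  },
        };

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth != null && string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase))
        {
            string user, password;
            Tuple<string, string[]> entry;
            if (!TryDecode(auth.Parameter, out user, out password)
                || !Users.TryGetValue(user, out entry)
                || !string.Equals(entry.Item1, password, StringComparison.Ordinal))
            {
                // Malformed or wrong credentials: refuse now rather than continue as anonymous.
                HttpResponseMessage denied = request.CreateResponse(HttpStatusCode.Unauthorized);
                denied.Headers.WwwAuthenticate.Add(Challenge);
                return denied;
            }
            // Web API 1's [Authorize] reads Thread.CurrentPrincipal (a web-hosted API also
            // assigns HttpContext.Current.User; self-host has no HttpContext).
            Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user, "Basic"), entry.Item2);
        }
        // No Authorization header: stay anonymous so [AllowAnonymous] actions keep working.
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);
        if (response.StatusCode == HttpStatusCode.Unauthorized && response.Headers.WwwAuthenticate.Count == 0)
            response.Headers.WwwAuthenticate.Add(Challenge); // [Authorize] sends a bare 401; name the scheme
        return response;
    }

    // Base64 is 7-bit on the wire, but the bytes it wraps can be in any encoding; the
    // "ASCII only" limit comes from decoding them with Encoding.ASCII. Decode as strict
    // UTF-8 (malformed bytes are rejected) and split on the first ':' only, because the
    // password may itself contain colons.
    internal static bool TryDecode(string parameter, out string user, out string password)
    {
        user = password = null;
        if (string.IsNullOrEmpty(parameter)) return false;
        string pair;
        try { pair = new UTF8Encoding(false, true).GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return false; }          // not base64
        catch (DecoderFallbackException) { return false; } // not UTF-8
        int sep = pair.IndexOf(':');
        if (sep <= 0) return false;                        // no separator or empty user name
        user = pair.Substring(0, sep);
        password = pair.Substring(sep + 1);
        return true;
    }
}

public class WhoAmIController : ApiController
{
    [Authorize(Roles = "Admin")]
    public string Get() { return User.Identity.Name; }
}

public static class Program
{
    public static void Main()
    {
        var config = new HttpSelfHostConfiguration("http://localhost:8080");
        config.MessageHandlers.Add(new BasicAuthMessageHandler());
        config.Routes.MapHttpRoute("default", "api/{controller}");
        using (var server = new HttpSelfHostServer(config))
        using (var client = new HttpClient())
        {
            server.OpenAsync().Wait();
            // Client side: encode "user:password" as UTF-8 and attach it to EVERY request.
            // HttpClient resends DefaultRequestHeaders each time; the server holds no session.
            string token = Convert.ToBase64String(Encoding.UTF8.GetBytes("alice:pa\u00dfw\u00f6rd:1"));
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", token);
            Console.WriteLine(client.GetAsync("http://localhost:8080/api/whoami").Result.StatusCode);
            client.DefaultRequestHeaders.Authorization = null; // same call without credentials
            HttpResponseMessage anon = client.GetAsync("http://localhost:8080/api/whoami").Result;
            Console.WriteLine(anon.StatusCode + " " + anon.Headers.WwwAuthenticate);
            server.CloseAsync().Wait();
        }
    }
}
```

Self-host on Windows needs a URL reservation for the port (for example `netsh http add urlacl url=http://+:8080/ user=Everyone`) or an elevated process. Base64 is an encoding, not protection: the password is readable by anyone on the path, and because the client resends it on every call, a Basic endpoint belongs behind TLS. Moving the same values into custom headers, as the post considers, changes only the header name, not that fact.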
BrockAllen
All-Star
27554 Points
4912 Posts
MVP
Re: WEB API Authentication / Authorization
Jan 24, 2013 01:22 AM
Are you saying that the credentials you have aren't username/password? If you have some token type to pass, then this is fine. Again, the Thinktecture IdentityModel library allows for common/popular token formats, including JWT.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/