Last post Nov 22, 2014 08:34 AM by DaveJohnsonO2O
Nov 21, 2014 06:37 PM|DaveJohnsonO2O
I'm doing a lot of reading to get a good approach to applying security to protect a public-facing Web.API. The hypothetical scenario is that the web application, which potentially could be on a different server from the Web.API, has most of its logic coming from the Web.API. But each time the web app calls the API, I would not want the API to just answer without some kind of authentication. Neither would there necessarily be a logged-in user in the site to use, and in any case it would not be this user and their roles the API would be interested in in this case. The way I was thinking of doing this was almost like having username/password type credentials for the web application being passed to the API when a request is being made. But I want it to be as lightweight
I'm currently going through the book:
http://www.apress.com/microsoft/asp-net/9781430257820 which goes into some detail about technologies such as OAuth.
I just wanted to know, for this type of scenario, what technologies you would use yourselves; any links on them would be great.
Nov 21, 2014 07:17 PM|BrockAllen
Yes, OAuth2 is the standard for securing APIs these days. The trick is that you need an OAuth2 authorization server to issue tokens, and the Katana implementation from Microsoft is soon to be deprecated and won't be continued in ASP.NET 5. So you can either pay for a product, or a SaaS, or you can consider an open source project that you host yourself. Depending on your requirements, some of those may or may not be appropriate.
Nov 22, 2014 08:34 AM|DaveJohnsonO2O
Thanks Brock, the approach you recommend seems like the most future-proof approach.