Last post Apr 14, 2016 03:02 AM by Yohann Lu
Apr 13, 2016 05:48 PM|amit_ask|LINK
I read almost every where Secure your Web API with Token based authentication.
Like these articles
Secure a Web API with Individual Accounts
Authentication and Authorization in ASP.NET Web API
But I could Only advantage of using OWIN and Katana is
1- It simplify the login with External Identity .
2- It reduces the no of request to Db to authorize the USER, as It does not hit the DB. It authorize the USER using access_token
as access_token contain all the data related to User for authorization.
But at the very first step of this process, It accept the user data (username and password for login) in plain formate (application/x-www-form-urlencoded) . which easily can be accessible in the middle for Web API and Client.
1- Is there any strong reason to accept the user data in url-encoded format ?
2- How it is secure apart from simplicity? , as we can authorize the user using basic authentication too .
Apr 14, 2016 03:02 AM|Yohann Lu|LINK
From your description, I suggest you can refer the following tutorial. These articles have a more detailed explanation of OWIN security. You can get some ideas from them.
1: ASP.NET Web Api: Understanding OWIN/Katana Authentication/Authorization:
2: What's the difference between EscapeUriString and EscapeDataString: