Last post Jul 08, 2020 04:29 PM by bruce (sqlwork.com)
Jul 08, 2020 01:51 PM | bsiegler
I currently have a .NET Core Web API that lives behind my company firewall. The client is a .NET Core web app that uses Windows integrated security. My users are authenticated as they hit the site. Data is retrieved client side via REST calls to the web API. The API needs to know which user is making the request, and must be secured. What is a simple and solid way to do this? It seems that Identity Server and OAuth2 are a bit overkill. Thanks in advance!
Jul 08, 2020 04:29 PM | bruce (sqlwork.com)
For the best security, the web API should authenticate its callers. The web app should authenticate with a service account or HTTPS certificate. Once the caller is trusted, you can pass the user id as a header or payload parameter. You might want to use a JWT token if you need to pass roles.
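
The approach in the reply above, sketched as ASP.NET Core middleware for the API side. This is an added example, not code from the thread or from either poster. It assumes the API already authenticates its caller (for instance with Windows/Negotiate authentication) before this middleware runs; the service account name `CONTOSO\svc-webapp`, the header name `X-End-User` and the `forwarded_by` claim are hypothetical placeholders.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Register between app.UseAuthentication() and app.UseAuthorization():
//   app.UseMiddleware<ForwardedUserMiddleware>();
public class ForwardedUserMiddleware
{
    // Assumptions: both values are placeholders for this example.
    private const string TrustedCaller = @"CONTOSO\svc-webapp";
    private const string UserHeader = "X-End-User";

    private readonly RequestDelegate _next;
    public ForwardedUserMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        var caller = context.User?.Identity;

        // 1. The header is meaningless unless the request comes from the
        //    authenticated web app; anyone else could set it to any name.
        if (caller == null || !caller.IsAuthenticated ||
            !string.Equals(caller.Name, TrustedCaller, StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }

        // 2. Require exactly one non-empty value so a duplicated header
        //    cannot be read differently by different layers.
        var values = context.Request.Headers[UserHeader];
        if (values.Count != 1 || string.IsNullOrWhiteSpace(values[0]))
        {
            context.Response.StatusCode = StatusCodes.Status400BadRequest;
            return;
        }

        // 3. Make the end user the request principal for controllers,
        //    and keep the forwarding service account for audit logs.
        var identity = new ClaimsIdentity("ForwardedByTrustedCaller");
        identity.AddClaim(new Claim(ClaimTypes.Name, values[0]));
        identity.AddClaim(new Claim("forwarded_by", caller.Name));
        context.User = new ClaimsPrincipal(identity);

        await _next(context);
    }
}
```

With this in place, controllers read `User.Identity.Name` as usual, and the forwarded user id is honored only on requests the API has tied to the web app's own identity.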