I have just created my first rest service using apicontroller. I am using it with web forms instead of mvc-4. How can i go about implementing security in web service. Keeping in mind that service may be used by clients other than browser how would one go on setting up security.
when we authenticate ourselves from browser against an asp.net application that is using forms authentication, the app returns an authentication cookie which is forwarded by browser on each subsequent request and application knows that user is signed in by decrypting the cookie.
I was watching a tutorial on plural sight about security of web api. They advocate that we should just have a method that can log in users if json data is passed. Once logged in the method will return auth cookie to client (browser and other service clients) and clients should send this cookie on each subsequent request to authorize themselves. Is this auth scheme normal for web services or there is some other recommended way? The question is more about what to implement than how to implement?
Edit: The idea i got from @AliOstad’s answer to this question is that i should create a separate login method for my service that should ideally work on https and this method should return an encrypted auth header including user’s email and time of issue. Once client has acquired the token he can go on to use the service by passing this token in auth header (to andriod app etc.) and I see no problem if the data service (as opposed to login service which should work on https) is operating on http since the token would expire after x amount of minutes. On server side its perfectly ok but how would my client know that his token has expired and he needs to go and get another token before getting the data from data service? My second concern is that if i implement it this way how would i handle ajax calls to data service that are made by asp.net application (asp.net application and web api are running on same application). There (in javascript), i would either need auth token or username and password to get authentication token and neither of them seems feasible?
Any ideas how should i handle these scenarios?
Dominick Baier is an authority in this subject and has a series on this subject in his blog. See the first of the series here.
I cannot really summarise in a sensible small answer and I think you need to go through the posts.
UPDATE
Unlike forms authentication, when user has an expired token and redirected to login screen, Web API communicates with HTTP response codes – since very likely the client is a machine not a human user.
So client agent would not know if it has an expired token, instead when it connects your API using its expired token, a 401 (Unauthorised) response is returned. At this point client will try acquiring a new token.
They would not make an AJAX call, they will either: