In designing and learning about an ASP.NET Web API I’ve come across a few challenges I’d like some help and discussion on.
Inspired by this excellent post on designing a Secure REST API without OAuth I’m wondering how best to approach validating the various tokens and information I intend to ask for.
Brief summary is I’ll be asking for (in the querystring) the following info..
- user id
- api key
- timestamp
- a signature hash based on a secret key the user has been issued and hashed together with the request values
My question / wondering is this :
If this is a sound approach, what would be the best way to implement this using ASP.NET Web API?
I’m currently thinking about either using a custom attribute that I can mark my methods with, kind of an Authorize attribute that grabs the required from the query string or some POCO type object that contains all the values and I can use to keep all the authorisation type code in one place.
Has anyone got any experience or thoughts on this?
Thanks 🙂
Currently, as you might have seen, the
AuthorizeAttributeapproach is used in Web API. I think that this is a fairly good approach in that we can put this attribute on individual items that need authorization.I have done authorization by extending the
System.Web.Http.Filters.AuthorizationFilterAttribute. After you extend it, all authorization details are up to you and you have plenty approaches to choose from.