I’ve been asked to create an API for clients. Before I begin I have some questions. I’ve decided to use the ASP.NET Web API technology. I’ve created my first method and it works fine, I’m able to return a set of results of products in XML/Json format. The problem is, anyone who accesses my API held at my website will be able to see all my products. I already have a database of customers, how can I use this so that prior to accessing my API, they have to set some credentials.
The API should be accessible to both Web and Desktop clients
One way I thought of doing it is that they pass their username/password along as parameters, but this didn't seem very secure/right. For example: api/products/GetById/750?username=bob&pass=123
You could use AuthorizeAttribute to decorate your controllers/actions.
This can restrict your resources to be available only to authenticated users.
The actual authentication method is another story. By default Web API uses cookie-based ASP.NET forms authentication, which is good if the API is directly consumed from an HTML+JS web client.
On the other hand, if your API is to be consumed by desktop/mobile apps or plugin-based web clients, using HTTP Basic authentication may be better as you wouldn't have to manage cookies (remember to use SSL in this scenario).
You may want to look at my blog post at http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-membership-provider/ which shows how to provide HTTP Basic authentication that uses ASP.NET membership and role providers.
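The two pieces the answer describes, as an added example that is not from the answer or the linked blog post: a message handler that parses HTTP Basic credentials, checks them against the existing customer store, and refuses plain HTTP, plus a controller protected with `[Authorize]`. It assumes ASP.NET Web API 2 (`System.Web.Http` 5.x) and a hypothetical `ICustomerCredentials` lookup over your customer database.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical hook into the existing customer table: must compare against a stored
// password hash, never a clear-text column. Assumed, not part of the original answer.
public interface ICustomerCredentials { bool Validate(string username, string password); }

public class BasicAuthHandler : DelegatingHandler
{
    private readonly ICustomerCredentials _credentials;
    public BasicAuthHandler(ICustomerCredentials credentials) { _credentials = credentials; }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Basic auth carries the password base64-encoded, not encrypted: insist on TLS.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return request.CreateResponse(HttpStatusCode.Forbidden, "HTTPS required");

        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth != null && auth.Scheme == "Basic" && !string.IsNullOrEmpty(auth.Parameter))
        {
            string[] parts = null;
            try { parts = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter)).Split(new[] { ':' }, 2); }
            catch (FormatException) { /* malformed header: treat as anonymous */ }

            // Only a successful database check establishes a principal; otherwise the request stays anonymous
            // and [Authorize] rejects it further down the pipeline.
            if (parts != null && parts.Length == 2 && _credentials.Validate(parts[0], parts[1]))
                request.GetRequestContext().Principal = new GenericPrincipal(new GenericIdentity(parts[0], "Basic"), new string[0]);
        }

        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);
        // Advertise the scheme so desktop clients know how to retry after a 401.
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
        return response;
    }
}

[Authorize] // every action in this controller requires an authenticated principal
public class ProductsController : ApiController
{
    [HttpGet]
    public IHttpActionResult GetById(int id) { return Ok(new { Id = id, RequestedBy = User.Identity.Name }); }
}
```

Register the handler once at startup with `config.MessageHandlers.Add(new BasicAuthHandler(yourCredentialStore));` so it runs before routing for every request.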