在 ASP.NET (MVC5) web api 项目中授权用户

Question

Ok, so I'm struggling a little bit with trying to get a authentication process in my ASP.NET MVC5 (Web API 2) project. To start, here are some requirements:

• I can't use Entity Framework (all access to the DB needs to be done through stored procedures)
• Needs to target .NET Framework 4.5.2
• I am not using ASP.NET Core
• I would like to be able to use Bearer (or similar) tokens for authentication
• I would like to invalidate tokens if a user logs out or automatically invalidate them after 24 hours
• I would like to pass (and receive) XML when sending requests to the "login" (or "token") endpoint (note that ideally the solution should respect the "Content-Type" and "Accepts" headers, so if I send it JSON it should respond in JSON, and if I send it XML it should respond in XML)
• I will not be using external providers (eg Google) anytime soon (maybe never)
• I would like to use the <Authorize> attributes to help with protecting other endpoints
• I am using VB.NET, although answers to this question can be in C# (I can convert them or rewrite them to suit)
• I would like to store the tokens in the database so I can record which user is doing what within the API

(note that there are lots of reasons why I can't change the above)

I've tried to do this with Owin (OAuth) but I've found the following issues when comparing this to the requirements:

• I can't seem to send the token endpoint any XML
• Responses from the authentication endpoints (both successful and unsuccessful) are in JSON
• I can't invalidate the tokens when logging out

I am happy to move away from OAuth if that is the best way to go for what I want. I would prefer to use Microsoft built nuget packages (ie no third party solutions) or I'm happy to partially roll my own solution (I would like to leverage as much of in-built or Microsoft built code, including Identity and Claims as possible so I can minimise testing efforts).

I have read numerous StackOverflow questions about this and search heaps on the internet, but most articles stick with OAuth despite the above issues or they rely on EntityFramework. My current solution uses the code from here (pretty much copy/pasted with some custom code in ApplicationOAuthProvider.GrantResourceOwnerCredentials()): https://www.codeproject.com/Articles/1187872/Token-Based-Authentication-for-Web-API-where-Legac

Thanks for the help!

Answer 1

I did some more extensive research and it looks like OAuth is not applicable for my specific situation. Although it seems like a nice authentication method, I really need to invalidate tokens via the DB, and I need the API to always send/receive XML (these are apparently not applicable when using OAuth).

To solve these problems, I have rolled my own token-based solution that creates a hashed token on the client side, so I never send passwords over the wire (which is a little bit nicer) because the token is generated on the client side (note that I am controlling what happens on the client side - these are all in house clients and I am writing the libraries these clients will use). This involved me creating my own filter which inherits System.Web.Http.AuthorizeAttribute .

If anyone stumbles across this question and provides a really good answer, I'm more than happy to mark theirs as accepted.