简体   繁体   中英

What is the best practice for user authentication on a C# web api?

I am building a web API that provides data for some applications.

The scenario is something like a web api hosted on Server001 with the methods GET / POST / PUT / Delete available.

In Server002 is a site in another technology, eg PHP, which will use the data that provides the API to present to your users. Websites/ios/android/wp8 other applications can also get data from my webapi (permissions web api, of course).

So I was thinking to generate secret keys for each application registered. The headers of each Get / Post will send this key, and that way I know if an application is allowed or not.

After that, I think about how a user can Login? If the user request log via PHP while in IOS APP I want to know and want to show it to him. Because Gmail does today. So I need to manage the applications and where each user is logged. How could I do this? There are ready solutions?

Is it correct to save on MemoryCache all users logged in all applications? I'm afraid if I have thousands and thousands of users connected at the same time becomes a problem?

I'm totally newbie in security and I do not want to do something now to redo it three months later.

Thank you

I think it will good for you: OAuth (standart for authorization).
DotNetOpenAuth - OAuth library for .NET.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM