ASP.NET Web API with Bearer authentication. How to get/add/update unique user data?

Question

Currently I am about to develop my first REST web API!

I'm currently designing how the system will work yet I am a little confused how things are going to work.

Primarily, a mobile app will consume the Web API, but it must be secure!

For example I wouldn't want an un-authed request handled at all. (Apart from a user registering)

I have found that I can use SSL + Bearer tokens to achieve this user authentication. I am comfortable with this and have tested to see how this would work. And it's suitable.

The problem arises when I wish to retrieve the user details. In my system a user would log in to the mobile app which would request the token from the server. If all is good, I can log the user into the app. Great! Now, I need to get the information stored about this user to present to them. ie name, email, reward points etc...

I am unfamiliar with how to add extra user data AND retrieve it with the Web API. I understand that the token can be used to uniquly identify a user. but how can I extend this data?

Currently I have not much more than a blank WebAPI project with the bearer token authentication implemented. Still using the Entity framework. How can I add more fields of data to a user record? Furthermore, how can I update these records? For example, a user has gained some reward points, how can update the user data for this?

One final question, Is this suitable for retaining per user data? ie can I link other data to a userID or something similar?

Apologies for sounding over-curious, I am very new to MVC

The below code in the IdentityModel.cs would seem like the appropriate place to add user data, but how do I add to this? for example adding a field for reward points? then how would I update upon it?

public class ApplicationUser : IdentityUser
    {
        public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager, string authenticationType)
        {
            // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
            var userIdentity = await manager.CreateIdentityAsync(this, authenticationType);
            // Add custom user claims here
            return userIdentity;
        }
    }

Answer 1

How I would do it:

• Create ActionFilter that would validate token, it would use your custom class that would leverage DI, it would obviously get the user ID as well

• Now that you know that user is authenticated and you know the user ID just do your regular CRUD based on this user ID

Note: Remember to also validate the payload, since if I send you PUT: /user/887/points {points: 999} I could potentially gain unlimited points.

Answer 2

It's not necessary to use ASP .NET Identity for implementing security in your web API project.

If you use Identity you will have to stick on to "ApplicationUser" and Identity tables for user management where you won't be able to complete your requirement.

A solution is to handle user management with your own custom table and implement security using OWIN middleware classes available for .NET, ie, you need to write code for generating and validating tokens rather than using Identity.