Initial API token before user authentication - .NET core Web API
Question
I have a web application in which i have to call a some APIs after and before user login. I would like to secure the calls before login as well. Like, SaveUserAPI, ForgotPasswordAPI while signing up.
I have used JWT token mechanism for generating token after use logged in, in the subsequent calls this token will be used for API authentication.
How should i make the SaveUserAPI, ForgotPasswordAPI calls which are called when user is not logged in? Can you provide some valuable suggestions to approach this?
1 answers
solution1
1 ACCPTED 2020-09-04 03:29:22
If you're using OAuth2, you can generate two kinds of authentication mechanisms for your APIs.
- client-credentials flow: machine-to-machine auth using bearer tokens
- implicit or authorization_code flow: this will be used APIs requiring user's identity
Then you can use Policy/Scope on your APIs to lock down the Register, Forgot Password kind of APIs to use client-credentials and the other apis can use the implicit/auth code flow.
I've done the same in my backend API which is being used by SPAs and mobile apps.
None of my apis allows anonymous access. This means the app needs to authorize and manage two tokens, one for non-user endpoints and the other token for user-linked apis.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.