stackoom
  简体   繁体   中英

Authentication between mvc and webapi (Separate domains/Applications)

 原文  2012-12-10 07:18:49       c#/ asp.net-mvc/ authentication/ cross-domain/ asp.net-web-api

Question

im looking for good ideas/resources/implementations for the following scenario

A MVC website at http://mywebsite.com

A Webapi REST service at http://myapi.com

IMPORTANT -- Please notice the separate domains/Applications..

A user logs in at the website and data is fetched from the API via JSONP/CORS

Obviously i dont want the user to authenticate on the webapi using basic authentication. But the API is also exposed to Android/IOS apps, so i need the basic auth

I've thought about returning a token from the MVC site and then writing a DelegatingHandler at the webapi site to authenticate using that token, but i would like some inputs, or perhaps even better solutions

I made a pretty diagram just for the occation:

图

2 answers

solution1
 9 ACCPTED  2012-12-10 12:30:08

Although JSONP works also consider using CORS some examples of WebApi implementation here .

Consider following a standard (at least a draft) for your token rather than creating your own. Json Web Token (JWT) seem to be a good approach the specification here includes the format and determines the encryption or signing approach. There are libraries to support this kind of token such as the Thinkteckture Identity Model this article covers some of the usage of that library and the JWT. Google have a good dev guide here .

Disclaimer, only consider the above having read about some of the OAuth and JWT standardization criticisms .

If you did use a HTTP header, I am not sure you need a custom header (@Vipul) the "Authorization :" header is there for this kind of information.

If you are using a custom token, ensure it has an expiration date, consider using a nonce if you want to protect against replay attacks and sign or encrypt using a well known algorithm.

Agree with you that delegating handler is a good place to put token validation. An ActionFilter is called much later than necessary in the stack and the middle ground would be to implement System.Web.Http.AuthorizeAttribute .

solution2
 1  2012-12-10 09:18:26

token solution sounds good.

Get the authentication token from MVC application, you can send that token with each API request in some custom header. Create an ActionFilterAttribute and in OnActionExecuting you can verify the token and act accordingly.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question WebApi 2 Authentication and ASP.NET MVC 5 Applications Share Authentication between MVC applications through WIF Negotiate two applications in separate domains Authentication In MVC & WebAPI Website WebApi Authentication is not applied to MVC Shared authentication based on Identity Server 4 between MVC and SPA applications ASP.NET MVC - Same authentication between two applications MVC + WebApi. Authorization and Authentication How to do forms authentication with SignalR (separate domains)? How to manage byte[] params between applications with WebApi
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM