16
votes

I'm looking for good ideas/resources/implementations for the following scenario:

A MVC website at http://mywebsite.com

A Webapi REST service at http://myapi.com

IMPORTANT: please notice the separate domains/applications.

A user logs in at the website, and data is fetched from the API via JSONP/CORS.

Obviously I don't want the user to authenticate on the Web API using basic authentication. But the API is also exposed to Android/iOS apps, so I need the basic auth.

I've thought about returning a token from the MVC site and then writing a DelegatingHandler at the Web API site to authenticate using that token, but I would like some input, or perhaps even better solutions.

I made a pretty diagram just for the occasion:

[Diagram]

2
What's your question? The token solution sounds fine. - Dante May Code
A user logs in at the website and data is fetched from the API via AJAX - how does this happen if the WebAPI is on a different domain? - Darin Dimitrov
@DanteisnotaGeek The question is: "but i would like some inputs, or perhaps even better solutions" - Lars Nielsen
@DarinDimitrov I don't follow you. The problem is authentication between the apps, which the question is about. - Lars Nielsen
But @DarinDimitrov has a point. A cross domain AJAX request is not possible, with or without authentication. - Wouter de Kort♦

2 Answers

9
votes

Although JSONP works, also consider using CORS; some examples of WebApi implementation are here.

Consider following a standard (at least a draft) for your token rather than creating your own. JSON Web Token (JWT) seems to be a good approach; the specification here includes the format and determines the encryption or signing approach. There are libraries to support this kind of token, such as the Thinktecture Identity Model; this article covers some of the usage of that library and JWT. Google has a good dev guide here.

Disclaimer: only consider the above after having read about some of the OAuth and JWT standardization criticisms.

If you did use an HTTP header, I am not sure you need a custom header (@Vipul); the "Authorization:" header is there for this kind of information.

If you are using a custom token, ensure it has an expiration date, consider using a nonce if you want to protect against replay attacks, and sign or encrypt using a well-known algorithm.

I agree with you that a delegating handler is a good place to put token validation. An ActionFilter is called much later than necessary in the stack, and the middle ground would be to implement System.Web.Http.AuthorizeAttribute.
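As an added illustration of the advice in this answer (not code from the answer or from any library), here is a Web API DelegatingHandler that validates a custom token carrying an expiration, a nonce and an HMAC-SHA256 signature in the Authorization header. The `user|expiresUtcTicks|nonce|signature` format, the `Bearer` scheme and the shared key are assumptions, and the nonce cache is per-process, so a load-balanced API would need a shared store.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
// Accepts "Authorization: Bearer user|expiresUtcTicks|nonce|base64(HMAC-SHA256(user|expiresUtcTicks|nonce))",
// a constructed token format minted by the MVC site with the same shared key.
public class TokenAuthHandler : DelegatingHandler
{
    private readonly byte[] _key;
    private readonly ConcurrentDictionary<string, DateTime> _seenNonces = new ConcurrentDictionary<string, DateTime>();
    public TokenAuthHandler(byte[] sharedKey) { _key = sharedKey; }
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var auth = request.Headers.Authorization;
        string user;
        if (auth == null || auth.Scheme != "Bearer" || !TryValidate(auth.Parameter, DateTime.UtcNow, out user))
            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.Unauthorized));
        // Web API 1 reads Thread.CurrentPrincipal; on Web API 2 also set request.GetRequestContext().Principal.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user, "Token"), new string[0]);
        return base.SendAsync(request, ct);
    }
    public bool TryValidate(string token, DateTime now, out string user)
    {
        user = null;
        var parts = (token ?? "").Split('|');
        if (parts.Length != 4) return false;
        byte[] presented; try { presented = Convert.FromBase64String(parts[3]); } catch (FormatException) { return false; }
        byte[] expected;
        using (var hmac = new HMACSHA256(_key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(parts[0] + "|" + parts[1] + "|" + parts[2]));
        // Check the signature first, in constant time: until it holds, every other field is untrusted input.
        int diff = expected.Length ^ presented.Length;
        for (int i = 0; i < expected.Length && i < presented.Length; i++) diff |= expected[i] ^ presented[i];
        if (diff != 0) return false;
        long ticks;
        if (!long.TryParse(parts[1], out ticks) || ticks < 0 || ticks > DateTime.MaxValue.Ticks) return false;
        var expires = new DateTime(ticks, DateTimeKind.Utc);
        if (expires <= now) return false; // expired, whatever the nonce says
        foreach (var kv in _seenNonces) // forget nonces whose tokens can no longer be replayed anyway
            if (kv.Value <= now) { DateTime gone; _seenNonces.TryRemove(kv.Key, out gone); }
        if (!_seenNonces.TryAdd(parts[2], expires)) return false; // nonce already used: replay
        user = parts[0];
        return true;
    }
}
```

Register it with `config.MessageHandlers.Add(new TokenAuthHandler(key))` so it runs before routing and before any ActionFilter, which is the ordering the answer recommends.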

1
votes

The token solution sounds good.

Get the authentication token from the MVC application; you can send that token with each API request in some custom header. Create an ActionFilterAttribute, and in OnActionExecuting you can verify the token and act accordingly.