
I have to write an API for authenticating the user based on a unique token generated by our user access management provider.

The process is that we have applications developed in PHP which manage authenticating the user with username and password. On that PHP application we have links to other .NET and Java applications. When a link is clicked, the 3rd-party user access management is contacted, which in turn gives a unique token (something like a GUID) that is passed as a query string parameter to the .NET application. Our .NET application was developed way back in 2008, and it uses a VB script to authenticate that unique token against the 3rd-party user management application.

I have done a lot of research and was trying to write an ASP.NET MVC4 Web API to get rid of the VB script and make it extendable. Please let me know if my approach is right, or what should be used to accomplish the requirements below:

  • The API should be able to serve any number of application links provided on the main PHP application.
  • The other applications using this API for authenticating the token would be in Java and .NET.
  • Am I right in choosing MVC4 Web API to accomplish this?
  • If yes, then what type of authentication should be used (Basic, Forms, etc.)?
  • Is there any sample code to have a look at? I have found many examples which are not that relevant to my scenario.

These Java and .NET applications should just authenticate based on the unique token which is passed on from the PHP application.

3 Answers


From the sounds of your request it seems that Thinktecture's Identity Server would be extremely suitable for your needs. If you navigate to the link, it will provide a thorough explanation of how it can serve as a hub for authenticating tokens. I am very confident this will answer your checklist of questions!


You can use a message handler for setting the CurrentPrincipal, so something like this:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

// Token and TokenAssembler<T> are the answerer's own types (not shown here):
// TokenAssembler.Decrypt turns the SSO token string into a Token, or null if it is invalid.
public class TokenAuthMessageHandler : DelegatingHandler
{
    public TokenAssembler<Token> TokenAssembler { get; set; }
    const string SSOTOKEN = "token";
    // Response header that signals a challenge was already issued (header name assumed).
    const string BasicAuthResponseHeader = "WWW-Authenticate";

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request,
        CancellationToken cancellationToken)
    {
        // Must be initialised: neither branch below is guaranteed to assign it.
        Token token = null;
        IEnumerable<string> headers;
        if (request.Headers.TryGetValues(SSOTOKEN, out headers))
        {
            // Token supplied as a request header.
            token = TokenAssembler.Decrypt(headers.First());
        }
        else
        {
            // Fall back to the query string parameter the PHP application appends.
            var qs = HttpUtility.ParseQueryString(request.RequestUri.Query);
            var tokenstr = qs[SSOTOKEN];
            if (!string.IsNullOrEmpty(tokenstr))
            {
                token = TokenAssembler.Decrypt(tokenstr);
            }
        }

        if (token != null)
        {
            // The user name comes from the decrypted token (property name assumed).
            var principal = new GenericPrincipal(new GenericIdentity(token.Username), null);
            Thread.CurrentPrincipal = principal;
            HttpContext.Current.User = principal;
        }
        return base.SendAsync(request, cancellationToken)
            .ContinueWith(task =>
            {
                var response = task.Result;

                if (response.StatusCode == HttpStatusCode.Unauthorized
                    && !response.Headers.Contains(BasicAuthResponseHeader))
                {
                    // redirect to some log in page?
                }
                return response;
            });
    }
}

You can register the message handler in WebApiConfig like so:

config.MessageHandlers.Add(new TokenAuthMessageHandler() { TokenAssembler = MyTokenAssembler });
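A hardened variant of the handler approach above, written here as an added example and not taken from the answer: it checks the token against the provider before the controller runs and short-circuits with 401 instead of letting the request continue anonymously. `ITokenValidator` and `SsoTokenInfo` are hypothetical stand-ins for the call to the third-party user access management provider, and the "SsoToken" scheme name is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
// Hypothetical adapter around the provider's token check; null means the provider rejected it.
public sealed class SsoTokenInfo { public string Username; public DateTime ExpiresUtc; }
public interface ITokenValidator { SsoTokenInfo Validate(Guid token); }
public sealed class SsoTokenHandler : DelegatingHandler
{
    private const string TokenParam = "token";
    private readonly ITokenValidator _validator;
    public SsoTokenHandler(ITokenValidator validator) { _validator = validator; }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Prefer the header: query strings end up in web server and proxy logs.
        IEnumerable<string> values;
        string raw = request.Headers.TryGetValues(TokenParam, out values)
            ? values.FirstOrDefault()
            : HttpUtility.ParseQueryString(request.RequestUri.Query)[TokenParam];
        // The token is GUID-like per the question: reject anything else before calling the provider.
        Guid token;
        if (string.IsNullOrEmpty(raw) || !Guid.TryParse(raw, out token))
            return Reject(request, "missing or malformed token");
        SsoTokenInfo info = _validator.Validate(token);
        if (info == null || info.ExpiresUtc <= DateTime.UtcNow)
            return Reject(request, "token rejected or expired");
        // Authenticated identity so [Authorize] and User.Identity.Name work in controllers.
        var identity = new ClaimsIdentity("SsoToken");
        identity.AddClaim(new Claim(ClaimTypes.Name, info.Username));
        var principal = new ClaimsPrincipal(identity);
        Thread.CurrentPrincipal = principal;
        if (HttpContext.Current != null) HttpContext.Current.User = principal;
        return await base.SendAsync(request, cancellationToken);
    }
    // Short-circuit with 401 plus a challenge header; an API client cannot follow a login redirect.
    private static HttpResponseMessage Reject(HttpRequestMessage request, string reason)
    {
        var response = request.CreateResponse(HttpStatusCode.Unauthorized, reason);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("SsoToken"));
        return response;
    }
}
```

Register it the same way as above (`config.MessageHandlers.Add(new SsoTokenHandler(myValidator))`); because it runs before routing, every controller behind the API sees either an authenticated principal or nothing at all.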

I found this link to be super simple and useful for deciding what to use. I think he has explained it in a very simple way.

I have been searching for this kind of explanation for the past 3 to 4 days and finally got it. Though it does not have an actual implementation for OpenID and OAuth, it is worth reading.

http://jamiekurtz.com/2013/01/14/asp-net-web-api-security-basics/