0
votes

Our situation:

  • 1 IIS website running Umbraco CMS, built on WebAPI v1 - www.somesite.com
  • 1 IIS website running a WebAPI v2 - api.somesite.com

We need these two separate sites because our API logic has been built on WebAPI v2 and we don't want to write a separate v1 API just because Umbraco uses an old version which is not compatible with the new version (thanks Microsoft).

On site 1 we want to access the API running on site 2. Some API methods on site 2 require authentication using the [Authorize] attribute. What would be the correct way to authenticate users against site 1 and site 2 at the same time?

1
Sounds like your architect needs to be fired, why would anyone make this kind of decision before looking into these kinds of problems? - BenjaminPaul
If you read the post you'd know why. And it's a hypothetical situation, not an actual realized solution. Obviously. - Erik van Rijn

1 Answer

0
votes

Why not use a claims-based auth token that you could include in the Authorization header of the requests? If you are making requests over HTTP, then definitely look into encrypting the token. I would not suggest using Basic Authentication, even if you were to only use it over SSL, but that is also an option.

On site 2, you can either use a custom Authorization filter or a delegating handler to extract and parse the token and set the current user and principal of the context.
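
A sketch of the delegating-handler approach for site 2, added here as an illustration and not code from the answer or from either site. The token format, the `SignedTokenHandler` name and the shared HMAC key are assumptions made for the example; a standard JWT library would fill the same role.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
// Assumed token format (constructed for this example, not a standard):
//   base64(payload) "." base64(HMAC-SHA256(key, payload)), payload = "user|role1,role2|expiryUnixSeconds"
public class SignedTokenHandler : DelegatingHandler
{
    private readonly byte[] _key; // assumption: secret shared by site 1 (issuer) and site 2 (verifier)
    public SignedTokenHandler(byte[] key) { _key = key; }
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var auth = request.Headers.Authorization;
        if (auth != null && string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
        {
            var principal = Validate(auth.Parameter ?? "");
            if (principal == null) // a bad token is rejected, never downgraded to anonymous
                return Task.FromResult(new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request });
            request.GetRequestContext().Principal = principal; // the principal [Authorize] checks
        }
        return base.SendAsync(request, ct); // no header: [Authorize] itself answers 401
    }
    private ClaimsPrincipal Validate(string token)
    {
        var parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, mac, expected;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        using (var hmac = new HMACSHA256(_key)) expected = hmac.ComputeHash(payload);
        int diff = mac.Length ^ expected.Length; // compare without exiting early on the first mismatch
        for (int i = 0; i < mac.Length && i < expected.Length; i++) diff |= mac[i] ^ expected[i];
        if (diff != 0) return null;
        var fields = Encoding.UTF8.GetString(payload).Split('|'); // parsed only after the MAC checks out
        long expiry;
        if (fields.Length != 3 || !long.TryParse(fields[2], out expiry)) return null;
        var now = (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
        if (expiry < now) return null; // expired tokens are refused
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, fields[0]) };
        foreach (var role in fields[1].Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
            claims.Add(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer")); // non-null auth type => IsAuthenticated
    }
}
```

The handler is registered on site 2 with `config.MessageHandlers.Add(new SignedTokenHandler(key))`. The token here is signed but not encrypted, so its claims are readable by anyone who captures it.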