Windows and Token Auth for same WEB API

0
votes

Ok, I have this scenario.

I have one WEB API which will provide functionality to an intranet application, the idea is this application WILL not be visible to the outside world, so it wont have a login page.

However, the web api will also be consumed by mobile apps outside the organization, so the webapi WILL be exposed via a public url.

How can I make the authentication/authorization here to support both scenarios? 1. Internal users will be able to consume the web api via the angular backend app without an explicit login page. 2. External users via the mobile app will consume the web api with their active directory account.

I found this: https://stormpath.com/blog/token-authentication-asp-net-core

where I could easily replace the GetIdentity Method to go to Active Directory and check if user exists with that user and password, but on the intranet, I wont have that info.

ideas please?

1
c#asp.net.netasp.net-web-apixamarin

1 Answers

1
votes

The best way to handle such a scenario is to use HMAC Authentication as discussed here. This will allow easier access to the piblic endpoint without requirering some kind of a login from the mobile clients, while at the same time enabling you to know which mobile is acceessing your endpoint. This is the same workflow as implemented in External Auth services like login with google and facebook where you are given an apikey and a apisecret

YOU CAN FIND THE SOURCE CODE OF THE EXAMPLE USING ASP.NET HERE