0
votes

I have a WebApi with ASP.Net MVC5 Framework that implements Bearer Token security.

Once the user is authenticated, a WebApi method returns the bearer token for the next API calls that require authentication.

All works properly, but I need to clarify some doubts:

After the token is returned to the client, another client call to a webapi method returns the user details and all is stored in the browser local storage.

My question is:

I think that the local application (made with Angular2) is not secure because it uses local storage for the token and user details.

If the user changes the user details in the local storage (like the role, for example), he can impersonate another role...

Now, is the problem real? And if it is, is it possible to implement a navigation session in the WebApi even if the authentication is done with a bearer token?

Thanks for the support

1
Your bearer token is encrypted by Asp.Net Identity, and that token should contain the roles that the user belongs to. – Brendan Green
Adding to @BrendanGreen, referring to this may be helpful to your case: stackoverflow.com/questions/17280390/… – Anil

1 Answer
