Authentication for MVC4 Web Api

I am trying to protect my MVC4 Web Api. In fact, I really need an identity provider with some easy protection. My service is similar to Twitter from a security point of view: there is not much private data, but the service really needs to know the user ID for the caller.

It is also important to know that the web service will only be used by mobile devices right now, although the website may accompany it in the future.

Someone and the Internet led me to Thinktecture.IdentityModel, but it seems complicated and I can find exactly zero documentation or samples. I have not had a pleasant claims-based authentication experience yet. I don’t have a request server, token provider or anything like that, and it seems that you need those to use this method. It all seems hard for my situation.

I also read about people implementing their own HMAC solution (https://github.com/cuongle/WebAPI.Hmac) or using OAuth (https://github.com/maksymilian-majer/DevDefined.OAuth) but they also seem a bit complicated (I read that OAuth without a helper class is enough to make the best developers cry, and I'm not the best). Janrain looks like it might work, but it looks like you have to pay for more than 2500 authenticated users per year ...

What is the best way to implement a simple identity and security provider for Web Api?

Thanks!

+4
3 answers

I tried to answer a similar question before, creating an OAuth 2.0 service provider using DotNetOpenAuth, where I dedicated the Identity Server. The setup instructions are not too complicated (IMHO). The installation video here should help a lot.

I also updated my older answer, but there is a pretty simple example of an OAuth 2.0 implementation. Sample code here: http://code.google.com/p/codesmith/downloads/detail?name=OAuth2.zip&can=2&q=#makechanges

Also read this well-worded question here: Authentication of requests from a mobile application (iPhone) to ASP.Net web interface (feedback requested in my project)

+4

Well, security is complicated :)

Regarding Thinktecture.IdentityModel: it is a token processing library (among other things) that you will use in your WebAPI application. You would use this so that you do not need to write the logic to accept tokens (basic auth, SAML, SWT, JWT). Claims are only a side effect.

If you are looking for an identity provider, then the open source sister Thinktecture.IdentityServer is in beta for version 2. It is an identity provider that supports a custom database and issues tokens. Project URL:

http://thinktecture.github.com/Thinktecture.IdentityServer.v2/

+1

In response to the problem of finding example code as documentation, consider the samples folder in the Thinktecture github repo: https://github.com/thinktecture/Thinktecture.IdentityModel.45/tree/master/Samples

(Why do you need more reputation to comment on SO than to respond?)

+1

Source: https://habr.com/ru/post/1440432/
