I use VS2013 and Web API 2 to create a standalone (using OWIN) RESTful service over SSL using token authentication. Although I'm not a novice developer, this is my first look at ASP.NET technologies, so please keep that in mind.
I have more or less everything working besides the authentication and authorization parts. I fully understand the difference between user authentication (who is this user?) and authorization of an already-authenticated user's access to a resource (can this user access this specific resource?).
A very simple overview of my authorization process is as follows (for the sake of brevity, some assumptions are made):
- An unknown client connects to the API, e.g. GET api/values.
- The server responds 401 with this response header: "WWW-Authenticate: Token".
- Meanwhile, the unknown client knows that it needs to connect to another API endpoint, POST api/auth (redirected to the login function), specifying a username and password.
- The server will try to find out if this is a valid user and can accept or reject the user depending on the validity of the credentials.
- (Rejected) The server returns an error status code (403?). The end of the process.
- (Accepted) The server creates a random token (for example, a GUID) and saves it against a user record. Then it sends the token to the client.
- Now the authenticated client reconnects to the API, GET api/values, and this time also provides the token.
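The flow described in the question, written out as an added example (this is not the asker's code and not Microsoft's sample; it is a self-host Web API 2 project in the style the question describes). It assumes the NuGet packages Microsoft.AspNet.WebApi.Core and Microsoft.AspNet.WebApi.OwinSelfHost and the hypothetical names UserStore, TokenStore, TokenChallengeResult, TokenAuthenticationFilter, AuthController, ValuesController and Startup; the single account "alice" and the listening URL are constructed. It shows the parts the question leaves open: an IAuthenticationFilter that turns "Authorization: Token <value>" into the request principal, a challenge that puts "WWW-Authenticate: Token" on every 401 (including the one [Authorize] produces for anonymous callers), a login action that answers a rejected login with 401 and the same challenge, and a token that is 256 bits from the CSPRNG rather than a GUID, stored only as a hash with an expiry so that a copied token table is useless on its own.

```csharp
// Added example (not the asker's code or Microsoft's sample). Assumes NuGet packages Microsoft.AspNet.WebApi.Core
// and Microsoft.AspNet.WebApi.OwinSelfHost; the single-user store is a constructed stand-in.
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using Owin;

public static class UserStore   // constructed: one account, password kept only as a PBKDF2 hash
{
    static readonly byte[] Salt = Encoding.UTF8.GetBytes("constructed-salt-16b");
    static readonly byte[] AliceHash = Derive("correct horse battery staple");
    static byte[] Derive(string pw) { using (var kdf = new Rfc2898DeriveBytes(pw, Salt, 100000)) return kdf.GetBytes(32); }
    public static bool CheckPassword(string user, string password)
    {
        if (user != "alice" || password == null) return false;
        byte[] candidate = Derive(password);
        int diff = 0;                                                   // constant-time compare of the two hashes
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ AliceHash[i];
        return diff == 0;
    }
}
// Opaque tokens: 256 CSPRNG bits (not Guid.NewGuid()), kept only as SHA-256 hash plus expiry.
public static class TokenStore
{
    static readonly ConcurrentDictionary<string, Tuple<string, DateTime>> Tokens = new ConcurrentDictionary<string, Tuple<string, DateTime>>();
    static string Hash(string t) { using (var sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(t))); }
    public static string Issue(string user)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        Tokens[Hash(token)] = Tuple.Create(user, DateTime.UtcNow.AddHours(1));
        return token;
    }
    public static string Lookup(string token)   // user name, or null when unknown or expired
    {
        Tuple<string, DateTime> entry;
        if (!Tokens.TryGetValue(Hash(token), out entry)) return null;
        return entry.Item2 > DateTime.UtcNow ? entry.Item1 : null;
    }
}
sealed class TokenChallengeResult : IHttpActionResult   // 401 + "WWW-Authenticate: Token"; decorates the [Authorize] 401 when given one
{
    readonly HttpRequestMessage _request; readonly IHttpActionResult _inner;
    public TokenChallengeResult(HttpRequestMessage request, IHttpActionResult inner) { _request = request; _inner = inner; }
    public async Task<HttpResponseMessage> ExecuteAsync(CancellationToken ct)
    {
        HttpResponseMessage response = _inner != null ? await _inner.ExecuteAsync(ct)
            : new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = _request };
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Token"));
        return response;
    }
}
public sealed class TokenAuthenticationFilter : IAuthenticationFilter   // "Authorization: Token <value>" -> request principal
{
    public bool AllowMultiple { get { return false; } }
    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken ct)
    {
        AuthenticationHeaderValue header = context.Request.Headers.Authorization;
        if (header == null) return Task.FromResult(0);   // anonymous; [Authorize] decides whether that is allowed
        bool wellFormed = string.Equals(header.Scheme, "Token", StringComparison.OrdinalIgnoreCase) && !string.IsNullOrEmpty(header.Parameter);
        string user = wellFormed ? TokenStore.Lookup(header.Parameter) : null;
        if (user == null)
            context.ErrorResult = new TokenChallengeResult(context.Request, null);   // malformed, unknown or expired token
        else
            context.Principal = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "Token"));
        return Task.FromResult(0);
    }
    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken ct)
    { context.Result = new TokenChallengeResult(context.Request, context.Result); return Task.FromResult(0); }
}
public sealed class Credentials { public string UserName { get; set; } public string Password { get; set; } }
public sealed class AuthController : ApiController
{
    [AllowAnonymous, HttpPost, Route("api/auth")]
    public IHttpActionResult Login(Credentials creds)
    {
        if (creds == null || !UserStore.CheckPassword(creds.UserName, creds.Password))
            return Unauthorized(new AuthenticationHeaderValue("Token"));   // rejected: 401 with the same challenge
        return Ok(new { token = TokenStore.Issue(creds.UserName) });       // accepted: token goes back to the client
    }
}
[Authorize] public sealed class ValuesController : ApiController
{ [HttpGet, Route("api/values")] public IHttpActionResult Get() { return Ok(new[] { "value1", "value2" }); } }
public sealed class Startup   // host with WebApp.Start<Startup>("https://localhost:9443") (constructed URL)
{
    public void Configuration(IAppBuilder app)
    {
        var config = new HttpConfiguration(); config.MapHttpAttributeRoutes();
        config.Filters.Add(new TokenAuthenticationFilter());   // global, so it runs before [Authorize] on every action
        app.UseWebApi(config);
    }
}
```

With this wired up, an anonymous GET api/values gets 401 with WWW-Authenticate: Token from the [Authorize] 401 that ChallengeAsync decorates; a POST api/auth with the right credentials returns a token; the same GET with "Authorization: Token <token>" reaches the action with a ClaimsPrincipal whose name is the user. The filter is registered globally so that every action sees the principal and [Authorize] makes the per-resource decision, which is the authentication/authorization split the question draws. Tokens are held in memory here; a real service would keep the hashed tokens in its user store and sweep expired rows.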