ASP.NET Web API - Authorization from Request Values and API Security

While developing and learning ASP.NET Web API, I ran into several issues that I need help with and would like to discuss.

Inspired by this excellent message about developing a Secure REST API without OAuth, I wonder how best to go about checking the various tokens and information that I intend to ask for.

Short summary - I will ask for the following information (in the query string):

  • user ID
  • api key
  • timestamp
  • a hash based on the secret key that the user issued and hashed along with the request values

My question / interest:

If this is a sound approach, what is the best way to implement this using the ASP.NET Web API?

I am currently thinking of using a custom attribute that I can mark my own methods with, like the Authorize attribute, which captures the requested query string or some POCO object that contains all the values, and which I can use to keep all the authorization code in one place.

Does anyone have experience or thoughts?

Thanks:)

+6
1 answer

Currently, as you can see, the Web API uses the AuthorizeAttribute approach. I think this is a pretty good approach, since we can put this attribute on separate elements that require authorization.

I implemented authorization by extending System.Web.Http.Filters.AuthorizationFilterAttribute. Once you extend it, all of the authorization information will be up to you and you will have many options to choose from.

+5
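
One way to build the filter the answer describes, checking the four query string values from the question. This is an added example, not code from the question or the answer. The parameter names, the use of HMAC-SHA256 as the hash, the canonical string, the 300-second window and the `LookupSecret` helper are all assumptions; it uses C# 7 syntax and targets .NET Framework 4.6 or later.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Added example: parameter names, canonical string and the 300 s window are assumptions.
public class SignedRequestAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext ctx)
    {
        var q = ctx.Request.GetQueryNameValuePairs()
            .GroupBy(p => p.Key).ToDictionary(g => g.Key, g => g.First().Value);
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        bool ok = q.TryGetValue("userId", out var userId) && q.TryGetValue("apiKey", out var apiKey)
            && q.TryGetValue("timestamp", out var ts) && q.TryGetValue("signature", out var sig)
            && long.TryParse(ts, out var sent) && sent >= now - 300 && sent <= now + 300
            && SignatureMatches(ctx.Request, userId, apiKey, ts, sig);
        if (!ok) // setting Response short-circuits the pipeline: the action never runs
            ctx.Response = ctx.Request.CreateResponse(HttpStatusCode.Unauthorized);
    }

    static bool SignatureMatches(HttpRequestMessage req, string userId, string apiKey, string ts, string sigHex)
    {
        byte[] secret = LookupSecret(userId, apiKey);
        if (secret == null) return false;
        // Any request value left out of the canonical string can be altered without detection.
        string canonical = string.Join("\n", req.Method.Method, req.RequestUri.AbsolutePath, userId, apiKey, ts);
        using (var hmac = new HMACSHA256(secret))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical));
            string expected = BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
            return FixedTimeEquals(expected, sigHex.ToLowerInvariant());
        }
    }

    // Compare without exiting early so timing does not reveal how many characters matched.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Hypothetical secret store with one constructed entry; replace with a real lookup.
    static byte[] LookupSecret(string userId, string apiKey) =>
        userId == "demo-user" && apiKey == "demo-key" ? Encoding.UTF8.GetBytes("constructed-demo-secret") : null;
}
```

Applied as `[SignedRequest]` on a controller or action, the filter rejects the request with 401 before the action runs. The timestamp window narrows replay but does not eliminate it: a captured request remains valid until the window closes.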

Source: https://habr.com/ru/post/909585/

