ASP.NET Web API authorization and Authentication

2020-05-20 12:27发布

I'm trying to build a secure asp.net web api. You can find a lot of ways of how to secure your API, but I want to know what is the best way or the 'industry standard' to implement this for my case.

These are my requirements - The API will be used by a small number of third-party developers for websites/mobile apps etc. - Developers who want to use this API have to be given a key to access the API (Authorization) - Users (Visitors/consumers) have to login into the third-party apps to see their personalized information. - The API will use an ASP membership database for managing/authenticating the users.

I know it's possible to use http basic authentication for authenticating users, but how do I implement the authorization part of the API?

Is OAuth 2.0 a solution?

2条回答
\"骚年 ilove
2楼-- · 2020-05-20 12:31

I would also suggest the use of the Thinktecture.IndentityModel.40 library that can support the following:

Base

  • Base64Url encoding
  • Epoch Date Time conversion
  • Random number generation
  • Time-constant string comparison

Claims

  • Anoynmous claims principal
  • Authentication instant claim
  • Claims-based authorization

Constant

  • Useful constants when dealing with algorithms, date time formats, JWT, SWT, WS-Security & WS-Trust

Extension Methods

  • XML (to and from XmlReader, XmlDocument, XDocument)
  • WS-Trust RSTRs
  • Security token conversion
  • X.509 Certificates
查看更多
可以哭但决不认输i
3楼-- · 2020-05-20 12:47

There is a very good article describing the authentication/authorization with token/key:

It also describes some other good practices regarding ASP.NET Web API security.

查看更多
登录 后发表回答