I'm trying to build a secure asp.net web api. You can find a lot of ways of how to secure your API, but I want to know what is the best way or the 'industry standard' to implement this for my case.
These are my requirements - The API will be used by a small number of third-party developers for websites/mobile apps etc. - Developers who want to use this API have to be given a key to access the API (Authorization) - Users (Visitors/consumers) have to login into the third-party apps to see their personalized information. - The API will use an ASP membership database for managing/authenticating the users.
I know it's possible to use http basic authentication for authenticating users, but how do I implement the authorization part of the API?
Is OAuth 2.0 a solution?
I would also suggest the use of the Thinktecture.IndentityModel.40 library that can support the following:
Base
Claims
Constant
Extension Methods
There is a very good article describing the authentication/authorization with token/key:
It also describes some other good practices regarding ASP.NET Web API security.