
In designing and learning about an ASP.NET Web API I've come across a few challenges I'd like some help and discussion on.

Inspired by this excellent post on designing a Secure REST API without OAuth I'm wondering how best to approach validating the various tokens and information I intend to ask for.

Brief summary is I'll be asking for (in the querystring) the following info:

  • user id
  • api key
  • timestamp
  • a signature hash based on a secret key the user has been issued and hashed together with the request values

My question / wondering is this:

If this is a sound approach, what would be the best way to implement this using ASP.NET Web API?

I'm currently thinking about either using a custom attribute that I can mark my methods with, kind of an Authorize attribute that grabs the required from the query string or some POCO type object that contains all the values and I can use to keep all the authorisation type code in one place.

Has anyone got any experience or thoughts on this?

Thanks :)

  • You could probably invoke your auth code in either the global Begin_Request handler or the global Authenticate_Request handler. Commented Feb 28, 2012 at 21:42

1 Answer


Currently, as you might have seen, the AuthorizeAttribute approach is used in Web API. I think that this is a fairly good approach in that we can put this attribute on individual items that need authorization.

I have done authorization by extending the System.Web.Http.Filters.AuthorizationFilterAttribute. After you extend it, all authorization details are up to you and you have plenty of approaches to choose from.


1 Comment

Sure. My BasicAuthorizationFilterAttribute extends the System.Web.Http.Filters.AuthorizationFilterAttribute and then overrides the OnAuthorization method. Since the OnAuthorization method accepts HttpActionContext as its parameter, this object allows me to access the request message and take the required data from there (the HttpRequestHeaders.Authorization header in this case). From there onwards, the value has to be checked. If it is valid, the method returns. Otherwise the method assigns the actionContext.Response object and an "unsuccessful authorization" response is returned.
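Putting the answer and the question together, here is an added example (not the answerer's code) of such a filter that reads the four values the question lists from the query string rather than the Authorization header, rejects stale timestamps, recomputes an HMAC-SHA256 over the request values with the user's issued secret and compares it in fixed time. `SecretLookup` is a hypothetical hook for whatever store holds the issued secrets, and the canonical string layout is an assumption the client must mirror.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Added example, not the answerer's code. SecretLookup is a hypothetical hook wired at
// startup that returns the secret issued to a (user id, api key) pair, or null if unknown.
public class HmacQueryAuthorizeAttribute : AuthorizationFilterAttribute
{
    public static Func<string, string, string> SecretLookup = (userId, apiKey) => null;
    private const int AllowedSkewSeconds = 300;   // tolerated client/server clock drift
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var req = actionContext.Request;
        var q = req.GetQueryNameValuePairs()
                   .ToDictionary(kv => kv.Key, kv => kv.Value, StringComparer.OrdinalIgnoreCase);
        if (!q.TryGetValue("userid", out var userId) || !q.TryGetValue("apikey", out var apiKey) ||
            !q.TryGetValue("timestamp", out var ts) || !q.TryGetValue("signature", out var sig))
        { Reject(actionContext); return; }
        // A captured signed URL stays valid only inside this window.
        if (!long.TryParse(ts, out var unix) ||
            Math.Abs(DateTimeOffset.UtcNow.ToUnixTimeSeconds() - unix) > AllowedSkewSeconds)
        { Reject(actionContext); return; }
        var secret = SecretLookup(userId, apiKey);
        if (secret == null) { Reject(actionContext); return; }
        // Canonical string the client must build identically: method, path and the public values.
        var canonical = string.Join("\n", req.Method.Method, req.RequestUri.AbsolutePath, userId, apiKey, ts);
        byte[] provided;
        try { provided = Convert.FromBase64String(sig); }
        catch (FormatException) { Reject(actionContext); return; }
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
        {
            if (!FixedTimeEquals(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)), provided))
                Reject(actionContext);
        }
    }
    // Compare every byte regardless of the first mismatch so response time leaks nothing about the expected value.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    private static void Reject(HttpActionContext ctx) =>
        ctx.Response = ctx.Request.CreateResponse(HttpStatusCode.Unauthorized, "Invalid or missing request signature.");
}
```

Mark an action or controller with `[HmacQueryAuthorize]` and the filter runs before the action; a timestamp window alone does not stop replay inside that window, so a per-request nonce store is the usual next step.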
