Question

I'm interested in creating a shared Web API with OWIN middle-ware that could service a number of different applications. This concept would require the /Token route and the api/Account/Register route to be able to hit different databases based on a request parameter informing it of which app is calling. After reading up on OWIN I'm not seeing anything about how to accomplish this. Would having one Web API per application be the recommended way to go? Or is the original concept doable?

I certainly appreciate any input.

======[Edit, after reading @William's response]=========================

The concept is a single sign-on scenario where there's a legacy application which handles its own security through Forms Authentication, but now it's desired to have a number of satellite applications that the users can have access to, depending on which ones they have purchased access to.

The Web API is to be the broker for managing the tokens for all of the satellite applications. Due to the fact that access to the satellite apps is on a paid basis, the tokens would need to be separated somehow.

There's also the possibility that some company partner might want access to their site sold and for reasons unclear to me at the moment it is believed that these partners would want the tokens stored in their own database. So, the Web API would need to be able to partition off the tokens to meet those needs.

Once the satellite application (these are going to be SPAs) was hit by a user, it would then communicate with the Web API for all its data-layer work.

The part where @William says 'each application would have to share the same userstore' sounds bad ;-) I have a feeling this isn't going to work out.

And it's going to have to be a custom OWIN implementation, since the legacy app is the driver.


Solution

It sorta sounds like you're looking for a central authentication service/server that many applications would use to authenticate?

The different databases thing does throw me. Are you saying upon authentication, the user would have access to a particular database? Or are you saying multiple identity stores to authenticate from?

For a centralized authentication solution I would suggest identity server (WIF) and/or authorization server (OAUTH) from thinktecture. Each application would be a relying party.

If you really want to do a custom owin solution, you can do a single api solution that does bearer authorization and use that token in your other applications, but you would need to implement ISecureDataFormat so that each application can decrypt the token to get the identity, and each application would have to share the same userstore.

Just a heads up, decryption doesn't really mean you can trust a token; it really should be signed and verified to have complete trust. It depends on your needs and the risk you're willing to take.
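To make the "implement ISecureDataFormat" and "signed and verified" points concrete, here is an added example (not from the answer or from any OWIN/Katana package) of a shared-key, HMAC-signed `ISecureDataFormat<AuthenticationTicket>` that the central Web API can plug into `OAuthBearerAuthenticationOptions.AccessTokenFormat` and that every satellite app holding the same key can verify. It assumes the key is distributed to the apps out of band; the serializer and encoder used are the standard Katana ones.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Microsoft.Owin.Security.DataHandler.Serializer;

// Token layout: base64url(serialized ticket) + "." + base64url(HMAC-SHA256 over the ticket bytes).
// The payload is readable by anyone holding the token (it is signed, not encrypted);
// only the signature proves it was issued by a holder of the shared key.
public class HmacSignedTicketFormat : ISecureDataFormat<AuthenticationTicket>
{
    private readonly byte[] _key; // shared secret, assumed to be provisioned out of band
    private readonly TicketSerializer _serializer = new TicketSerializer();
    private readonly ITextEncoder _encoder = TextEncodings.Base64Url;

    public HmacSignedTicketFormat(byte[] key) { _key = key; }

    public string Protect(AuthenticationTicket data)
    {
        byte[] payload = _serializer.Serialize(data);
        return _encoder.Encode(payload) + "." + _encoder.Encode(Sign(payload));
    }

    // Returns null on any failure; the bearer middleware treats a null ticket as an invalid token.
    public AuthenticationTicket Unprotect(string protectedText)
    {
        if (string.IsNullOrEmpty(protectedText)) return null;
        string[] parts = protectedText.Split('.');
        if (parts.Length != 2) return null;
        byte[] payload = _encoder.Decode(parts[0]);
        byte[] mac = _encoder.Decode(parts[1]);
        // Verify BEFORE deserializing: never act on data whose signature has not been checked.
        if (!ConstantTimeEquals(Sign(payload), mac)) return null;
        AuthenticationTicket ticket = _serializer.Deserialize(payload);
        DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value < DateTimeOffset.UtcNow) return null; // expired
        return ticket;
    }

    private byte[] Sign(byte[] payload)
    {
        using (var hmac = new HMACSHA256(_key)) { return hmac.ComputeHash(payload); }
    }

    // Length-independent comparison so signature checks do not leak timing information.
    private static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Wire it in with `new OAuthBearerAuthenticationOptions { AccessTokenFormat = new HmacSignedTicketFormat(sharedKey) }` on both the issuing Web API and each satellite app; if the claims must also be hidden from the client, add encryption of the payload on top of the signature rather than in place of it.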

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow