What kind of user authentication do I need in for a restful web api

Question

I am doing a restful web api with asp.net Web API 2

I do not want to use any form of cookies or basic authentication (send user/pass in cleartext thus SSL needed)

I do not use/need claims stuff.

I have not decided yet about asp.net self hosting or IIS.

I just want to send an encrypted token between client server via SSL.

I am using Entity framework 6, .NET 4.5.1 and I just want to do CRUD-actions on my user table.

Not more.

What is the project template/library/approach I should start with to do the above?

Answer 1

Use HMAC with a client ID.

The client uses their "secret" salt to sign the message and then send the server the generated hash along with its ID. The server looks up what the "secret" should be based on the ID the client sent, regenerates the hash with the fetched secret as the salt. If the server-generated hash matches the client-provided hash, then the request is legitimate.

I'm not a ASP/.NET person, so I can't provide any info on libs nor technical approach, but here's some pseudo code:

client

var messageBody = 'POST PLAIN TEXT BODY';
var clientId = '12345';
var secret = 'abcdef';
var digest = createHash(messageBody,secret); // function createHash(string,salt)
var url = 'http://example.org/api?clientId='+clientId+'&hmac='+digest;
sendRequest(url,messageBody); // function sendRequest(url,postbody)

server

var messageBody = 'POST PLAIN TEXT BODY';
var clientId = '12345'; // from GET query
var hmac = '...'; // from GET query
var secret = lookupSecret(clientId);
var digest = createhash(messageBody,secret);
if ( hmac == digest ) {
    // success, handle messageBody
} else {
    // error
}

Consider using a nonce to prevent man-in-the-middle attacks, if that is of concern to you.