Securing Web API /Token Endpoint

Question

I have a Web API project that follows the basic account authentication process outlined here: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api. My question is should I secure the /Token enpoint with SSL (or something else)? Otherwise, the API call to "myURL/Token" is just sent via clear text with the username and password in its body?

I read up this post on Web API SSL: http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api but I don't know where I should place the [RequireHttps] attribute since the /Token enpoint is not really a controller action.

Thanks for any guidance you can provide!

Answer 1

Yes you should make the Token endpoint as Secure.

In the Setup.Auth.cs file under the OAuthurizationServerOptions you can specify to be Token end point requires SSL or not.

OAuthOptions = new OAuthAuthorizationServerOptions
  {
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId),
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
    AllowInsecureHttp = false
  }; 

The AllowInsecureHttp will force the url to be SSL or not.