Question

I have implemented ASP.NET WebSecurity Membership and WebAPI in the past but I have never used them both at the same time (never a need to).

Now, I am building a new site, and the client does not need visitors to Register or Login. So there will be no Membership.

The client does however want to be able to retrieve data via WebAPI. This data however may be sensitive and is not something that we want users or hackers to see, so how would I 'Authorize' my client - and only my client - so that she may make API requests, from a client (be it a WinForms desktop app, a mobile app, etc)?


Solution

I have something similar implemented in my public-facing API, where some of the methods are only allowed to be called by Administrators.

Administrative method signatures include a string parameter that accepts Unique Identifier strings that I have previously assigned to administrator users.

Then on every method call I check whether the provided API Key belongs to an administrator, and throw an unauthorized exception if it doesn't, or respond to the call with data if it does.

Example method:

// The caller passes an API key that was issued to an administrator.
public decimal GetCompanyBalance(string APIKey, int CompanyId)
{
    // Look up the caller by key; an unknown key yields null, which must also be refused.
    var user = UserManager.GetByAPIKey(APIKey);
    if (user == null || !user.IsAdmin)
    {
        throw new UnauthorizedException();
    }

    // Only administrators reach this point.
    return Company.GetBalance(CompanyId);
}
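The same idea, applied as an ASP.NET Web API 2 authorization filter rather than a per-method parameter, as an added example that is not part of the answer above or of any project's code. It assumes a header named X-Api-Key (our choice), a hypothetical in-memory table of SHA-256 key hashes keyed by client name with a placeholder key value, and a hypothetical CompanyRepository for the data access. Only the hash of each issued key is stored, the hash comparison is constant-time, missing and wrong keys get the same 401 response, and the key travels in a header rather than the query string so it is less likely to end up in server access logs; the transport still needs to be HTTPS for any of this to protect a sensitive key.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Authorization filter: rejects any request that does not carry a known API key
// in the X-Api-Key header (header name chosen for this example).
public class ApiKeyAuthorizeAttribute : AuthorizationFilterAttribute
{
    private const string HeaderName = "X-Api-Key";

    // Hypothetical key store: client name -> SHA-256 of the issued key. Storing only
    // hashes means a leaked config or database dump does not reveal usable keys.
    // The key below is a constructed placeholder, not a real credential.
    private static readonly Dictionary<string, byte[]> KeyHashesByClient =
        new Dictionary<string, byte[]>
        {
            { "client-1", Sha256("replace-with-key-issued-to-client-1") }
        };

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var request = actionContext.Request;
        IEnumerable<string> values;

        // No header, or an empty header, is treated exactly like a wrong key.
        if (!request.Headers.TryGetValues(HeaderName, out values)
            || string.IsNullOrEmpty(values.FirstOrDefault()))
        {
            Reject(actionContext, "API key missing");
            return;
        }

        var presentedHash = Sha256(values.First());
        var client = KeyHashesByClient
            .Where(kv => FixedTimeEquals(kv.Value, presentedHash))
            .Select(kv => kv.Key)
            .FirstOrDefault();

        if (client == null)
        {
            Reject(actionContext, "API key not recognised");
            return;
        }

        // Record which client authenticated so the action can log or scope its data.
        request.Properties["ApiClient"] = client;
    }

    private static void Reject(HttpActionContext actionContext, string reason)
    {
        // Same status for every failure; the detailed reason goes to the server log only.
        actionContext.Response =
            actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        System.Diagnostics.Trace.TraceWarning("Rejected API call: {0}", reason);
    }

    private static byte[] Sha256(string value)
    {
        using (var sha = SHA256.Create())
        {
            return sha.ComputeHash(Encoding.UTF8.GetBytes(value));
        }
    }

    // Constant-time comparison so response timing does not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Usage: decorate the action (or the whole controller); the key is no longer a parameter.
public class CompanyController : ApiController
{
    [ApiKeyAuthorize]
    [HttpGet]
    public decimal GetBalance(int companyId)
    {
        var client = (string)Request.Properties["ApiClient"];
        // CompanyRepository is a hypothetical data-access class for this example.
        return CompanyRepository.GetBalance(client, companyId);
    }
}
```

Keys in this design are issued out of band, one per client, and revoking a client is a matter of deleting its hash from the store. If more than one client will call the API, keeping the client name alongside the hash (as above) also gives every log line an identity to attribute requests to.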
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow