Securing Web API /Token Endpoint

StackOverflow https://stackoverflow.com/questions/23614974

Question

I have a Web API project that follows the basic account authentication process outlined here: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api. My question is should I secure the /Token enpoint with SSL (or something else)? Otherwise, the API call to "myURL/Token" is just sent via clear text with the username and password in its body?

I read up this post on Web API SSL: http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api but I don't know where I should place the [RequireHttps] attribute since the /Token enpoint is not really a controller action.

Thanks for any guidance you can provide!

Was it helpful?

Solution

Yes you should make the Token endpoint as Secure.

In the Setup.Auth.cs file under the OAuthurizationServerOptions you can specify to be Token end point requires SSL or not.

OAuthOptions = new OAuthAuthorizationServerOptions
  {
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId),
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
    AllowInsecureHttp = false
  };

The AllowInsecureHttp will force the url to be SSL or not.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top