Securing Web API /Token Endpoint

https://stackoverflow.com/questions/23614974

20-07-2023
|

Question

I have a Web API project that follows the basic account authentication process outlined here: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api. My question is should I secure the /Token enpoint with SSL (or something else)? Otherwise, the API call to "myURL/Token" is just sent via clear text with the username and password in its body?

I read up this post on Web API SSL: http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api but I don't know where I should place the [RequireHttps] attribute since the /Token enpoint is not really a controller action.

Thanks for any guidance you can provide!

La solution

Yes you should make the Token endpoint as Secure.

In the Setup.Auth.cs file under the OAuthurizationServerOptions you can specify to be Token end point requires SSL or not.

OAuthOptions = new OAuthAuthorizationServerOptions
  {
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId),
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
    AllowInsecureHttp = false
  };

The AllowInsecureHttp will force the url to be SSL or not.

Licencié sous: CC-BY-SA avec attribution

Non affilié à StackOverflow