Asp.Net Web Api: Protecting with a token?

Question

I would like to protect a asp.net web api service with a token. Now I know you would normally implement a STS server but I don't want to do that so what is my other options.

I was thinking about leaving a controller Unprotected where clients can call into passing in a username and password and that would return a token, this token then would be used AND NEEDED to call other controllers on the service which would be protected.

So this brings up some questions, using a DelegatingHandler vs AuthorizeAttribute. The above option would have to be an authorizeAttribute because I need to leave a controller unprotected for clients to call in an authenticate. I don't see how I would use a delegatinghandler which would technically protect the complete service rather than leaving 1 controller unprotected.

The other option I see is providing another service to allow clients to authenticate and get a token and then I could lock down my second service using a delegatinghandler.

Lets imagine that I went down the STS routing, I would still need to provide some way a client could contact an "OPEN" service / controller which in turn would call the STS for obtaining the token.

So considering this, is another service my best option?

Answer 1

I implemented a similar scenario in the past using Hawk (https://github.com/hueniverse/hawk). I have an implementation in GitHub for Hawk in .NET that integrates with Web API using Message Handlers.

https://github.com/pcibraro/hawknet

In the way I implemented in a project. The client application first makes a call to the web api using basic authentication with the real username/password (using https). The web api authenticates the user and a set of hawk credentials are returned to the client (it would be equivalent to a token). The rest of the calls are secured with hawk using the negotiated hawk credentials. This is very simple and it does not involve any STS.