ASP.NET Web Api - Authorise from querystring values and API security
-
14-11-2019 - |
Pergunta
In designing and learning about an ASP.NET Web API I've come across a few challenges I'd like some help and discussion on.
Inspired by this excellent post on designing a Secure REST API without OAuth I'm wondering how best to approach validating the various tokens and information I intend to ask for.
Brief summary is I'll be asking for (in the querystring) the following info..
- user id
- api key
- timestamp
- a signature hash based on a secret key the user has been issued and hashed together with the request values
My question / wondering is this :
If this is a sound approach, what would be the best way to implement this using ASP.NET Web API?
I'm currently thinking about either using a custom attribute that I can mark my methods with, kind of an Authorize attribute that grabs the required from the query string or some POCO type object that contains all the values and I can use to keep all the authorisation type code in one place.
Has anyone got any experience or thoughts on this?
Thanks :)
Solução
Currently, as you might have seen, the AuthorizeAttribute
approach is used in Web API. I think that this is a fairly good approach in that we can put this attribute on individual items that need authorization.
I have done authorization by extending the System.Web.Http.Filters.AuthorizationFilterAttribute
. After you extend it, all authorization details are up to you and you have plenty approaches to choose from.