Simple authentication on WebAPI


  • Winner of the 2016 Presidential Election

    I kind of suspect this is a really simple question that I'm just not finding the right search terms for, but here's the situation:

    I have an ASP.Net MVC project that's basically a single controller, with POST and DELETE actions. It's intended as an API for other internal systems to call, and so needs to be authenticated against any old person firing off a POST. What I want is one or two usernames/passwords (I might be splitting what's allowed per account), that the other system can send with the request to ensure they're authenticated. I've found some guides that involve including Entity Framework Identity, OWIN and other pretty heavyweight stuff. Is that the best way to do it for this use case or is there a simpler way to do it?


  • sockdevs

    @Jaloopa Take a look at subclassing AuthorizeAttribute and overriding OnAuthorization. Given you'll only have a couple of username/password combos, you can probably roll your own in about a dozen lines or so, and avoid pulling in OWIN or EF or anything else.

    Just make sure you get the correct AuthorizeAttribute: there's one for MVC (System.Web.Mvc) and one for Web API (System.Web.Http).


  • Discourse touched me in a no-no place

    @RaceProUK said in Simple authentication on WebAPI:

    Just make sure you get the correct AuthorizeAttribute: there's one for MVC (System.Web.Mvc) and one for Web API (System.Web.Http).

    Past experience suggests that whenever you've got such confusion possible, you need to test that users who authorised can do what they should, known users who are not authorised are told no, and unauthenticated users are also denied. It sounds simple and obvious, but I've seen cock-ups in this area too often for me to trust anything other than an actual test that proves all of these things.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.