I'm having a hard time deciding on an approach while implementing an Authentication/Authorization scenario for my Web API (Service) - MVC (client) architecture project. Even though I have implemented custom token-based authentication in the Web API project, I'm finding it hard to decide where exactly I should implement the authorization (in the client or in the API itself).
Architecture Overview:
Already implemented authentication:
Token-based authentication in Web API (using a Message Handler), which generates a SHA1-encrypted token for the authenticated user that needs to be part of every HTTP request header for authentication.
(Token = User Name + User IP)
SSL-protected HTTP request. (Again, using a Message Handler)
Current problems:
I hope I'm not doing things wrong while taking the whole authentication/authorization concept into consideration. Thus, I'll appreciate any alternate approach/suggestion.
First of all, I think it's never a good idea to invent your own authentication mechanism.
To answer your current problems:
1 Generally speaking, you always want to secure your API using authentication, since it's the place where you access your data. Your client (MVC App/Smartphone) should authorize itself to get access to your API.
2 & 3 Since you are using a REST API, I would suggest keeping your API stateless; in other words, don't keep any session information. Just include the role data you need in your token. You could, for example, use a JSON Web Token.
4 I would always use the Authorization header to send authorization data. In your DelegatingHandler (note the difference: MessageHandler is MVC, DelegatingHandler is HTTP) you can simply retrieve the header.
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
public class AuthorizationHandler : DelegatingHandler // wrapper class added so the snippet compiles
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Read the Authorization header (scheme and credentials) sent by the client.
        var authorizationHeader = request.Headers.Authorization;
        // Your authorization logic.
        return base.SendAsync(request, cancellationToken);
    }
}
For more info on how to include the authorization header in an ajax call please see: How to use Basic Auth with jQuery and AJAX?
Extra info:
If I were you I would also take a look at Thinktecture's Identity Server: https://github.com/thinktecture/Thinktecture.IdentityServer.v2
And maybe this answer about REST Service Authentication will help you as well: REST service authentication
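The stateless approach the answer recommends (role claims carried in a signed JWT, read from the Authorization header and checked by the API itself), as an added example that is not from the question or the answer and is not ASP.NET code: a standard-library Python sketch with a constructed HMAC key and hypothetical function names.

```python
import base64, hashlib, hmac, json, time

# Constructed sample key; a real API loads it from protected configuration.
SECRET_KEY = b"example-hmac-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username, roles, ttl_seconds=3600, now=None):
    """Mint an HS256 JWT carrying the caller's roles, so the API needs no session store."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": username, "roles": roles, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def claims_from_authorization_header(header_value, now=None):
    """Validate a 'Bearer <jwt>' header; return its claims, or None if the request must be rejected."""
    if not header_value or not header_value.startswith("Bearer "):
        return None
    parts = header_value[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    now = int(time.time()) if now is None else now
    try:
        header = json.loads(_b64url_decode(header_b64))
        expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Pin the algorithm server-side and compare signatures in constant time;
        # the token's own "alg" field is client-controlled input and must not be trusted.
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if claims["exp"] <= now:  # expired tokens are refused without any server lookup
            return None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    return claims

def authorize(header_value, required_role, now=None):
    """The role check lives in the API: it trusts only the verified token, never the client."""
    claims = claims_from_authorization_header(header_value, now)
    return claims is not None and required_role in claims.get("roles", [])
```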