Best way to secure ASP.NET Web API 2 where multiple clients use it

Kaizer · Jan 13, 2017 · Viewed 15.2k times

What is the best way to secure a Web API when you have multiple different clients using it? Each client should have its own API key to connect with. Now I have read different things, but I still have some questions.

I have found this one: http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/#comments but is it sufficient?

So basically:

  1. client connects with given username/password
  2. client gets a bearer token back
  3. client uses this token in each post to the API until the timestamp is over

I have also read about giving an API secret key to each client which it can use: http://bitoftech.net/2014/12/15/secure-asp-net-web-api-using-api-key-authentication-hmac-authentication/

What is the best approach?
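The second option in the question (a per-client API key used to HMAC-sign every request) is shown below as an added, language-neutral example; it is not code from the question or from the linked bitoftech article, and the header format `HMAC {client_id}:{timestamp}:{nonce}:{mac}`, the canonical string layout, the five-minute clock-skew window and the in-memory key store are all assumptions made for the illustration. What it adds beyond the description: the secret itself never travels on the wire, the timestamp bounds how long a captured signature stays valid, the nonce cache stops replay inside that window, the body hash stops tampering with the payload, and the comparison is constant-time.

```python
import hashlib
import hmac
import time
import uuid
from typing import Dict, Optional, Set

# Constructed per-client key store (assumption for the example): in a real
# deployment the secrets live in a database or secret store, one per client,
# and can be rotated or revoked individually.
CLIENT_SECRETS: Dict[str, bytes] = {
    "mobile-app": b"9f1c0d4e-example-secret-for-client-one",
    "partner-x": b"3b7a2c11-example-secret-for-client-two",
}
ALLOWED_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 min off


def canonical_string(client_id: str, method: str, uri: str,
                     timestamp: int, nonce: str, body: bytes) -> str:
    """Everything the server must be able to trust is bound into the MAC,
    including a hash of the body so the payload cannot be swapped."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([client_id, method.upper(), uri, str(timestamp), nonce, body_hash])


def sign_request(client_id: str, secret: bytes, method: str, uri: str, body: bytes,
                 timestamp: Optional[int] = None, nonce: Optional[str] = None) -> str:
    """Client side: build the Authorization header value for one request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = uuid.uuid4().hex if nonce is None else nonce
    msg = canonical_string(client_id, method, uri, timestamp, nonce, body).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"HMAC {client_id}:{timestamp}:{nonce}:{mac}"


class HmacVerifier:
    """Server side: the equivalent of a Web API message handler that runs
    before the controller and decides who the caller is."""

    def __init__(self, secrets: Dict[str, bytes], skew: int = ALLOWED_SKEW_SECONDS):
        self.secrets = secrets
        self.skew = skew
        # Nonces seen inside the skew window. A real service keys this per
        # client and expires entries once they fall outside the window.
        self.seen_nonces: Set[str] = set()

    def verify(self, header: str, method: str, uri: str, body: bytes,
               now: Optional[int] = None) -> Optional[str]:
        """Return the authenticated client id, or None to reject (401)."""
        now = int(time.time()) if now is None else now
        try:
            scheme, rest = header.split(" ", 1)
            client_id, ts, nonce, mac = rest.split(":")
            timestamp = int(ts)
        except ValueError:
            return None
        if scheme != "HMAC":
            return None
        secret = self.secrets.get(client_id)
        if secret is None:
            return None
        if abs(now - timestamp) > self.skew:      # stale or future-dated request
            return None
        if nonce in self.seen_nonces:             # replay of a captured request
            return None
        msg = canonical_string(client_id, method, uri, timestamp, nonce, body).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):  # constant-time comparison
            return None
        self.seen_nonces.add(nonce)
        return client_id


if __name__ == "__main__":
    verifier = HmacVerifier(CLIENT_SECRETS)
    body = b'{"amount": 10}'
    header = sign_request("mobile-app", CLIENT_SECRETS["mobile-app"], "POST", "/api/orders", body)
    print("first use :", verifier.verify(header, "POST", "/api/orders", body))
    print("replayed  :", verifier.verify(header, "POST", "/api/orders", body))
    print("tampered  :", verifier.verify(header, "POST", "/api/orders", b'{"amount": 999}'))
```

The key property compared with a bearer token is that a captured request is only useful for one submission inside the skew window and cannot be edited; the cost is that every client must hold a long-lived secret and the server must keep a nonce cache, which the token approach avoids.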

Answer

Souvik Ghosh · Jan 13, 2017

You are on the right track by using token-based authentication. Here is a link which shows the implementation details:

Token based authentication in Web API without any user interface

Additionally, I think you can secure the channel using SSL:

http://www.c-sharpcorner.com/UploadFile/55d2ea/creating-and-using-C-Sharp-web-application-over-https-ssl/
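As an added example of the token-based flow the answer recommends (steps 1-3 of the question), not code from the answer or from either linked article: the client exchanges its id and password once for a signed token carrying an expiry, presents that token on every call, and is rejected once the expiry passes or if any claim is altered. The `payload.signature` token layout, the server-only signing key, the one-hour lifetime, the PBKDF2 credential hashing and the in-memory client table are assumptions for the illustration (OWIN's `OAuthAuthorizationServer` produces its own opaque, encrypted ticket instead). Because the token is a bearer credential, anyone holding it is the client until it expires, which is why the answer's point about TLS is not optional here.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumptions for the example: a key known only to the server, and a
# constructed credential store holding salted password hashes.
TOKEN_SIGNING_KEY = b"server-only-signing-key-rotate-me"
TOKEN_LIFETIME_SECONDS = 3600
PASSWORD_SALT = b"constructed-salt"


def hash_password(password: str) -> bytes:
    # PBKDF2 stands in for a slow password hash such as bcrypt/Argon2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)


CLIENT_CREDENTIALS: Dict[str, bytes] = {
    "mobile-app": hash_password("correct horse battery staple"),
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> bytes:
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()


def issue_token(client_id: str, password: str, now: Optional[int] = None) -> Optional[str]:
    """Steps 1-2: verify the client's credentials once and hand back a
    signed token with an expiry; None means 400/401 to the caller."""
    now = int(time.time()) if now is None else now
    stored = CLIENT_CREDENTIALS.get(client_id)
    if stored is None or not hmac.compare_digest(stored, hash_password(password)):
        return None
    payload = encode_claims({"sub": client_id, "iat": now, "exp": now + TOKEN_LIFETIME_SECONDS})
    signature = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(signature)}"


def validate_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Step 3: run on every request; returns the client id the token was
    issued to, or None if the signature is wrong or the token has expired."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, signature_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        signature = b64url_decode(signature_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time check first
        return None
    claims = json.loads(payload)                        # payload is authentic past this point
    if now >= claims["exp"]:
        return None
    return claims["sub"]


if __name__ == "__main__":
    token = issue_token("mobile-app", "correct horse battery staple")
    print("issued   :", token)
    print("accepted :", validate_token(token))
    print("expired  :", validate_token(token, now=int(time.time()) + TOKEN_LIFETIME_SECONDS))
```

The trade-off against per-request HMAC signing is that the client's long-term secret is sent only once, at login, and the server keeps no per-request state; in exchange, a token stolen in transit or from the client is replayable until `exp`, so keep lifetimes short and always serve the API over TLS.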