So I have an ASP.NET MVC application with its own users, using cookie and claims authentication. And I'm adding a Web Api application that will be hosted elsewhere. The MVC app is the only thing that should be calling the api. I'm wondering what is the proper way to authenticate the calls to the api. All the authorization checks are done in the MVC app, and for now the API doesn't care about authorization, just authentication.

My first thought was just have one "application user" that will request a bearer token then pass that along with each request. The web api will authenticate this user and give the token. Does that sound correct? Is there a better way?

And if, in the future, the web api does care about authorization, what would be the proper way to make the api calls as the logged in user?

Thanks!

1 Answer

If the applications don't share the cookie, a proper way of doing this would be using the OAuth 2.0 protocol. You will need:

  1. OAuth server in Web Api
  2. OAuth client in your MVC app.

Your users will put their username and password in your MVC app (OAuth client), and through that you will get a bearer token from the Web Api (OAuth server); you can use that token for every other request in the session by putting it in the Authentication header.

This particular OAuth flow is called the Password Credentials Flow and can be used when you need to authenticate a user from within a trusted application (such as your MVC app).


2 Comments

So get the bearer token right when they would normally log in, since the MVC app would have the password at that point, correct? And if so, would it be appropriate to store that user's token as a claim?
Yes, when the user logs in, your OAuth client will perform an HTTP request with the user's username/password and will get a bearer token as a response from the OAuth server. It is good practice to set the expiration time for these tokens; for Password Credential Flow I usually set it to 2 hours. You can store that token in your cookies.
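The exchange the answer and its comments describe, as an added example that is not part of the original answer and is not ASP.NET/OWIN code: both sides of the password grant are modelled in plain Python so the messages are visible end to end. The Web Api side is the `token_endpoint` (POST /token, `grant_type=password`) that issues a signed bearer token with a 2 hour expiry, plus a `protected_endpoint` that only accepts `Authorization: Bearer <token>`; the MVC side exchanges the password once at login and then sends the token on every call. The signing key, the user table, the endpoint names and the HMAC token format are all assumptions made for the example (a real OWIN server would issue its own token format); the functions are called in-process where the MVC app would make HTTP requests.

```python
"""Resource Owner Password Credentials grant, modelled end to end.

Added example, not code from the original post. Stands in for the OAuth
server in the Web Api and the OAuth client in the MVC app. The signing key,
user table, endpoint names and token format are invented for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_KEY = secrets.token_bytes(32)      # hypothetical: the Web Api's token signing key
TOKEN_LIFETIME = 2 * 60 * 60             # 2 hours, as suggested in the comment above

# Constructed user table: PBKDF2 hashes, never plaintext passwords.
_SALT = b"example-salt"                  # hypothetical; use a per-user random salt in practice


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": _hash("correct horse", _SALT)}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, now, lifetime=TOKEN_LIFETIME):
    """Opaque-to-the-client bearer token: base64(claims).base64(HMAC-SHA256)."""
    body = _b64(json.dumps({"sub": subject, "exp": now + lifetime}).encode())
    sig = _b64(hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(token, now):
    """Return the subject, or None if the token is malformed, forged or expired."""
    body, dot, sig = token.partition(".")
    if not dot:
        return None
    expected = _b64(hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):     # constant-time comparison
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:                       # expiry is enforced server-side
        return None
    return claims["sub"]


# --- Web Api side (OAuth server) ------------------------------------------
def token_endpoint(form, now):
    """POST /token. Only the password grant is enabled. Returns (status, body)."""
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    stored = USERS.get(form.get("username"))
    supplied = _hash(form.get("password", ""), _SALT)
    if stored is None or not hmac.compare_digest(supplied, stored):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": issue_token(form["username"], now),
                 "token_type": "bearer", "expires_in": TOKEN_LIFETIME}


def protected_endpoint(headers, now):
    """GET /api/resource. Authenticates the bearer token and nothing else."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    subject = validate_token(token, now) if scheme.lower() == "bearer" else None
    if subject is None:
        return 401, {"error": "invalid_token"}
    return 200, {"user": subject}


# --- MVC side (OAuth client) ----------------------------------------------
def mvc_login(username, password, now):
    """Runs once at sign-in, while the MVC app still has the password in hand."""
    status, body = token_endpoint(
        {"grant_type": "password", "username": username, "password": password}, now)
    return body["access_token"] if status == 200 else None


def mvc_call_api(token, now):
    """Every later request carries the stored token, never the password."""
    return protected_endpoint({"Authorization": f"Bearer {token}"}, now)


if __name__ == "__main__":
    t = mvc_login("alice", "correct horse", now=1_000)
    print(mvc_call_api(t, now=1_000 + 3_600))   # within lifetime: 200
    print(mvc_call_api(t, now=1_000 + 7_200))   # lifetime elapsed: 401
```

Two things the model makes visible: the password crosses the wire exactly once (so the token endpoint must sit behind TLS), and from then on the token is the credential, so wherever the MVC app keeps it (the comment suggests the auth cookie) it needs the same protection as the session cookie itself.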
