Secure an Internal Web API

  • Question

  • User2031626020 posted

    I currently have a .NET Core Web API that lives behind my company firewall. The client is a .NET Core web app that uses Windows integrated security. My users are authenticated as they hit the site. Data is retrieved client side via REST calls to the web API. The API needs to know which user is making the request, and must be secured. What is a simple and solid way to do this? It seems that Identity Server and OAuth2 is a bit overkill. Thanks in advance!

    Wednesday, July 8, 2020 1:51 PM

All replies

  • User-474980206 posted

    For the best security, the web API should authenticate its callers. The web app should authenticate with a service account or HTTPS certificate. Once the caller is trusted, you can pass the user id as a header or payload parameter. You might want to use a JWT token if you need to pass roles.


    Wednesday, July 8, 2020 4:29 PM
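    One way to put the reply's suggestion into code, as an added example that is not from the original thread: the web app (already trusted via Windows auth) mints a short-lived HMAC-signed JWT carrying the user name and roles, and the API validates signature, issuer, audience and lifetime before trusting any identity in it. The shared secret, issuer and audience strings are placeholders, and the `System.IdentityModel.Tokens.Jwt` NuGet package is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper shared (conceptually) by the web app and the API.
static class ApiTokenService
{
    // Placeholder: load this from configuration or a secret store on both sides.
    // HS256 needs at least 16 bytes; 32+ bytes is the usual recommendation.
    private static readonly byte[] SharedKey =
        Encoding.UTF8.GetBytes("replace-with-a-32-byte-or-longer-secret-value");
    private const string Issuer = "internal-web-app";   // assumed name for the caller
    private const string Audience = "internal-web-api"; // assumed name for the API

    // Web app side: called after Windows integrated auth has identified the user.
    public static string IssueToken(string windowsUserName, IEnumerable<string> roles)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, windowsUserName) };
        foreach (var role in roles)
            claims.Add(new Claim(ClaimTypes.Role, role));

        var creds = new SigningCredentials(new SymmetricSecurityKey(SharedKey),
                                           SecurityAlgorithms.HmacSha256);
        // Short lifetime limits the damage if a token is captured.
        var token = new JwtSecurityToken(Issuer, Audience, claims,
            notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // API side: throws SecurityTokenException on a bad signature, wrong issuer or
    // audience, or an expired token, so a forged "user id" never reaches the controller.
    public static ClaimsPrincipal ValidateToken(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = new SymmetricSecurityKey(SharedKey),
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30)
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }
}
```

    In the API the same `TokenValidationParameters` would normally be handed to `AddJwtBearer` so that `[Authorize]` and `User.Identity.Name` work without calling `ValidateToken` by hand. The web app sends the token in the `Authorization: Bearer` header of each REST call.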