Front end authentication credentials for web api

  • Question

  • User-1234201356 posted

    I'm not sure if this is the correct group for this question or not.

    I have a web api which requires credentials for most methods. Our app authenticates and receives a token which is used for subsequent calls. Our website needs to make most of the same web api calls but does not require a user to log in. However, the web api calls do require authentication.

    What is the best way to handle this without hard-coding the web api credentials in our website's front end?

    Tuesday, December 13, 2016 4:51 PM

All replies

  • User-691209617 posted

    Save the token in localStorage on the browser and then reuse it for every call, and when it expires get a new one from the server.

    Tuesday, December 13, 2016 5:08 PM
  • User-1234201356 posted

    The issue is getting the token to begin with. The user isn't required to login. The website has to log in.

    Tuesday, December 13, 2016 6:13 PM
  • User-691209617 posted

    You can get a token by making a call to your site, http://yoursite/token, along with the username and password. For more detail about token authentication, check this link.

    As mentioned in the link, the ajax call:

    // Key under which the token is cached in sessionStorage; loginData is the OAuth2
    // password-grant body the ASP.NET /Token endpoint expects (grant_type, username, password).
    // The username/password values come from the login form in the linked tutorial's view model.
    var tokenKey = 'accessToken';
    var loginData = {
        grant_type: 'password',
        username: self.loginEmail(),
        password: self.loginPassword()
    };

    $.ajax({
        type: 'POST',
        url: '/Token',
        data: loginData
    }).done(function (data) {
        self.user(data.userName);
        // Cache the access token in session storage.
        sessionStorage.setItem(tokenKey, data.access_token);
    }).fail(showError);

    Tuesday, December 13, 2016 7:55 PM
  • User-1234201356 posted

    I understand how to get a token. The issue is the user name and password. As I mentioned, the user doesn't log in. The website itself has to log in somehow.

    I think I can do this during the initial request and send a token in the session and then use that token. I would need to make sure that the originally requesting client is the same using the token.

    Tuesday, December 13, 2016 8:17 PM
  • User-10486210 posted

    Hi jbonavita

    If I understand your problem correctly, you have 3 applications:
    1) An OAuth server that you can request tokens from
    2) An API with protected resources
    3) A website that needs the API's protected resources, using a token from the OAuth server

    In the above topology no user is involved in the process, so there is no username and password; instead there is a ClientId (identifying your website) and a ClientSecret.

    If I understand you correctly, the ClientCredentials flow may be appropriate. You can set up a fast test of ClientCredentials for the above topology by referring to IdentityServer4 "Protecting an API using ClientCredentials" here: https://identityserver4.readthedocs.io/en/release/quickstarts/1_client_credentials.html

    Wednesday, December 14, 2016 2:09 AM
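The client-credentials arrangement described in the post above, as an added example (this is not code from the thread, from IdentityServer4 or from the ASP.NET tutorials): the website's server side authenticates to the token endpoint with its ClientId and ClientSecret, caches the bearer token until shortly before it expires, and attaches it to calls to the API. It is Node.js with no dependencies and runs offline; the token URL, client id, secret, scope, and the fake token endpoint that answers the request are all assumptions constructed for illustration.

```javascript
// Added example, not code from the thread or from IdentityServer4. The website's
// server side obtains an access token with the OAuth 2.0 client credentials grant
// (RFC 6749 section 4.4) and caches it; the browser never sees ClientId, ClientSecret
// or the token. Runs offline in Node.js: the HTTP call is injected as `post`, and a
// fake token endpoint stands in for the real one. URLs, client id/secret, scope and
// token values are assumptions constructed for illustration.

// Build the token request, authenticating the client with HTTP Basic
// (client_secret_basic) and a form-encoded body.
function buildClientCredentialsRequest(tokenUrl, clientId, clientSecret, scope) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  const body = new URLSearchParams({ grant_type: 'client_credentials', scope: scope }).toString();
  return {
    url: tokenUrl,
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: body,
  };
}

// Holds the current token and refreshes it `skewMs` before expiry, so a request
// never goes out with a token that expires in flight. `post(request)` must resolve
// to the parsed JSON token response; `now()` is injectable so expiry can be tested.
class ClientCredentialsTokenSource {
  constructor(opts) {
    this.tokenUrl = opts.tokenUrl;
    this.clientId = opts.clientId;
    this.clientSecret = opts.clientSecret;
    this.scope = opts.scope;
    this.post = opts.post;
    this.now = opts.now || (() => Date.now());
    this.skewMs = opts.skewMs === undefined ? 30000 : opts.skewMs;
    this.token = null;
    this.expiresAt = 0;
    this.fetches = 0; // number of round trips to the token endpoint
  }

  async getToken() {
    if (this.token && this.now() + this.skewMs < this.expiresAt) {
      return this.token; // still valid, no round trip
    }
    const req = buildClientCredentialsRequest(this.tokenUrl, this.clientId, this.clientSecret, this.scope);
    const res = await this.post(req);
    if (!res || typeof res.access_token !== 'string' || res.token_type !== 'Bearer') {
      throw new Error(res && res.error ? `token endpoint error: ${res.error}` : 'unexpected token response');
    }
    this.fetches += 1;
    this.token = res.access_token;
    this.expiresAt = this.now() + res.expires_in * 1000;
    return this.token;
  }
}

// Fake token endpoint (constructed). It knows one client and answers the way an
// OAuth 2.0 authorization server such as IdentityServer4 would for this grant.
function makeFakeTokenEndpoint(expectedId, expectedSecret) {
  let counter = 0;
  return async function (req) {
    const [scheme, encoded] = (req.headers.Authorization || '').split(' ');
    const [id, secret] = Buffer.from(encoded || '', 'base64').toString('utf8').split(':');
    if (scheme !== 'Basic' || id !== expectedId || secret !== expectedSecret) {
      return { error: 'invalid_client' };
    }
    if (new URLSearchParams(req.body).get('grant_type') !== 'client_credentials') {
      return { error: 'unsupported_grant_type' };
    }
    counter += 1;
    return { access_token: `tok-${counter}`, token_type: 'Bearer', expires_in: 3600 };
  };
}

// The website's backend calls the protected API with the bearer token. Front-end
// JavaScript talks only to this backend, never to the token endpoint or the API.
async function buildApiRequest(tokenSource, apiUrl) {
  const token = await tokenSource.getToken();
  return { url: apiUrl, headers: { Authorization: `Bearer ${token}` } };
}

// Stand-alone demonstration against the fake endpoint: two API calls, one token round trip.
async function demo() {
  const source = new ClientCredentialsTokenSource({
    tokenUrl: 'https://sts.example.test/connect/token', // assumed
    clientId: 'website',                               // assumed
    clientSecret: 's3cret-kept-on-the-server',          // assumed, never sent to the browser
    scope: 'api1',
    post: makeFakeTokenEndpoint('website', 's3cret-kept-on-the-server'),
  });
  const first = await buildApiRequest(source, 'https://api.example.test/values');
  const second = await buildApiRequest(source, 'https://api.example.test/values');
  return { first, second, fetches: source.fetches };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)), (e) => { console.error(e); process.exitCode = 1; });
```

The property that matters is that neither the secret nor the token ever reaches the browser: front-end JavaScript calls the website's own backend, and the backend makes the API call on its behalf. Handing the token itself to the browser (for example by placing it in the session and echoing it to the page) would let anyone who loads the site call the API with the website's privileges, since there is no user to tie the token to. If the token endpoint returns an error object instead of a token, `getToken()` throws rather than caching a bad value.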
  • User-1234201356 posted

    I'll take a look at it and get back to this thread. It sounds like it's what I need.

    Wednesday, December 14, 2016 3:07 AM
  • User-846834550 posted

    For this issue, see External Authentication Services with ASP.NET Web API (C#): https://www.asp.net/web-api/overview/security/external-authentication-services

    Friday, December 30, 2016 9:42 AM