ASP.NET Web API 2 authentication/authorization advice

  • Question

  • I need your advice and experience. Here is my scenario.

    • There is a REST web API provider (let's call it A).
    • There are clients which are going to use two methods of provider A.
    • I am implementing a proxy REST ASP.NET Web API 2 between provider A and the clients.
    • There is already token-based authentication at provider A.
    • There is an initiation method of provider A to which I send a signature consisting of a secret key given to me plus some other information, MD5 hashed.
    • I think this signature is validated at provider A, which returns a Token if it is valid (20 minutes expiration time).
    • With this Token, I call the second method of the provider and finish my process.

    Now my questions are:

    • Do I still need an authentication/authorization mechanism for my proxy, and why?
    • Can I change TokenEndpointPath (AspNetWebAPIOAuth.OAuth.Startup)? Actually, I don't want the client to make an additional service call. Can I set the path to an existing controller action?

    Here is the controller action from which I would like to return the Token. I want to set the Token in the Initiate object.

    // Shared client: creating one HttpClient per request exhausts sockets under load.
    private static readonly HttpClient httpClient = new HttpClient();

    [HttpPost, Route("initiation")]
    public async Task<IHttpActionResult> PostInitiate(InitiateRequest initiate)
    {
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }

        // Persist the client's request before contacting provider A
        context.InitiatesRequests.Add(initiate);
        await context.SaveChangesAsync();

        HttpContent content = new StringContent(
            JsonConvert.SerializeObject(initiate),
            Encoding.UTF8,
            "application/json"
        );

        // Forward the initiation to provider A over HTTPS
        HttpResponseMessage response =
            await httpClient.PostAsync("https://test.com/purchaseinitiation", content);

        if (!response.IsSuccessStatusCode)
        {
            // Surface the upstream failure rather than returning 200 with an error body
            return StatusCode(response.StatusCode);
        }

        string providerResponse = await response.Content.ReadAsStringAsync();

        // The provider's response body (expected to carry the Token) goes back to the client
        return Ok(providerResponse);
    }


    Can I return the generated Token from my existing controller method, as in my sample code? Is it possible?

    Here is my custom TokenEndpointPath, which points at the existing controller action shown below.

    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        // Token endpoint mapped onto the existing controller route
        TokenEndpointPath = new PathString("/api/v2/pin/initiation"),
        Provider = new ApplicationOAuthProvider(PublicClientId),
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        // Proxy tokens live 14 days here; provider A's token expires after 20 minutes
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        // Lets the token endpoint answer over plain HTTP; all legs are SSL per the note below
        AllowInsecureHttp = true
    };

    Here is my controller, where I would like to return the Token inside the initiate object.

    [RoutePrefix("api/v2/pin")]
    public class InitiatesController : ApiController
    {
        // Injected EF context; the posted InitiateRequest is saved before forwarding
        private readonly EPINMiddleWareAPIContext context;

        public InitiatesController(EPINMiddleWareAPIContext context)
        {
            this.context = context;
        }

        // POST: api/v2/pin/initiation
        [HttpPost, Route("initiation")]
        public async Task<IHttpActionResult> PostInitiate(InitiateRequest initiate)
        {
            if (!ModelState.IsValid)
            {
                return BadRequest(ModelState);
            }
    ...

    Note: provider A (host), the clients, and my proxy web API will communicate over SSL.

    Friday, March 1, 2019 8:39 AM
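Added example (not the poster's code, and not a reply from the thread): an OWIN Startup and controller for the proxy that address both questions in working code. The proxy holds the secret key for provider A, so anyone who can reach an unauthenticated proxy can drive provider A with that key; `[Authorize]` plus the OWIN bearer middleware closes that. The OAuth middleware serves TokenEndpointPath itself and does not pass those requests on to Web API, so pointing it at /api/v2/pin/initiation would mean PostInitiate never runs; the example keeps the token endpoint on its own path. ApplicationOAuthProvider, InitiateRequest, EPINMiddleWareAPIContext, the route and the provider URL are taken from the post; the Startup class name, the /token path, the "self" client id, the 20-minute lifetime and the 502 handling are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Newtonsoft.Json;
using Owin;

// Added example, not the poster's code. ApplicationOAuthProvider, InitiateRequest
// and EPINMiddleWareAPIContext are the types named in the post, as are the route
// and the provider URL; the class name Startup, the /token path, the "self"
// client id, the 20-minute lifetime and the 502 handling are assumptions.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var oauthOptions = new OAuthAuthorizationServerOptions
        {
            // The OAuth middleware answers this path itself and does not pass the
            // request on to Web API, so a controller action at the same path would
            // never run. Keep the token endpoint separate from /api/v2/pin/initiation.
            TokenEndpointPath = new PathString("/token"),
            Provider = new ApplicationOAuthProvider("self"),
            // Post used 14 days; provider A's token lives 20 minutes, so match it.
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            // Post used true; all three legs are SSL, so refuse plain HTTP here.
            AllowInsecureHttp = false
        };
        app.UseOAuthAuthorizationServer(oauthOptions);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        var config = new HttpConfiguration();
        // Only bearer tokens authenticate API calls; ambient cookies are ignored.
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}

// [Authorize] makes the proxy authenticate its own clients before it uses the
// secret key it holds for provider A; a call without a valid bearer token gets 401.
[Authorize]
[RoutePrefix("api/v2/pin")]
public class InitiatesController : ApiController
{
    // One HttpClient for the process; a new instance per request leaks sockets.
    private static readonly HttpClient ProviderA = new HttpClient
    {
        BaseAddress = new Uri("https://test.com/"),
        Timeout = TimeSpan.FromSeconds(15)
    };

    private readonly EPINMiddleWareAPIContext context;

    public InitiatesController(EPINMiddleWareAPIContext context)
    {
        this.context = context;
    }

    // POST: api/v2/pin/initiation
    [HttpPost, Route("initiation")]
    public async Task<IHttpActionResult> PostInitiate(InitiateRequest initiate)
    {
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }

        context.InitiatesRequests.Add(initiate);
        await context.SaveChangesAsync();

        var content = new StringContent(
            JsonConvert.SerializeObject(initiate), Encoding.UTF8, "application/json");

        HttpResponseMessage response;
        try
        {
            response = await ProviderA.PostAsync("purchaseinitiation", content);
        }
        catch (HttpRequestException)
        {
            // Provider A unreachable: say so instead of returning 200 with an error body.
            return StatusCode(HttpStatusCode.BadGateway);
        }

        if (!response.IsSuccessStatusCode)
        {
            return StatusCode(HttpStatusCode.BadGateway);
        }

        // User.Identity.Name is the authenticated proxy client, available for audit logs.
        string providerResponse = await response.Content.ReadAsStringAsync();
        return Ok(providerResponse);
    }
}
```

With this wiring a client first obtains a proxy token from /token using whatever grant ApplicationOAuthProvider implements (the Web API template's version grants the password flow), then calls /api/v2/pin/initiation with `Authorization: Bearer <token>`. The client never sees the MD5-signed secret or the provider-A call; both stay inside the proxy, and the proxy token expires on the same 20-minute schedule as provider A's.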

All replies