ASP.NET web API 2 authentication/authorization advice

  • Question

  • I need your advice and experience. Here is my scenario.

    • There is a Rest web API provider. (Let's call it A)
    • There are clients which are going to use 2 methods of provider A.
    • I am implementing a proxy Rest ASP.NET web API 2 in between provider A and the clients.
    • There is already token based authentication at provider A.
    • There is an initiation method of provider A to which I send a signature consisting of a secret key given to me, together with some other information, MD5 hashed.
    • I think this signature is validated at provider A, which returns a Token if it is valid (20 min expiration time).
    • Then, with this Token, I call the second method of the provider and finish my process.

    Now my questions are:

    • Do I still need to have an authentication/authorization mechanism for my proxy, and why?
    • Can I change TokenEndpointPath? (AspNetWebAPIOAuth.OAuth.Startup) Actually, I don't want the client to make an additional service call. Can I set the path to an existing controller action?

    Here is my controller action from where I would like to return Token. I want to set the Token into Initiate object.

    [HttpPost, Route("initiation")]
    public async Task<IHttpActionResult> PostInitiate(InitiateRequest initiate)
    {
        if (!ModelState.IsValid)
            return BadRequest(ModelState);
        await context.SaveChangesAsync();
        HttpClient httpClient = new HttpClient();
        // The request body and provider A's URL were elided in the original post.
        HttpContent content = new StringContent(string.Empty, Encoding.UTF8, "application/json");
        HttpResponseMessage response =
            await httpClient.PostAsync("", content);
        string htmlResponse = await response.Content.ReadAsStringAsync();
        return Ok(htmlResponse);
    }

    Can I return the generated Token in my existing controller method, as in my sample code? Is it possible?

    Here is my custom Token Endpoint path, which points at my existing controller action below.

    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/api/v2/pin/initiation"),
        Provider = new ApplicationOAuthProvider(PublicClientId),
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        AllowInsecureHttp = true
    };

    Here is my controller where I would like to return the Token inside the initiate object.

    public class InitiatesController : ApiController
    {
        private EPINMiddleWareAPIContext context;

        public InitiatesController(EPINMiddleWareAPIContext context)
        {
            this.context = context;
        }

        // POST: api/Game
        [HttpPost, Route("initiation")]
        public async Task<IHttpActionResult> PostInitiate(InitiateRequest initiate)
        {
            if (!ModelState.IsValid)
                return BadRequest(ModelState);
            // ... the rest of the action body was cut off in the original post
        }
    }

    Note: Provider A (host), the clients, and my proxy web API will communicate over SSL.

    Friday, March 1, 2019 8:39 AM
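An added example (not the poster's code) of the shape the first question points at: the proxy issues its own bearer tokens to its clients through the OWIN middleware's token endpoint, and the forwarding action accepts only those tokens, so provider A's secret key and the signature built from it never leave the proxy. ProxyOAuthProvider, the sample client table, the ProviderA:BaseUrl and ProviderA:Secret config keys, the X-Signature header and the MD5-over-secret+body layout are assumptions; InitiateRequest is the poster's own model and is assumed to exist.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;
using Newtonsoft.Json;
// Issues the proxy's own bearer tokens (client_credentials grant at the OWIN TokenEndpointPath); these ids/secrets belong to the proxy's clients, who never receive provider A's key.
public class ProxyOAuthProvider : OAuthAuthorizationServerProvider
{
    static readonly Dictionary<string, string> Clients = new Dictionary<string, string> { { "client-app-1", "example-secret" } }; // constructed sample; load from a DB/config in practice
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext ctx)
    {
        if (ctx.TryGetBasicCredentials(out string id, out string secret) && Clients.TryGetValue(id, out string expected) && expected == secret)
            ctx.Validated(id);
        return Task.FromResult(0);
    }
    public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext ctx)
    {
        var identity = new ClaimsIdentity(ctx.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, ctx.ClientId));
        ctx.Validated(identity);
        return Task.FromResult(0);
    }
}
[Authorize] // a proxy-issued bearer token is required before anything is forwarded to provider A
[RoutePrefix("api/v2/pin")]
public class InitiatesController : ApiController
{
    static readonly HttpClient Http = new HttpClient { BaseAddress = new Uri(ConfigurationManager.AppSettings["ProviderA:BaseUrl"]) };
    [HttpPost, Route("initiation")]
    public async Task<IHttpActionResult> PostInitiate(InitiateRequest initiate)
    {
        if (!ModelState.IsValid) return BadRequest(ModelState);
        // Provider A's secret lives only in the proxy's config; the signature is built here, never by the client.
        string payload = JsonConvert.SerializeObject(initiate);
        byte[] digest;
        using (var md5 = MD5.Create())
            digest = md5.ComputeHash(Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["ProviderA:Secret"] + payload));
        var request = new HttpRequestMessage(HttpMethod.Post, "initiate") { Content = new StringContent(payload, Encoding.UTF8, "application/json") };
        request.Headers.Add("X-Signature", BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant());
        HttpResponseMessage response = await Http.SendAsync(request);
        if (!response.IsSuccessStatusCode) return StatusCode(response.StatusCode); // pass the status on, not provider A's body
        return Ok(new { token = await response.Content.ReadAsStringAsync() });   // provider A's 20-minute token
    }
}
```

Wire it up in Startup with `OAuthOptions.Provider = new ProxyOAuthProvider()`, a `TokenEndpointPath` of its own such as `/token`, and `app.UseOAuthBearerAuthentication(...)` so `[Authorize]` validates the issued tokens. The OAuth middleware answers requests to TokenEndpointPath itself and does not pass them on, so a controller action placed at that same path is never reached; the proxy's clients get their token from the separate endpoint and then call `/api/v2/pin/initiation` with it.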

All replies