asp. net web api authentication and authorization - authentication

I am using mvc 4 web api project template. i have USERMASTER table which contains usename and password for different users.
Now i dont know what authentication is for web api????
how to stop invalid users to access it? ?
Let's say i m using fiddler to call web api. at that moment how can i stop invalid user.( i mean using tool like fiddler we can call web api. so i can stop invalid call not made by the valid user)
Moreover, i wish that user A can access only 5 web apis and user B can access all web apis from my project.
Is it possible???
i know how to use web api.
but i dont know about authentication and authorization process.
please help me.
I m using angularjs to call web apis.

Yes all this is possible but you need to use ASP.NET Web API 2 (.NET framework 4.5) you can find detailed source code and blog posts starting here including AngularJS Authentication using Web API, it should makes things clearer for you.

Related

Recommendation needed for cross platform authentication .net core MVC and Xamarin

I need to create an application (Mobile) and a Web application. It needs to use the same database so the same user authentication is required.
Can anyone give me such a demo or an idea where to begin.
I have looked into identity but I see that it is not compatible with Xamarin.
Expected result would be a cross platform login provider
my recommendation is to create one web service that can connect to the db and your mobile app and web app make http get/post calls to the web service. This also means you get to keep db logic in one place instead of duplicated across the applications.
The web app and mobile app should get some kind of authorization token (such as bearer) from the webservice to ensure no ones else is hitting the api.

ASP.Net MVC and WebApi authentication using Identity server

I am new to Identity server and wants to secure my two apps (MVC, Webapi) using it.
I have seen the example where we can invoke the webapi from MVC action method and SetBearerToken that was issued to the the MVC application. I am referring the below sample:
https://identityserver.github.io/Documentation/docsv2/overview/mvcGettingStarted.html
This is typical example of server to server communication where we are using access token issued to the MVC app for Web api.
In the same scenario, I want to call webapi from Javascript client(fro ex Angular or any one) using same access token.
"I want to pass the the access token issued to the MVC application to call WebAPI from JavaScript"
How can I utilize the token that was issued to my MVC application from the JavaScript client?
Thanks
They should be treated as different client in my opinion, I guess they are different site? For your Javascript client you should be able to find example here , you can use the javascript lib that provided in the example or write one yourself
Once you get the token, then you can call your API using AJAX, where you might face CORS problem if your webapi is on a different domain, well...that is different topic.
Hope that helps

Set up principal for ASP.NET CORE with custom OAuth

I'm trying to set up a simple Web API with ASP.NET Core. I'm working with a custom OAuth set up by the company. The Web API will not support web pages directly. The front end will call it from a separate website using a SPA.
So, I thought I would set up a middle ware component that get the Bearer Token from the API call. I then see if I have that user stored (for 5 minutes - stored in a singleton hopefully that is right too) and if not I send an HTTP request to the authentication server to determine if the user is valid. If they are I get the user information including roles, etc. But then, how do I set the Principal? I've done this in WebAPI 2.*, but haven't seen any tutorials for ASP.NET Core.
This seems like a fairly normal workflow so I don't understand why there aren't many tutorials on the subject. They seemed to be all geared toward when you have a web page - same for WebAPI 2.*.
Any help is much appreciated. If someone can just point me in the right direction that would be great!

If Web API can be used just for Authentication using OAuth 2 in ASP.NET MVC4

I'm working on segregating the authentication part of my ASP.net MVC4 application using DotNetOAuth 2.0, Which will means that one project will do only authentication and send out response,based on response it will have access to other application.
The Idea is to get any application or project added later on use one common authentication process.
First thing came to my mind was building a service, in the process a read a lot about Web API and think it can help to achieve what I'm looking for.
Please suggest if you guys have implemented something like this or whats's the best practice.
Should i go with API or service, any link or sample to direct is appreciated
ASP.NET Web API is also a service - a RESTful service. The choice of using a "Service" although is good your underlying authentication platform will define what you should be using.
WCF is much more than a web service where as a Web API is pure HTTP service.
If you expect all your "applications" to be web based then there is no reason why this cannot be a Web API.
This article might be something that should help you decide on your authentication model: http://www.asp.net/web-api/overview/security/external-authentication-services

Forms Authenticated Web APIs and jQuery

I have an issue that I am seriously struggling with.
I have a website, and a separate WebAPI which I want to be able to authenticate against each other. I was thinking that forms authentication would be best here. However, on my website, how do I go about calling the forms authenticated webAPI via a jQuery AJAX call?
Does anyone have any links or suggestions?
There is a discussion in this blog post on mixing forms authentication and basic authentication in Web API. You may be able to leverage some the principles in this article although it was tested with the Web API's residing on the same server as the web application.
If you keep the Web API and web application on separate servers your web application will run into cross domain issues and will have to support JSONP in your Web API. A possible work around for your website is to create a Web API locally on your web server which is just a facade to the Web API on the remote server. You incorporate the standard security methods on the local Web API, using AuthorizeAttribute, which in turn just calls your the Web API on the remote server. You can incorporate whatever security method you want to have for external users on the remote Web API.