API keys in addition to OAuth OWIN / Web Api

I have an interesting script that I'm looking for some guidance on.

Currently I have implemented OAuth using standard OWIN features with Web API and ASP.NET Identity. The Client Credentials functionality has also been successfully implemented, which allows clients (for example, browsers and iPhones) to access the API for anonymous mode of operation until the RO is logged in.

We now have a scenario where we want to build a javascript (JSONP) widget similar to the Stripe Checkout widget ( https://stripe.com/docs/checkout ). As you will see, this widget can be easily implemented by providing a simple data key attribute as part of the script tag. My guess is that it is generated in the background as a simple API key, along with a list of registered domains from which it can be called. When this key is passed to the API, the API checks it against the domain from which the request was made to ensure that the caller can access the resources the key grants.

My questions are:

  1. How can I implement an API key in addition to the OAuth tokens in the OWIN pipeline? All the documentation I see usually suggests writing a separate delegating handler for looking up keys and so on, but could my OWIN pipeline even make it this far, since invoking the action itself is not allowed?

  2. We also explicitly remove any other non-OAuth authentication in the following line of code:

     config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

  3. Is there an easier way to validate clients with only a client id (no secret) for javascript modes, since keeping secrets is nearly impossible in js environments?

  4. Am I missing something obvious? What could I have done to make this process easier?

I guess we've figured out everything in terms of creating a JSONP widget, but this part left me a little confused.

Any help would be much appreciated!

Cheerz, Anup



1 answer

Since Owin is a pipeline, all authentication requests are made on every request. In your example, a request might appear with an API key in the header: the first authentication middleware might be your oauth / bearer authentication - if there is no matching header, then the id won't be attached to the request by this middleware and the request continues down the pipeline. The next middleware could be some API key authentication middleware (you can find the implementation here: https://github.com/jamesharling/Microsoft.Owin.Security.ApiKey ) which will define your API key header and attach appropriate identification to the request.
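The pipeline the answer describes, written out as an added example (this is not the poster's code and not the linked jamesharling library): the bearer-token middleware runs first, and an API-key authentication middleware runs after it. Because it is built on `AuthenticationMiddleware`/`AuthenticationHandler`, it integrates with Web API's `HostAuthenticationFilter` just like the OAuth middleware does. The `X-Api-Key` header name, the `ApiKeyRecord` store, the `Lookup` delegate and the sample key registry are assumptions for illustration, and the domain check answers the question's Stripe-style "registered domains" requirement by comparing the `Origin` (XHR/CORS) or `Referer` (plain `<script>`/JSONP load) host against the key's allowed hosts.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical store entry: a public (widget) key is bound to the hosts allowed to embed it.
public class ApiKeyRecord
{
    public string ClientId { get; set; }
    public string[] AllowedHosts { get; set; }   // e.g. "shop.example.com"
}

public class ApiKeyAuthenticationOptions : AuthenticationOptions
{
    public ApiKeyAuthenticationOptions() : base("ApiKey")   // scheme name used by HostAuthenticationFilter
    {
        AuthenticationMode = AuthenticationMode.Active;     // attach the identity to Request.User when found
        HeaderName = "X-Api-Key";                           // assumed header name
    }

    public string HeaderName { get; set; }

    // Hypothetical lookup; replace with your ASP.NET Identity / database store.
    public Func<string, ApiKeyRecord> Lookup { get; set; }
}

public class ApiKeyAuthenticationHandler : AuthenticationHandler<ApiKeyAuthenticationOptions>
{
    protected override Task<AuthenticationTicket> AuthenticateCoreAsync()
    {
        // No key header: attach nothing and let the request continue down the pipeline
        // (exactly as the bearer middleware does when there is no Authorization header).
        string key = Request.Headers.Get(Options.HeaderName);
        if (string.IsNullOrEmpty(key))
            return Task.FromResult<AuthenticationTicket>(null);

        ApiKeyRecord record = Options.Lookup(key);
        if (record == null)
            return Task.FromResult<AuthenticationTicket>(null);

        // Bind the key to the embedding page: Origin is sent on XHR/CORS calls,
        // Referer on a plain <script src=...> (JSONP) load.
        string callingHost = HostOf(Request.Headers.Get("Origin")) ?? HostOf(Request.Headers.Get("Referer"));
        if (callingHost == null ||
            !record.AllowedHosts.Contains(callingHost, StringComparer.OrdinalIgnoreCase))
            return Task.FromResult<AuthenticationTicket>(null);

        // A public key only ever yields a narrowly scoped identity; it is not a user login.
        var identity = new ClaimsIdentity(Options.AuthenticationType);
        identity.AddClaim(new Claim("client_id", record.ClientId));
        identity.AddClaim(new Claim("scope", "widget"));
        return Task.FromResult(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }

    private static string HostOf(string url)
    {
        Uri uri;
        return Uri.TryCreate(url, UriKind.Absolute, out uri) ? uri.Host : null;
    }
}

public class ApiKeyAuthenticationMiddleware : AuthenticationMiddleware<ApiKeyAuthenticationOptions>
{
    public ApiKeyAuthenticationMiddleware(OwinMiddleware next, ApiKeyAuthenticationOptions options)
        : base(next, options) { }

    protected override AuthenticationHandler<ApiKeyAuthenticationOptions> CreateHandler()
    {
        return new ApiKeyAuthenticationHandler();
    }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // 1. Existing OAuth bearer middleware: no Authorization header -> no identity, continue.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        // 2. API-key middleware next. Constructed sample registry for the example only.
        var registry = new Dictionary<string, ApiKeyRecord>
        {
            { "pk_example_widget_key",
              new ApiKeyRecord { ClientId = "widget-demo", AllowedHosts = new[] { "shop.example.com" } } }
        };
        app.Use<ApiKeyAuthenticationMiddleware>(new ApiKeyAuthenticationOptions
        {
            Lookup = k => { ApiKeyRecord r; return registry.TryGetValue(k, out r) ? r : null; }
        });

        // On the Web API side, keep the existing OAuth filter and add the new scheme beside it:
        //   config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
        //   config.Filters.Add(new HostAuthenticationFilter("ApiKey"));
        // Controllers that may serve the widget then check the "scope" claim (e.g. with a custom
        // [Authorize]-style filter) rather than assuming a logged-in resource owner.
    }
}
```

Two design points follow from the question. A key shipped in page source is public, so the identity it produces should carry only the widget's capabilities, never the resource owner's. And the Origin/Referer check is a browser-enforced courtesy: a non-browser client can send any header it likes, so it limits where the widget can be embedded, not what a determined caller can do, which is another reason the key's scope must be narrow.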


