API keys in addition to OAuth OWIN / Web Api
I have an interesting script I'm looking to get some guidance on.
Currently I have implemented OAuth using standard OWIN features with Web API and ASP.NET Identity. The Client Credentials functionality has also been successfully implemented, which allows clients (for example, browsers and iPhones) to access the API for anonymous mode of operation until the RO is logged in.
My questions are:
1. How can I implement an API key in addition to the OAuth tokens in the OWIN pipeline? All the documentation I see usually suggests writing a separate delegate handler for looking up keys and so on, but could my OWIN pipeline make it this far because invoking the action itself is not allowed?
2. We also explicitly remove any other non-OAuth authentication in the following lines of code:

    config.SuppressDefaultHostAuthentication();
    config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

Am I missing something obvious? What could I have done to make this process easier?
I guess we've figured out everything in terms of creating a JSONP widget, but this part left me a little confused.
Any help would be much appreciated!
Since OWIN is a pipeline, all authentication requests are made on every request. In your example, a request might appear with an API key in the header: the first authentication middleware might be your OAuth / bearer authentication - if there is no matching header, then the id won't be attached to the request by this middleware and the request continues down the pipeline. The next middleware could be some API key authentication middleware (you can find the implementation here: https://github.com/jamesharling/Microsoft.Owin.Security.ApiKey) which will define your API key header and attach appropriate identification to the request.
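A sketch of the second middleware described in the answer, written for this page as an added example; it is not code from the question, the answer, or the linked project. The type names, the `X-Api-Key` header and the in-memory key store are assumptions. It also registers a second `HostAuthenticationFilter`, since after `SuppressDefaultHostAuthentication()` Web API only accepts identities from the authentication types named in such filters.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class ApiKeyOptions : AuthenticationOptions {   // hypothetical options type
    public ApiKeyOptions() : base("ApiKey") { AuthenticationMode = AuthenticationMode.Passive; }
    // Uppercase hex SHA-256 of each issued key -> client id, so raw keys are never stored.
    public IDictionary<string, string> ClientsByKeyHash { get; set; }
}
public class ApiKeyHandler : AuthenticationHandler<ApiKeyOptions> {
    protected override Task<AuthenticationTicket> AuthenticateCoreAsync() {
        AuthenticationTicket ticket = null;             // null: no identity from this middleware
        string key = Request.Headers.Get("X-Api-Key");  // header name is an assumption
        string clientId;
        if (!string.IsNullOrEmpty(key) && Options.ClientsByKeyHash.TryGetValue(Hash(key), out clientId)) {
            var identity = new ClaimsIdentity(Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, clientId));
            ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
        }
        return Task.FromResult(ticket);
    }
    static string Hash(string key) {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(key))).Replace("-", "");
    }
}
public class ApiKeyMiddleware : AuthenticationMiddleware<ApiKeyOptions> {
    public ApiKeyMiddleware(OwinMiddleware next, ApiKeyOptions options) : base(next, options) { }
    protected override AuthenticationHandler<ApiKeyOptions> CreateHandler() { return new ApiKeyHandler(); }
}
public static class ApiKeyStartup {
    public static void Configure(IAppBuilder app, HttpConfiguration config, ApiKeyOptions options) {
        // The existing OAuth bearer registration stays as it is and runs before this middleware.
        app.Use<ApiKeyMiddleware>(options);
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
        // Without this filter the API key identity never reaches the controllers.
        config.Filters.Add(new HostAuthenticationFilter(options.AuthenticationType));
    }
}
```

Looking the key up by its hash keeps plaintext keys out of the store and avoids comparing the presented secret against stored values character by character.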