How to authenticate web api calls from MVC client

So I have an ASP.NET MVC application with its own users and cookie usage and authentication. And I am adding a Web Api application to be hosted elsewhere. The MVC app is the only thing that should call the api. I am wondering how to properly authenticate api calls. All authorization checks are done in the MVC application and now the API doesn't care about authorization, just authentication.

My first thought was to have only one "application user" who requests the bearer token and passes it along with each request. The web api will authenticate this user and provide a token. Does this sound right? Is there a better way?

And if in the future the web api really cares about authorization, what would be the correct way to make the api calls by the logged in user?

Thanks!

+3



1 answer


If the applications don't use cookies, the correct way to do this would be using OAuth 2.0, for which you will need:

  • OAuth Server in Web Api
  • OAuth client in your MVC application.

Your users will put their username and password into your MVC app (OAuth client), and through that you get the bearer token from the Api webserver (OAuth server). You can use this token for every other session by putting it in the header Authentication.


This particular OAuth flow is called the Password Credentials Flow and can be used when you need to authenticate a user from a trusted application (such as your MVC application).

+5
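
The flow described in the answer, as an added example that is not part of the original post: an MVC-side helper that requests a token with the password grant (RFC 6749 section 4.3), caches it until shortly before expiry, and sends it in the HTTP `Authorization` header as RFC 6750 defines for bearer tokens. The class name `ApiTokenClient`, the `/token` path and the 300-second fallback lifetime are assumptions, and the code targets .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical helper: caches one bearer token and attaches it to API calls.
public sealed class ApiTokenClient
{
    private readonly HttpClient _http;          // BaseAddress = the Web API host (assumed)
    private readonly string _user, _password;   // load from a secret store, not from source
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private string _token;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;
    public ApiTokenClient(HttpClient http, string user, string password)
    {
        // Refuse plain HTTP: both the password and the token are replayable if observed.
        if (http.BaseAddress?.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Credentials and tokens must only travel over HTTPS.");
        _http = http; _user = user; _password = password;
    }
    // Password grant: POST grant_type=password to the token endpoint ("/token" is assumed).
    private async Task<string> GetTokenAsync()
    {
        await _gate.WaitAsync();                // one token request at a time
        try
        {
            if (_token != null && DateTimeOffset.UtcNow < _expiresAt) return _token;
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "password", ["username"] = _user, ["password"] = _password
            });
            using var resp = await _http.PostAsync("/token", form);
            resp.EnsureSuccessStatusCode();
            using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
            _token = doc.RootElement.GetProperty("access_token").GetString();
            int ttl = doc.RootElement.TryGetProperty("expires_in", out var e) ? e.GetInt32() : 300;
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(Math.Max(ttl - 60, 0)); // renew 60 s early
            return _token;
        }
        finally { _gate.Release(); }
    }
    // Sends the request with "Authorization: Bearer <token>".
    public async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request)
    {
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetTokenAsync());
        return await _http.SendAsync(request);
    }
}
```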

