Web API Authentication (topjankari.com)


You've created a web API, but now you want to control access to it. In this series of articles, we'll look at some options for securing a web API from unauthorized users. The series covers both authentication and authorization.

Authentication is establishing the identity of the user. For example, Alice logs in with her username and password, and the server uses the password to authenticate Alice.

Authorization is deciding whether a user is allowed to perform an action. For example, Alice has permission to get a resource but not to create one.

Authentication is used to protect our applications and websites from unauthorized access, and it also stops a user from pulling the data through tools such as Postman and Fiddler. In this article, we will discuss basic authentication, how to call the API method using Postman, and how to consume the API using jQuery Ajax.

To access the web API method, we have to pass the user credentials in the request header. If we do not pass the user credentials in the request header, the server returns a 401 (Unauthorized) status code, indicating that the server supports Basic Authentication.

The first article in the series gives a general overview of authentication and authorization in ASP.NET Web API. Other topics describe common authentication scenarios for Web API.


Web API assumes that authentication happens in the host. For web-hosting, the host is IIS, which uses HTTP modules for authentication. You can configure your project to use any of the authentication modules built in to IIS or ASP.NET, or write your own HTTP module to perform custom authentication.

When the host authenticates the user, it creates a principal, which is an IPrincipal object that represents the security context under which code is running. The host attaches the principal to the current thread by setting Thread.CurrentPrincipal. The principal contains an associated Identity object that holds information about the user. If the user is authenticated, the Identity.IsAuthenticated property returns true. For anonymous requests, IsAuthenticated returns false. For more information about principals, see Role-Based Security.

HTTP Message Handlers for Authentication

Instead of using the host for authentication, you can put authentication logic into an HTTP message handler. In that case, the message handler examines the HTTP request and sets the principal.

When should you use message handlers for authentication? Here are some tradeoffs:

An HTTP module sees all requests that go through the ASP.NET pipeline. A message handler only sees requests that are routed to Web API.

You can set per-route message handlers, which lets you apply an authentication scheme to a specific route.

HTTP modules are specific to IIS. Message handlers are host-agnostic, so they can be used with both web-hosting and self-hosting.

HTTP modules participate in IIS logging, auditing, and so on.

HTTP modules run earlier in the pipeline. If you handle authentication in a message handler, the principal does not get set until the handler runs. Moreover, the principal reverts to the previous principal when the response leaves the message handler.

Generally, if you don't need to support self-hosting, an HTTP module is the better option. If you need to support self-hosting, consider a message handler.

Setting the Principal

If your application performs any custom authentication logic, you must set the principal in two places:

Thread.CurrentPrincipal. This property is the standard way to set the thread's principal in .NET.

HttpContext.Current.User. This property is specific to ASP.NET.
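The following message handler ties together the Basic Authentication challenge described earlier (the 401 response when no credentials are sent), the message-handler approach, and the rule that the principal must be set in both places. It is an added example, not code from the original page or from the ASP.NET project; ICredentialValidator, the realm name and the handler class are assumptions made for this illustration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

// Assumed abstraction for this example: checks a username/password pair against a user
// store (in practice a salted password hash) and returns the user's roles, or null on failure.
public interface ICredentialValidator
{
    string[] ValidateCredentials(string userName, string password);
}

// Added example: a Web API message handler performing HTTP Basic authentication.
public class BasicAuthenticationHandler : DelegatingHandler
{
    private const string Realm = "example-api"; // constructed realm name
    private readonly ICredentialValidator _validator;

    public BasicAuthenticationHandler(ICredentialValidator validator)
    {
        _validator = validator;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth != null && string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase))
        {
            IPrincipal principal = TryAuthenticate(auth.Parameter);
            if (principal == null)
            {
                // Credentials were presented but are invalid: reject without reaching the action.
                return Challenge(request.CreateResponse(HttpStatusCode.Unauthorized));
            }
            SetPrincipal(principal);
        }

        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        // A 401 produced further down the pipeline (for example by [Authorize]) must carry
        // the WWW-Authenticate header so the client learns that Basic is supported.
        return response.StatusCode == HttpStatusCode.Unauthorized ? Challenge(response) : response;
    }

    private IPrincipal TryAuthenticate(string parameter)
    {
        if (string.IsNullOrEmpty(parameter)) return null;
        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter));
        }
        catch (FormatException)
        {
            return null; // malformed base64 in the header
        }
        // RFC 7617 format is user-id ":" password; only the first colon separates them,
        // because the password itself may contain colons.
        int colon = decoded.IndexOf(':');
        if (colon < 0) return null;
        string userName = decoded.Substring(0, colon);
        string password = decoded.Substring(colon + 1);

        string[] roles = _validator.ValidateCredentials(userName, password);
        if (roles == null) return null;
        return new GenericPrincipal(new GenericIdentity(userName, "Basic"), roles);
    }

    // The principal has to be set in both places listed above. HttpContext.Current is null
    // under self-hosting, so the ASP.NET-specific assignment is guarded.
    private static void SetPrincipal(IPrincipal principal)
    {
        Thread.CurrentPrincipal = principal;
        if (HttpContext.Current != null)
        {
            HttpContext.Current.User = principal;
        }
    }

    private static HttpResponseMessage Challenge(HttpResponseMessage response)
    {
        response.Headers.WwwAuthenticate.Add(
            new AuthenticationHeaderValue("Basic", "realm=\"" + Realm + "\""));
        return response;
    }
}
```

Register the handler globally with config.MessageHandlers.Add(new BasicAuthenticationHandler(validator)) in WebApiConfig.Register, or pass it as the handler argument of MapHttpRoute to apply it to a single route. Basic credentials travel base64-encoded, not encrypted, so this handler is only meaningful over HTTPS.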



Authorization happens later in the pipeline, closer to the controller. That lets you make more granular choices when you grant access to resources.

Authorization filters run before the controller action. If the request is not authorized, the filter returns an error response, and the action is not invoked.

Within a controller action, you can get the current principal from the ApiController.User property. For example, you might filter a list of resources based on the user name, returning only those resources that belong to that user.

Using the [Authorize] Attribute

Web API provides a built-in authorization filter, AuthorizeAttribute. This filter checks whether the user is authenticated. If not, it returns HTTP status code 401 (Unauthorized), without invoking the action.

Custom Authorization Filters

To write a custom authorization filter, derive from one of these types:

AuthorizeAttribute. Extend this class to perform authorization logic based on the current user and the user's roles.

AuthorizationFilterAttribute. Extend this class to perform synchronous authorization logic that is not necessarily based on the current user or role.

IAuthorizationFilter. Implement this interface to perform asynchronous authorization logic; for example, if your authorization logic makes asynchronous I/O or network calls. (If your authorization logic is CPU-bound, it is simpler to derive from AuthorizationFilterAttribute, because then you don't need to write an asynchronous method.)
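As an added example of the first option above (not code from the page or from the ASP.NET project), the attribute below derives from AuthorizeAttribute, requires that the principal hold at least one of the listed roles, and distinguishes an unauthenticated caller (401) from an authenticated caller who lacks the role (403). RequireRoleAttribute, the role names and ReportsController are assumptions made for this illustration.

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;

// Added example: custom authorization filter based on the current user's roles.
public class RequireRoleAttribute : AuthorizeAttribute
{
    private readonly string[] _roles;

    public RequireRoleAttribute(params string[] roles)
    {
        _roles = roles;
    }

    private static bool IsAuthenticated(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal;
        return principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated;
    }

    // Called before the action; returning false routes to HandleUnauthorizedRequest.
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        if (!IsAuthenticated(actionContext))
        {
            return false;
        }
        var principal = actionContext.RequestContext.Principal;
        return _roles.Any(principal.IsInRole);
    }

    // The base class always answers 401; here an authenticated user without the
    // required role gets 403 instead, so the client does not retry with credentials.
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        HttpStatusCode status = IsAuthenticated(actionContext)
            ? HttpStatusCode.Forbidden
            : HttpStatusCode.Unauthorized;
        actionContext.Response = actionContext.Request.CreateResponse(status);
    }
}

// Assumed controller showing the attribute applied to a single action.
public class ReportsController : ApiController
{
    [RequireRole("Admin", "Auditor")]
    public IHttpActionResult GetAuditReport()
    {
        return Ok(new { generatedFor = User.Identity.Name });
    }
}
```

Because the filter runs before the action, GetAuditReport never executes for a caller who fails the role check; the 403 also tells a legitimate but under-privileged user that re-authenticating will not help.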

Authorization Inside a Controller Action

In some cases, you might allow a request to proceed, but change the behavior based on the principal. For example, the information that you return might change depending on the user's role. Within a controller method, you can get the current principal from the
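The controller below shows that per-principal behaviour as an added example (not code from the page or from the ASP.NET project): an auditor sees every document, everyone else sees only the documents they own. The Document type, the in-memory store and the "Auditor" role are constructed for this illustration.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;

// Constructed resource type for this example.
public class Document
{
    public int Id { get; set; }
    public string Owner { get; set; }
    public string Title { get; set; }
}

// [Authorize] rejects unauthenticated callers with 401 before any action runs,
// so inside the actions User.Identity.Name is always populated.
[Authorize]
public class DocumentsController : ApiController
{
    // Constructed sample data; a real action would query a data store.
    private static readonly List<Document> Store = new List<Document>
    {
        new Document { Id = 1, Owner = "alice", Title = "Q1 report" },
        new Document { Id = 2, Owner = "bob",   Title = "Design notes" },
    };

    private bool CanSee(Document doc)
    {
        // Ownership check uses an ordinal comparison so "Alice" and "alice" stay distinct.
        return User.IsInRole("Auditor") || doc.Owner == User.Identity.Name;
    }

    // GET api/documents: the request proceeds for every authenticated user,
    // but the result set depends on the principal's role and name.
    public IEnumerable<Document> Get()
    {
        return Store.Where(CanSee).ToList();
    }

    // GET api/documents/{id}: another user's document is reported as 404 rather than
    // 403 so the response does not confirm that the id exists.
    public IHttpActionResult Get(int id)
    {
        Document doc = Store.FirstOrDefault(d => d.Id == id);
        if (doc == null || !CanSee(doc))
        {
            return NotFound();
        }
        return Ok(doc);
    }
}
```

Filtering on the principal inside the action is what makes this authorization granular: the [Authorize] filter decides whether the caller may reach the endpoint at all, while the action decides which individual resources that caller is allowed to see.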