Question

I'm developing a web application consuming a REST .NET Web API. My web API is stateless and I'm using static HTML and JQuery requests.

Question: What's the best way to do the login/password authentication?

Application flow:

  1. API XHR request
  2. API response with status 401
  3. JS redirect to login page
  4. API Authentication XHR request (with login and password)
  5. API response with a token
  6. New API XHR request (with token)
  7. API response with data

Solution

I believe the answer here is it depends; and it really depends on how sensitive the information behind your API is.

If we are talking about very sensitive data, I would implement the model Amazon uses.

For most of the sites, what you are describing is just fine. I would use https for extra security. You can transmit your encrypted token in a cookie or as a custom header.

In your API controllers you can use the [Authorize] attribute to restrict access to those endpoints requiring authentication.

You can expose a delegating handler that processes all the requests and responds with a 401 if the token is not valid, or sets the current principal so the Authorize attribute can be satisfied.

Please let me know if you need any code samples, I have done this before.
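One way to write the delegating handler the answer describes, as an added example (not code from the answer's author): it reads a bearer token from the Authorization header, rejects a present-but-invalid token with 401, and otherwise sets the request principal so [Authorize] is satisfied. ITokenValidator and MyTokenValidator are hypothetical stand-ins for whatever verifies the encrypted token the login endpoint issued; the header transport is assumed here rather than the cookie option the answer also mentions.

```csharp
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical: wraps the token decryption/verification logic (not on the page).
public interface ITokenValidator
{
    // Returns the authenticated principal, or null if the token is invalid or expired.
    IPrincipal Validate(string token);
}

public class TokenAuthenticationHandler : DelegatingHandler
{
    private readonly ITokenValidator _validator;

    public TokenAuthenticationHandler(ITokenValidator validator)
    {
        _validator = validator;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;

        // No token at all: pass through unauthenticated. [Authorize] endpoints answer 401
        // on their own, while [AllowAnonymous] endpoints (e.g. the login endpoint) keep working.
        if (auth == null || auth.Scheme != "Bearer" || string.IsNullOrEmpty(auth.Parameter))
        {
            return await base.SendAsync(request, cancellationToken);
        }

        IPrincipal principal = _validator.Validate(auth.Parameter);
        if (principal == null)
        {
            // Token present but not valid: reject immediately, as the answer describes.
            HttpResponseMessage response = request.CreateResponse(HttpStatusCode.Unauthorized);
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            return response;
        }

        // Set the principal so [Authorize] and User.Identity in controllers see it.
        request.GetRequestContext().Principal = principal;
        Thread.CurrentPrincipal = principal;
        return await base.SendAsync(request, cancellationToken);
    }
}
// Registration in WebApiConfig.Register(HttpConfiguration config):
//   config.MessageHandlers.Add(new TokenAuthenticationHandler(new MyTokenValidator()));
```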

Licensed under: CC-BY-SA with attribution