I have a Web API project that follows the basic account authentication process outlined here: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api. My question is: should I secure the /Token endpoint with SSL (or something else)? Otherwise, the API call to "myURL/Token" is just sent via clear text with the username and password in its body?
I read up on this post on Web API SSL: http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api but I don't know where I should place the [RequireHttps] attribute since the /Token endpoint is not really a controller action.
Yes, you should make the Token endpoint secure.
In the Startup.Auth.cs file, under the OAuthAuthorizationServerOptions, you can specify whether the Token endpoint requires SSL or not.
OAuthOptions = new OAuthAuthorizationServerOptions
{
    // Path of the resource-owner password / refresh-token endpoint
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId),
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
    // false: the authorization server refuses token requests that did not arrive over HTTPS
    AllowInsecureHttp = false
};
The AllowInsecureHttp setting will force the URL to be SSL or not.
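As an added example (not code from the question or the answer above): a complete Startup.Auth.cs ConfigureAuth that sets AllowInsecureHttp = false and, because /Token is handled by OWIN middleware rather than a controller, enforces HTTPS for the whole pipeline with a small OWIN middleware registered ahead of the OAuth server, which is the pipeline-level equivalent of [RequireHttps]. The namespace, the Startup class layout and the PublicClientId value are assumptions; ApplicationOAuthProvider is the template's provider referenced in the answer.

```csharp
using System;
using System.Net;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

namespace MyWebApi // assumed project namespace
{
    public partial class Startup
    {
        public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
        public static string PublicClientId { get; private set; }

        public void ConfigureAuth(IAppBuilder app)
        {
            // Reject plain-HTTP requests before they reach /Token or any API controller.
            // Must be registered before UseOAuthBearerTokens so it runs first.
            // Request.IsSecure reflects the transport the request arrived on; behind a
            // TLS-terminating proxy it is false unless the proxy rewrites the scheme.
            app.Use(async (context, next) =>
            {
                if (!context.Request.IsSecure)
                {
                    context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                    context.Response.ReasonPhrase = "HTTPS required";
                    return;
                }
                await next();
            });

            PublicClientId = "self"; // assumed client id, as in the template
            OAuthOptions = new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/Token"),
                Provider = new ApplicationOAuthProvider(PublicClientId),
                AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
                // Defence in depth: the authorization server itself also refuses
                // token requests that did not arrive over HTTPS.
                AllowInsecureHttp = false
            };

            // Registers the token endpoint and bearer-token validation middleware
            app.UseOAuthBearerTokens(OAuthOptions);
        }
    }
}
```

With both settings in place, a plain-HTTP POST to /Token is stopped by the middleware, and even if the middleware were removed the OAuth server would still refuse it; credentials and bearer tokens therefore only ever travel over TLS.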