Search code examples
.netwcfasp.net-web-apirestful-architecture

How does WebApi Authentication works for all clients?

It is quite subjective question and I searched various places but I want to know the real world example of how does WebApi Authentication works

I am using an AngularJS application in front end and Now, I have to connect to WebAPI but there are various client So, What are the ways clients will be authenticated in WEBAPI

Solution

  • You would configure an application to act as a token issuer, responsible for creating JWT tokens that are allowed for particular clients.

    A .Net example of this is Identity Server (https://github.com/IdentityServer/IdentityServer3). It has a number of examples that show you how this works with different client types (https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients)

    You define clients in Identity Server that are represented by a client id, an authorization type and a 'redirect url'. Identity Server acts as a single sign on, so when your application needs to access an API you would redirect to Identity Server using OpenID connect. Upon successful sign in, Identity Server would redirect back to the 'redirect url' you registered for the client id, sending an access_token back to the client on the hash fragment

    A library exists to help with this in single page applications, OIDC-client. Once you have the access token, you can send it on to your web api using an Authorization header.

    Authorization: bearer {the-jwt-token}

    The API would be secured using JWT Bearer authentication, using one of the available nuget packages to achieve this. The API is responsible for ensuring that the JWT token sent to it is signed by the expected token issuer, is for the relevant audience and was issued by the correct authority.

    If JWT validation passes, then authentication has succeeded and you can then make authorization decisions based on the claims present in the token.

    That's the basic concepts - acquire a token from an issuer, send in on HTTP requests using the Authorization header, lock down your API using JWT authentication.

    You can either run your own token issuer, such as Identity Server, or use something like Azure AAD to provide this functionality for you. It's pretty simple to get something up and running using AAD.