Best way to secure ASP.NET Web API 2 where multiple client use it
You are on the right track by using Token based authentication. Here is a link which shows the implementation details-
Token based authentication in Web API without any user interface
Additionally, I think you can secure the channel using SSL-
http://www.c-sharpcorner.com/UploadFile/55d2ea/creating-and-using-C-Sharp-web-application-over-https-ssl/
Best practice for securing web API endpoint
When developing a UI client you should always assume that the user can grab tokens from a mobile app or secure cookies from a web app, then replay them against the API. Both of which are just HTTP headers. This is easy for any semi-technical user to do with an HTTP proxy tool.
SCOPES
APIs should validate the JWT access token received on every request. Then use scopes to prevent access to invalid operations. E.g. if an access token without a money_write scope was used to attempt that operation it would fail with a 403 error.
CLAIMS
The main protection is usually always done when the API's logic verifies claims received in the JWT access token. This ensures that the user can never elevate their own privileges. Consider the following example:
sub: hd80423r2f
tenant-id: 123
role: user
subscription-level: silver
If an API receives this, then it would typically apply code to deny access to resources for other users, roles, tenants or subscription levels. In these cases I most commonly return a 404 resource not found for user response.
HIGH PRIVILEGE OPERATIONS
Operations such as money transfer would usually be accompanied by strong authentication with multiple factors, and short lived access tokens. It is common to also involve user consent, perhaps to a particular payment transaction.
Sometimes you need dynamic authorization behavior in APIs, eg only allow a money transfer if strong authentication was used. In these cases claims are used rather than fixed scopes, and this might result in the following extra claims in the JWT access token:
authentication_strength: high
payment_transaction_id: 123
The API's code could then deny access unless runtime claims such as these were also present.
SUMMARY
You cannot authorize based on use of a mobile app, since APIs cannot distinguish between HTTP requests from mobile apps or sent manually. The main thing to ensure is that if a user grabs a token using tools, they can only access the exact same data that they see in their UI user session.
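An added example (not code from the original answer) of the checks described above, written as a plain C# method that runs after the JWT has already been validated and its claims loaded into a ClaimsPrincipal. The claim names (sub, tenant-id, role, subscription-level, authentication_strength) and the money_write scope come from the answer; the Account record, the in-memory account list and the numeric status codes returned are assumptions made for this illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical resource type: an account owned by one user inside one tenant.
public record Account(string Id, string OwnerSub, string TenantId, decimal Balance);

public static class AccountAuthorization
{
    // Constructed sample data: two accounts in two different tenants.
    private static readonly List<Account> Accounts = new()
    {
        new Account("acc-1", "hd80423r2f", "123", 50m),
        new Account("acc-2", "user-in-other-tenant", "456", 900m),
    };

    // Returns an HTTP-style status: 200 allowed, 403 forbidden by scope/claim,
    // 404 when the resource must stay invisible to this caller.
    public static int AuthorizeTransfer(ClaimsPrincipal caller, string accountId)
    {
        // 1. Scope check: the token must carry money_write, otherwise 403.
        //    OAuth scopes are commonly delivered as one space-separated "scope" claim.
        var scopes = (caller.FindFirst("scope")?.Value ?? string.Empty)
            .Split(' ', StringSplitOptions.RemoveEmptyEntries);
        if (!scopes.Contains("money_write"))
            return 403;

        // 2. Runtime claim check for a high-privilege operation: the transfer is only
        //    allowed when the token records that strong authentication was used.
        if (caller.FindFirst("authentication_strength")?.Value != "high")
            return 403;

        // 3. Claims-based data filtering: the caller may only touch accounts that
        //    belong to their own tenant and their own subject. Anything else is
        //    reported as 404 so the caller cannot even confirm the account exists.
        //    Note: ASP.NET Core's JWT handler maps "sub" to ClaimTypes.NameIdentifier
        //    unless inbound claim mapping is disabled; this example uses the raw name.
        var sub = caller.FindFirst("sub")?.Value;
        var tenant = caller.FindFirst("tenant-id")?.Value;
        var account = Accounts.FirstOrDefault(a => a.Id == accountId);
        if (account is null || account.TenantId != tenant || account.OwnerSub != sub)
            return 404;

        return 200;
    }

    // Builds a ClaimsPrincipal shaped like the output of JWT validation.
    // Constructed for the example; no real token is parsed here.
    public static ClaimsPrincipal PrincipalFromClaims(IDictionary<string, string> claims)
    {
        var identity = new ClaimsIdentity(
            claims.Select(kv => new Claim(kv.Key, kv.Value)), "Bearer");
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        var strongUser = PrincipalFromClaims(new Dictionary<string, string>
        {
            ["sub"] = "hd80423r2f",
            ["tenant-id"] = "123",
            ["role"] = "user",
            ["subscription-level"] = "silver",
            ["scope"] = "money_read money_write",
            ["authentication_strength"] = "high",
        });

        // Same user, but the token was issued after a weak login and without money_write.
        var weakUser = PrincipalFromClaims(new Dictionary<string, string>
        {
            ["sub"] = "hd80423r2f",
            ["tenant-id"] = "123",
            ["role"] = "user",
            ["subscription-level"] = "silver",
            ["scope"] = "money_read",
            ["authentication_strength"] = "low",
        });

        Console.WriteLine(AuthorizeTransfer(strongUser, "acc-1")); // 200: own account, scope and strength present
        Console.WriteLine(AuthorizeTransfer(strongUser, "acc-2")); // 404: account belongs to another tenant/user
        Console.WriteLine(AuthorizeTransfer(weakUser, "acc-1"));   // 403: money_write scope missing
    }
}
```

The order of the checks matters: scope and authentication-strength failures are reported as 403 because they reveal nothing about data, while the ownership check answers 404 so a replayed token never lets a user enumerate accounts outside what their own UI session would show.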
secure access to external web API .NET CORE
If both APIs are protected by the same accessToken, then you can read the authorization header from the first request and pass it to the second request.
Something like this to read the header:
// ASP.NET Core: IHeaderDictionary is indexed by name (there is no Get method)
var authHeader = context.Request.Headers["Authorization"].ToString();
You should end up with authHeader equal to "Bearer ey...(a bunch of base64)"
Then add the auth header to the client:
var request = new HttpRequestMessage
{
    // A single scheme only; "http://https://..." is not a valid URI
    RequestUri = new Uri("https://covid19.mathdro.id/api"),
    Method = HttpMethod.Get,
};
...
// Authorization is a single-valued property, so parse the forwarded
// "Bearer <token>" string into it rather than calling Add
request.Headers.Authorization = AuthenticationHeaderValue.Parse(authHeader);
var response = await client.SendAsync(request);