An MVC application accesses WEB API services.
To access the WEB API, it is necessary to provide a "token".
In the WEB API application there is a button that generates the token.
How can I make the WEB API accept only the token generated through the MVC application, without using a database?
I made the MVC generate the token (a GUID + date) and pass this token to the WEB API, which validates whether the date is within a 30s period. If it is within the period, the token is considered valid.
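```csharp
// The first 8 bytes of the decoded token hold the creation time.
byte[] data = Convert.FromBase64String(token);
DateTime when = DateTime.FromBinary(BitConverter.ToInt64(data, 0));
// Reject tokens older than 30 seconds.
if (when < DateTime.UtcNow.AddSeconds(-30))
{
    return false;
}
```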
This works; however, any GUID that is provided concatenated with a date will be valid. I need to let my WEB API know exactly which token was generated by the MVC application.
Hello Alberto, try to explain better what you need.
– Gabriel Brito
You can replace the GUID with a key that only the MVC project knows about. But I don’t understand why there is a button to generate the token if only another project can know the token.
– Thiago Silva
Thanks for your help. I’ve been doing some research and I believe what I need is an OTP. That is, the MVC generates a token and the other project knows which token was generated.
– Guilherme Ferreira
Have you thought about using OAuth, which already does all this for you? Take a look here: http://www.leonardohofling.com/blog/web-api-addindo-authentificatcao-oauth/
– Ricardo Pontual
I recommend you use JWT / OAuth. https://github.com/IdentityServer/IdentityServer3 If you want to use Azure AD for this, I’ve recorded a video that might help you: https://www.youtube.com/watch?v=PSkY1PbkrfA&list=PL3tw-QzEqu8QS8lopRA_KpTs5DJvFm1ks
– Thiago Custodio
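The "key that only the MVC project knows" idea from the comments, as an added example that is not code from the question or from any commenter: the token keeps the question's date + GUID layout and appends an HMAC-SHA256 tag, so the WEB API can check without a database that the token was produced by a holder of the key. The class and method names, the byte layout and the assumption that the same secret key is configured in both applications are all hypothetical.

```csharp
using System;
using System.Security.Cryptography;
// Added example. SignedToken, Create and Validate are hypothetical names.
// Layout (constructed here): 8-byte UTC timestamp | 16-byte GUID | 32-byte HMAC-SHA256 tag.
public static class SignedToken
{
    private const int PayloadLength = 8 + 16;
    private const int TagLength = 32;
    private static readonly TimeSpan MaxAge = TimeSpan.FromSeconds(30);

    // MVC side. Assumption: key is a secret configured in both applications.
    public static string Create(byte[] key)
    {
        var token = new byte[PayloadLength + TagLength];
        Buffer.BlockCopy(BitConverter.GetBytes(DateTime.UtcNow.ToBinary()), 0, token, 0, 8);
        Buffer.BlockCopy(Guid.NewGuid().ToByteArray(), 0, token, 8, 16);
        using (var hmac = new HMACSHA256(key))
        {
            byte[] tag = hmac.ComputeHash(token, 0, PayloadLength);
            Buffer.BlockCopy(tag, 0, token, PayloadLength, TagLength);
        }
        return Convert.ToBase64String(token);
    }

    // WEB API side: reject anything not signed with the shared key or outside the window.
    public static bool Validate(string token, byte[] key)
    {
        if (token == null) return false;
        byte[] data;
        try { data = Convert.FromBase64String(token); }
        catch (FormatException) { return false; }
        if (data.Length != PayloadLength + TagLength) return false;

        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(data, 0, PayloadLength);
        // Compare every byte so timing does not reveal how much of the tag matched.
        int diff = 0;
        for (int i = 0; i < TagLength; i++)
            diff |= expected[i] ^ data[PayloadLength + i];
        if (diff != 0) return false;

        // Only now trust the timestamp: it is covered by the tag.
        DateTime when = DateTime.FromBinary(BitConverter.ToInt64(data, 0));
        DateTime now = DateTime.UtcNow;
        return when >= now - MaxAge && when <= now + MaxAge; // also bounds clock skew
    }
}
```

A captured token can still be replayed until it expires, since nothing is stored server-side; an in-memory set of GUIDs seen in the last 30 seconds would close that gap without a database.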