Web API - Token

2

A MVC application accesses WEB API services.

To access the WEB API it is necessary to inform a "token".

In the WEB API application there is a button that generates the token.

How to make the WEB API accept only the token generated through the MVC application without using a database?

I made the MVC generate the token (a GUID + date) and pass this token to the WEB API, which validates whether the date is within a 30 s period. If it is within the period, the token is considered valid.

// Validation as currently implemented on the WEB API side: only the timestamp is checked.
static bool IsTokenValid(string token)
{
    byte[] data = Convert.FromBase64String(token);
    // First 8 bytes: the issue time as written by DateTime.ToBinary()
    DateTime when = DateTime.FromBinary(BitConverter.ToInt64(data, 0));

    // Reject tokens older than 30 seconds
    if (when < DateTime.UtcNow.AddSeconds(-30))
    {
        return false;
    }
    return true;
}

This works; however, any GUID concatenated with a date will be accepted as valid. I need my WEB API to know exactly which token was generated by the MVC application.

  • Hello Alberto, try to explain better what you need.

  • 1

    You can replace the GUID with a key that only the MVC project knows about. But I don’t understand why there is a button to generate the token if only another project can know the token.

  • Thanks for your help. I’ve been doing some research and I believe what I need is an OTP. That is, the MVC generates a token and the other project knows which token was generated.

  • Have you thought about using OAuth, which already does all this for you? Take a look here: http://www.leonardohofling.com/blog/web-api-addindo-authentificatcao-oauth/

  • I recommend you use JWT / Oauth. https://github.com/IdentityServer/IdentityServer3 If you want to use Azure AD for this, I’ve recorded a video that might help you: https://www.youtube.com/watch?v=PSkY1PbkrfA&list=PL3tw-QzEqu8QS8lopRA_KpTs5DJvFm1ks

1 answer

3

There are several solutions to your problem...

  1. When you generate the token in the MVC application, send it to the Webapi (through a restricted endpoint that only you have access to); when it receives the token, your API stores it in memory in a static list/dictionary. The problem is that you cannot kill the process or restart the server where the Webapi is, and when the Pool (if using IIS) restarts, all data will be "lost". (In this case, it would be even easier for you to create the token directly in the Webapi and create a restricted endpoint that only the MVC accesses to obtain the token; each call generates a new token and deletes invalid ones from memory [Collection/list/Dictionary/hashset].)
  2. Add a SALT (a predefined, application-only random string) to your token, encode it with SHA1 or another encryption algorithm (in this case, you don’t even need the GUID...)
  3. An unsafe yet effective solution to your problem would be SALT + GUID + date, all encoded in Base64, but as I said, this is not at all safe: anyone with intermediate knowledge who views the token will realize that it is a Base64 string, can run it through a Base64 decoder and see the original pattern without further complications...
  4. Deploy Oauth or JWT (but I have the impression that for this you will need a database).

Why can’t you use a database? Not even one in the QTL is authorized? Why not do it using Redis?
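The following is an added example, not code from the question or from the answer above. It is the keyed form of the answer's option 2 (secret + hash) applied to the asker's "date + 30 s window" design: instead of a salted SHA1 digest it uses HMAC-SHA256 over the timestamp and a random nonce, so the Web API can verify, with no database, that the token was produced by something holding the shared key. Assumptions: both applications load the same secret key from configuration (the literal in Main is a constructed placeholder), the timestamp is stored as the 8-byte DateTime.Ticks value, and a 5-second clock-skew allowance is acceptable.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original question or answer.
// Assumes the MVC app and the Web API share one secret key loaded from
// configuration; the key literal in Main is a constructed placeholder.
public static class SharedSecretToken
{
    private const int TimestampBytes = 8;   // DateTime.Ticks as Int64
    private const int NonceBytes = 16;      // random per token
    private const int TagBytes = 32;        // HMAC-SHA256 output

    // MVC side: token = Base64( ticks || nonce || HMAC-SHA256(key, ticks || nonce) ).
    public static string Generate(byte[] key, DateTime utcNow)
    {
        byte[] payload = new byte[TimestampBytes + NonceBytes];
        BitConverter.GetBytes(utcNow.Ticks).CopyTo(payload, 0);
        byte[] nonce = new byte[NonceBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        nonce.CopyTo(payload, TimestampBytes);

        byte[] tag = Mac(key, payload);
        byte[] token = new byte[payload.Length + tag.Length];
        payload.CopyTo(token, 0);
        tag.CopyTo(token, payload.Length);
        return Convert.ToBase64String(token);
    }

    // Web API side: verify the MAC first, then apply the 30-second window.
    public static bool Validate(byte[] key, string token, DateTime utcNow, TimeSpan window)
    {
        byte[] data;
        try { data = Convert.FromBase64String(token); }
        catch (FormatException) { return false; }   // malformed input is simply "invalid"
        if (data.Length != TimestampBytes + NonceBytes + TagBytes) return false;

        byte[] payload = new byte[TimestampBytes + NonceBytes];
        Array.Copy(data, 0, payload, 0, payload.Length);
        byte[] presented = new byte[TagBytes];
        Array.Copy(data, payload.Length, presented, 0, TagBytes);

        // Without the key nobody can produce a matching tag, so a home-made
        // "GUID + date" token fails here regardless of its timestamp.
        byte[] expected = Mac(key, payload);
        if (!FixedTimeEquals(expected, presented)) return false;

        long ticks = BitConverter.ToInt64(data, 0);
        if (ticks < DateTime.MinValue.Ticks || ticks > DateTime.MaxValue.Ticks) return false;
        DateTime issued = new DateTime(ticks, DateTimeKind.Utc);
        if (issued < utcNow - window) return false;                    // expired
        if (issued > utcNow + TimeSpan.FromSeconds(5)) return false;   // beyond clock-skew allowance
        return true;
    }

    private static byte[] Mac(byte[] key, byte[] payload)
    {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(payload);
    }

    // Constant-time comparison so the check does not leak how many tag bytes matched.
    // (.NET Core 2.1+ ships CryptographicOperations.FixedTimeEquals for the same purpose.)
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-secret-replace-me");
        TimeSpan window = TimeSpan.FromSeconds(30);
        DateTime now = DateTime.UtcNow;

        string token = Generate(key, now);
        Console.WriteLine("fresh token accepted:    " + Validate(key, token, now, window));
        Console.WriteLine("same token 31 s later:   " + Validate(key, token, now.AddSeconds(31), window));

        // Flip one bit of the timestamp: the MAC no longer matches.
        byte[] raw = Convert.FromBase64String(token);
        raw[0] ^= 0x01;
        Console.WriteLine("tampered token accepted: " + Validate(key, Convert.ToBase64String(raw), now, window));

        // A token made under a different key (an untrusted caller) is rejected as well.
        byte[] otherKey = Encoding.UTF8.GetBytes("some-other-secret");
        Console.WriteLine("token under another key: " + Validate(otherKey, token, now, window));
    }
}
```

Two caveats belong with this design. It is stateless, so a token captured on the wire remains valid for the rest of its window; the nonce is included so that, if that matters, the Web API can keep a short-lived set of nonces it has already seen (the answer's option 1) without storing anything longer than the window. And the key must live only on the MVC server and the Web API server: if the "generate token" button runs the MAC in the browser, the secret ships to every client and the check proves nothing.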
