Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Brief question: I've a Web API Service in .NET, and a Site made only with HTML and AngularJS.

How can I authorize ONLY my web site to use my service?


I'm looking for a secure answer to a problem that seems to be common but is not. I read a lot of answers, ideas and every kind of thing in the last few days, but I couldn't find the solution.

Let's suppose I've a Web Api Service (the latest one) from MS. So I have two applications that need to consume it. Let's define two scenarios.

Scenario 1:

In the same IIS, I've an ASP.NET MVC 3/4 app with the particularity that all MVC work is on the client side, done by AngularJS, so the app points directly from JavaScript to the Web Api Service.

Scenario 2:

I've a third party application that points directly to the Web Api Service, and is located in another network/site/anything, but related.

So, my question is:

How can I authenticate both systems, so that the Web Api Service gives access to both systems (I don't care if it is the same way or not), and does not give access, for example, to a guy with a REST client who logged in to the site with user/pass authorization? I hope both examples gave the idea of the point I'm interested in.

Please comment below anything you need to improve this question in a better way!

By the way, no, obfuscation can not be used. I thought of something like a refreshing token but I can't figure it out.


1 Answer

How I would set up authentication with your Scenario 1:

I will force the static files to go through the server in order to ensure authentication.

Web.config

<compilation>
    <buildProviders>
        <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
        <add extension=".htm" type="System.Web.Compilation.PageBuildProvider" />
    </buildProviders>
</compilation>

<system.webServer>
     <handlers>
         <add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG"   type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
         <add name="HTM" path="*.htm" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
     </handlers>
</system.webServer>

This will allow me to set up <authentication> and <authorization> in my web.config like:

<authorization>
  <allow roles="demo" />
</authorization>

or

<authorization>
  <deny users="?" />
</authorization>

Additionally I will set up my login page:

<authentication mode="Forms">
      <forms path="/" loginUrl="~/login"..

For Scenario 2:

Probably you will need to enable CORS, if it is the case you will need to:

Set the config option config.EnableCors(); in your Register method; you will also need to enable CORS in your ApiController by using the [EnableCors] attribute along with the declaration of the controller. Here is an example of how I do it:

[EnableCors(origins: "http://localhost:49595", headers: "*", methods: "*")]
public class ValuesController : ApiController
{
...

Finally, to secure the Web API we will need to use the [Authorize] attribute on the controllers, and most likely you will need to define your custom authentication method to authorize your second callers. You could follow these steps:


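As an added illustration of the "custom authentication method" for Scenario 2 (this is not the answerer's code or the missing steps), here is a Web API 2 IAuthenticationFilter that authenticates the third-party caller with a pre-shared API key sent as "Authorization: ApiKey <key>" and sets a ClaimsPrincipal so that [Authorize] accepts the request; the caller name "partner-app", the placeholder secret and the in-memory key store are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Filters;

// Added example, not from the original answer. Requires Microsoft.AspNet.WebApi 5.x.
public class ApiKeyAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    // Placeholder store: load real keys from protected configuration, never hard-code them,
    // and only accept them over HTTPS so the key cannot be sniffed in transit.
    private static readonly IDictionary<string, string> KeysByCaller =
        new Dictionary<string, string> { { "partner-app", "REPLACE-WITH-RANDOM-SECRET" } };

    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;
        // No header or a different scheme: leave context.Principal unset, so [Authorize] returns 401.
        if (auth == null || !string.Equals(auth.Scheme, "ApiKey", StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);
        foreach (KeyValuePair<string, string> entry in KeysByCaller)
        {
            if (FixedTimeEquals(entry.Value, auth.Parameter ?? string.Empty))
            {
                // Authenticated identity named after the caller; [Authorize(Roles=...)] can build on it.
                var identity = new ClaimsIdentity("ApiKey");
                identity.AddClaim(new Claim(ClaimTypes.Name, entry.Key));
                context.Principal = new ClaimsPrincipal(identity);
                break;
            }
        }
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        // Nothing to add: the 401 produced by [Authorize] is kept as the response.
        return Task.FromResult(0);
    }

    // Compare every byte so response time does not reveal how many leading bytes matched.
    private static bool FixedTimeEquals(string expected, string actual)
    {
        byte[] a = Encoding.UTF8.GetBytes(expected), b = Encoding.UTF8.GetBytes(actual);
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Apply it next to [Authorize] on the controller (for example `[ApiKeyAuthentication] [Authorize] public class ValuesController : ApiController`); browser users from Scenario 1 still authenticate through the Forms cookie, while the REST-client caller must present the key.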