Security using JWT (Json Web Tokens) in AngularJS w/WebAPI C#

ikoonman

Hi

I am working on an public-facing website that requires users to log in for access. The UI interacts with the RESTful WebApi using Angular. To implement security, I utilize JWT (orginiating from the WebAPI) and the bearer token is authenticated with each API call via a DelegatingHandler and each Controller method is decorated with the [Authorize] attribute - all done over HTTPS.

So my 2 questions would be
1. Would this implementation be sufficient as security measures preventing unauthorized service calls (and XSS attacks) to the WebAPI? I see a number of articles talking about OAuth2, but suggesting that the latter is a different implementation of what I am already doing.
2. I need to expose a web service that can be called from a 3rd party (that does not necessarily need to have a login to gain access to the site - they would only push data in), and I am struggling to figure out how to go about. Naturally there would need to be some basic authentication so that not every Joe Soap can abuse the web service, so would it be something similar to JWT where the 3rd party would send credentials to the WebApi, get authenticated, returns a bearer token which is then used in the subsequent calls to my REST service? The frequency of calls vary as this would typically be used by some sort of automated service residing with the 3rd party. Is this the best/simplest approach, or is there a better way?

Any advice appreciated

John_Mc

ikoonman wrote: »

Hi

I am working on an public-facing website that requires users to log in for access. The UI interacts with the RESTful WebApi using Angular. To implement security, I utilize JWT (orginiating from the WebAPI) and the bearer token is authenticated with each API call via a DelegatingHandler and each Controller method is decorated with the [Authorize] attribute - all done over HTTPS.

So my 2 questions would be
1. Would this implementation be sufficient as security measures preventing unauthorized service calls (and XSS attacks) to the WebAPI? I see a number of articles talking about OAuth2, but suggesting that the latter is a different implementation of what I am already doing.
2. I need to expose a web service that can be called from a 3rd party (that does not necessarily need to have a login to gain access to the site - they would only push data in), and I am struggling to figure out how to go about. Naturally there would need to be some basic authentication so that not every Joe Soap can abuse the web service, so would it be something similar to JWT where the 3rd party would send credentials to the WebApi, get authenticated, returns a bearer token which is then used in the subsequent calls to my REST service? The frequency of calls vary as this would typically be used by some sort of automated service residing with the 3rd party. Is this the best/simplest approach, or is there a better way?

Any advice appreciated

Bearer Tokens work in much the same way as Cookies in that they are resolved to a user who is (usually) a member of one or more roles. You can protect controller actions in the same way as normal MVC. The only difference is that you need to manually add the bearer token to the request header whereas the cookie is automatically submitted.

In short I'm pretty sure this is a valid and secure authentication & authorisation technique.

As for XSS, it seems you can use the Antiforgery token that is baked in to MVC with Web Api 2.