
Security using JWT (Json Web Tokens) in AngularJS w/WebAPI C#

  • 24-06-2015 11:55am, #1, ikoonman


    Hi

    I am working on a public-facing website that requires users to log in for access. The UI interacts with the RESTful WebApi using Angular. To implement security, I utilize JWT (originating from the WebAPI) and the bearer token is authenticated with each API call via a DelegatingHandler and each Controller method is decorated with the [Authorize] attribute - all done over HTTPS.

    So my 2 questions would be
    1. Would this implementation be sufficient as security measures preventing unauthorized service calls (and XSS attacks) to the WebAPI? I see a number of articles talking about OAuth2, but suggesting that the latter is a different implementation of what I am already doing.
    2. I need to expose a web service that can be called from a 3rd party (that does not necessarily need to have a login to gain access to the site - they would only push data in), and I am struggling to figure out how to go about it. Naturally there would need to be some basic authentication so that not every Joe Soap can abuse the web service, so would it be something similar to JWT where the 3rd party would send credentials to the WebApi, get authenticated, be returned a bearer token which is then used in the subsequent calls to my REST service? The frequency of calls varies as this would typically be used by some sort of automated service residing with the 3rd party. Is this the best/simplest approach, or is there a better way?

    Any advice appreciated


Comments

  • John_Mc


    ikoonman wrote: »

    Bearer Tokens work in much the same way as Cookies in that they are resolved to a user who is (usually) a member of one or more roles. You can protect controller actions in the same way as normal MVC. The only difference is that you need to manually add the bearer token to the request header whereas the cookie is automatically submitted.

    In short I'm pretty sure this is a valid and secure authentication & authorisation technique.

    As for XSS, it seems you can use the Antiforgery token that is baked into MVC with Web Api 2.

