I have a Web API project that follows the basic account authentication process outlined here: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api. My question is: should I secure the /Token endpoint with SSL (or something else)? Otherwise, the API call to "myURL/Token" is just sent in clear text with the username and password in its body?
I read up this post on Web API SSL: http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api but I don't know where I should place the [RequireHttps] attribute since the /Token endpoint is not really a controller action.
Yes, you should make the Token endpoint secure.
In the Startup.Auth.cs file, under OAuthAuthorizationServerOptions, you can specify whether the Token endpoint requires SSL or not.
```csharp
OAuthOptions = new OAuthAuthorizationServerOptions
{
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId),
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
    // false: token requests must arrive over HTTPS; set to true only for local development
    AllowInsecureHttp = false
};
```
The AllowInsecureHttp setting controls whether the URL must use SSL or not.
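To show where the setting lives in the template and how the question's `[RequireHttps]` concern fits in, here is an added example of a complete `ConfigureAuth` in Startup.Auth.cs. It is not the answerer's code or the ASP.NET template's verbatim code. It assumes the template's `ApplicationOAuthProvider` class exists and that the namespace `MyApi` is the project's own; both are assumptions. Because `[RequireHttps]` is a Web API filter and only runs for controller actions, the example adds a small OWIN middleware in front of the OAuth server middleware so that a plain-HTTP request to /Token (or anything else) is refused before it reaches the OAuth handler, with `AllowInsecureHttp = false` kept as a second layer.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(MyApi.Startup))]

namespace MyApi // assumed project namespace
{
    public partial class Startup
    {
        public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
        public static string PublicClientId { get; private set; }

        public void ConfigureAuth(IAppBuilder app)
        {
            // Defence in depth: refuse any non-HTTPS request before it reaches the
            // token endpoint or any controller. [RequireHttps] cannot do this for
            // /Token because that path is served by Katana middleware, not by an action.
            app.Use(async (IOwinContext context, Func<Task> next) =>
            {
                if (!string.Equals(context.Request.Scheme, "https", StringComparison.OrdinalIgnoreCase))
                {
                    context.Response.StatusCode = 403;
                    context.Response.ReasonPhrase = "HTTPS required";
                    await context.Response.WriteAsync("This endpoint is only available over HTTPS.");
                    return; // do not call next(); the credentials never reach the OAuth handler
                }
                await next();
            });

            PublicClientId = "self";
            OAuthOptions = new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/Token"),
                Provider = new ApplicationOAuthProvider(PublicClientId), // template's provider, assumed present
                AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
                // Keep this false in every deployed environment: with it false the
                // OAuth server middleware will not service token requests over http.
                AllowInsecureHttp = false
            };

            // Registers both the authorization server (/Token) and bearer-token validation.
            app.UseOAuthBearerTokens(OAuthOptions);
        }
    }
}
```

The middleware must be registered before `UseOAuthBearerTokens` so that it runs first in the pipeline. A quick check after deploying is to POST the grant_type/username/password form to `http://myURL/Token` and confirm that you get the 403 (and no token) while the same request over `https://` succeeds.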