
What this book covers

Chapter 1, Setting up a Browser Client, helps you to set up a browser client in order to use Web API services. It also covers the ASP.NET Web API security architecture, and the authentication and authorization used to secure a web API from unauthorized users.

Chapter 2, Enabling SSL for ASP.NET Web API, explains how to use SSL with ASP.NET Web API, including using SSL client certificates. Several common authentication schemes are not secure over plain HTTP, in particular Basic authentication and forms authentication, which send unencrypted credentials. In order to be secure, these authentication schemes must use SSL. In addition to this, SSL client certificates can be used to authenticate clients.

Chapter 3, Integrating ASP.NET Identity System with ASP.NET Web API, explains how to integrate the ASP.NET Identity system with ASP.NET Web API. The ASP.NET Identity system is designed to replace the previous ASP.NET Membership and Simple Membership systems. It includes profile support and OAuth integration. It works with OWIN and is included with ASP.NET templates that are shipped with Visual Studio 2013 and later versions.

Chapter 4, Securing a web API using OAuth2, shows you how to secure a web API using OAuth2 to authenticate against a membership database using the OWIN middleware. You will be able to use local logins to send authenticated requests using OAuth2.

Chapter 5, Enabling Basic Authentication using Authentication Filters in Web API, covers how to set an authentication scheme for individual controllers or actions using Authentication filters. This chapter shows an authentication filter that implements the HTTP Basic Access Authentication scheme. It will also cover the advantages and disadvantages of using Basic Authentication.

Chapter 6, Securing a Web API using Forms and Windows Authentication, explains how to secure a web API using Forms Authentication and how users can log in with their Windows credentials using Integrated Windows Authentication. You will also get to learn the advantages and disadvantages of using Forms and Windows Authentication in Web API. Forms authentication uses an HTML form to send the user's credentials to the server. Integrated Windows Authentication enables the users to log in with their Windows credentials, using Kerberos or NTLM. The client sends credentials in the Authorization header. Windows authentication is best suited for an intranet environment.

Chapter 7, Using External Authentication Services with ASP.NET Web API, helps you to understand the need for external authentication services in order to enable OAuth/OpenID and social media authentication. Using external authentication services helps in reducing development time when creating new web applications. Web users typically have several existing accounts for popular web services and social media websites; therefore, when a web application uses the authentication services of an external web service or social media website, it saves the development time that would have been spent creating its own authentication implementation. Using an external authentication service also saves end users from creating another account for the web application and having to remember yet another username and password.

Chapter 8, Preventing Cross-Site Request Forgery (CSRF) Attacks in Web API, helps you to implement anti-CSRF measures in ASP.NET Web API. Using API key-based authentication, or a more sophisticated mechanism such as OAuth, helps in preventing CSRF attacks. ASP.NET MVC uses anti-forgery tokens, which are also called request verification tokens.

Chapter 9, Enabling Cross-Origin Resource Sharing (CORS) in ASP.NET Web API, explains how to enable CORS in your Web API application. Browser security prevents a web page from making AJAX requests to another domain. This restriction is called the same-origin policy and prevents a malicious site from reading sensitive data from another site. However, sometimes you might want to let other sites call your web API.
