This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 38%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENC%3C/text%3E%3C/svg%3E)
Good Morning,
I am trying to architect a Web API solution that involves potentially, a user facing web interface that offers functionality to non-registered users, as well as registered users. This would define two scopes within the application; the API endpoints that are accessible to both non-registered and registered users, and the API endpoints that are only accessible to registered users.
My initial thinking was that I would build a separate Authorization solution, which would obviously have its own endpoints, but that would allow for Client Credential Authentication (and implied Authorization for non-registered users) and Auth Code (for registered users).
A distinct Authorization solution would allow the authentication to be combined with the client (application) id, so that I could know within the particular application what the user or public was authorized to do, i.e. which end points of the API they could access.
I'm concerned about the Client Credential piece and want to make sure I'm not exposing the architecture to a man-in-the-middle exploit. I think that because I'm using C# and server-side coding I might be able to avoid this, but I'm not sure.
I'm hoping that someone might have either a resource that I can look at or other ideas on a best practice approach to this. It is possible that I may need to incorporate and second Auth server that is corporate, but that is yet to be determined.
I would greatly appreciate any thoughts, ideas, direction that you might have to offer.
Thank you,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 85%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJX%3C/text%3E%3C/svg%3E)
Hi @Nicholas Coppola , Welcome to Microsoft Q&A,
Do you want to create a Asp.net web project?
Hi Jiale,
Yes, I've created both wcf and web API applications using C# and ASP.NET. I have a new API requirement. This API would be accessed by more than one client application (web user interface). Each interface would have its own Authorization and one would be an Auth server that we manage.
We may not need two scopes because what matters is that a) the client app recognizes the logged-in person, and b) the API (Resource) recognizes the client application.
Duplicate comment
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 36%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELH%3C/text%3E%3C/svg%3E)
From my understanding, maybe you can set an authentication filter and then authorize. In Web API, authentication filters handle authentication, but not authorization.
Authentication Filters in ASP.NET Web API 2
You can use the [Authorize] attribute to restrict access for specific actions. You can also restrict access to specific users or users with specific roles.
Web API provides a built-in authorization filter, AuthorizeAttribute. This filter checks whether the user is authenticated. If not, it returns HTTP status code 401 (Unauthorized), without invoking the action.