Authentication with REST web service in Orchard

Topics: Customizing Orchard, Writing modules
Aug 20, 2013 at 8:56 PM
I'm trying to create RESTful web services (returning JSON) in Orchard modules. I'd like to integrate with the built-in Orchard authentication service when doing this, as these will be called by external third parties, not by JavaScript within the Orchard site. I've been searching for existing discussions of how to do this and found this:
but it seems to have changed from a discussion of authentication to a discussion of the integration of the WebAPI into Orchard. I also can't tell if any of that applies to the current version of Orchard. Has anybody done anything like this with the current version of Orchard?
Aug 21, 2013 at 12:17 AM
Ah, what an interesting discussion you linked! :-)

A good read on HMAC for Web API if you'd like to go that route. However, the easiest solution is to use SSL and HTTP basic authentication.
Aug 21, 2013 at 6:08 PM
Thank you for the suggestions, but I'm wondering more about how to integrate the Orchard authentication that is used for the website, so an anti-forgery token could be returned which was generated by Orchard and then subsequent calls to the web services would use that token and embed it in the request, as described in this post:
Aug 21, 2013 at 7:00 PM
Hmm, I'm not sure about using an antiforgery token with a WebAPI endpoint. Granted, if you use the API from the client side (browser) it would be open to CSRF attacks... But since the token uses cookies it won't work if the API is used by another application (and trying to prevent CSRF would be unneeded then anyway).

I'm not fully sure how authenticated users are handled on the server side, but keeping a "user session" alive in a RESTful service would go against its stateless nature too. That's why I advised using basic authentication, where you pass in the user/pass with every request; this can be integrated with Orchard's user management too, or you could issue application keys and "secrets" (as with e.g. Facebook applications) for clients.
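
The per-request Basic authentication approach suggested in the post above, sketched as an added example that is not part of the original thread or of Orchard's code. `BasicAuth`, `Authenticate` and the `validate` callback are hypothetical names; the callback stands in for whatever check the module runs against Orchard's user store.

```csharp
using System;
using System.Text;

public static class BasicAuth
{
    // Returns the authenticated user name, or null when the caller should get a 401.
    // 'validate' is a hypothetical callback wrapping the site's own credential check.
    public static string Authenticate(string authorizationHeader, bool isHttps,
                                      Func<string, string, bool> validate)
    {
        // Basic credentials are only base64-encoded, so refuse them outside TLS.
        if (!isHttps || string.IsNullOrEmpty(authorizationHeader)) return null;

        const string scheme = "Basic ";
        if (!authorizationHeader.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return null;

        string decoded;
        try
        {
            var raw = Convert.FromBase64String(authorizationHeader.Substring(scheme.Length).Trim());
            decoded = Encoding.UTF8.GetString(raw);
        }
        catch (FormatException)
        {
            return null; // malformed base64 is treated as missing credentials
        }

        // Split on the first colon only: the password itself may contain ':'.
        int sep = decoded.IndexOf(':');
        if (sep <= 0) return null;
        string user = decoded.Substring(0, sep);
        string password = decoded.Substring(sep + 1);

        // No session or cookie is created: every request is checked again.
        return validate(user, password) ? user : null;
    }

    public static void Main()
    {
        // Constructed sample credentials, not taken from the thread.
        string header = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("alice:s3cr:et"));
        Func<string, string, bool> store = (u, p) => u == "alice" && p == "s3cr:et";

        Console.WriteLine(Authenticate(header, true, store) ?? "401");       // valid over HTTPS
        Console.WriteLine(Authenticate(header, false, store) ?? "401");      // same header, no TLS
        Console.WriteLine(Authenticate("Basic !!!", true, store) ?? "401");  // malformed header
    }
}
```

Because nothing is stored between calls, the service stays stateless and no cookie-based antiforgery token is involved.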
Aug 21, 2013 at 9:15 PM
Edited Aug 21, 2013 at 9:16 PM
All this will be dependent on using .NET 4.5 for Orchard: all the WebAPI improvements are in 4.5, including authentication...