Best Practice for WebAPI-Authentication in Orchard 1.9

Topics: Core, Customizing Orchard
Mar 9, 2015 at 10:08 AM

We're thinking about porting a pure ASP.NET MVC / WebAPI application to Orchard.
One question on the list is how to correctly implement authentication in Orchard WebAPI controllers - does any best practice exist?
(We're consuming the WebAPI from mobile devices, so forms-based login isn't really an option.)

Thanks for information / any hints!
Mar 9, 2015 at 9:49 PM
There is no official practice developed yet. Built-in RESTful API endpoints will eventually come to Orchard and most possibly they will use something like app IDs and app secrets for authentication.

But if you want your API requests to be authenticated against user accounts (and that way use the standard permission handling and everything), you can go with HTTP basic authorization. Helpful Libraries has services and attributes for this, see:

As usual with HTTP basic auth, keep in mind that since the user/pass is sent in plain text, only use HTTPS. We at Lombiq actually use this for every Web API of ours.

Also see:
Mar 10, 2015 at 2:46 AM
Edited Mar 10, 2015 at 3:26 AM
I will add my 2 cents to what @Piedone has already mentioned...

And I will start by saying that @Piedone's Helpful Libraries was a great intro for me into bringing custom auth into an Orchard module; so thank you, as always, Zoltan!

That being said, my experience with Helpful Libraries was that authentication and authorization are not so cleanly separated, while in fact they are different stages of the request pipeline. Authentication is supposed to figure out who you are, while authorization is all about what you (the authenticated user) can do.

We took a slightly more separated approach in CSM.WebApi, a module we are developing as part of a number of Orchard-based Web API sites in the works (the module is still in development BTW, use at your own risk).

The module defines two attributes that apply to ApiControllers:
If you go the Basic Authentication route, definitely heed the advice of @Piedone: only use it over secure (HTTPS) connections.
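An added example (not code from this thread, from Helpful Libraries or from CSM.WebApi) of the separation both replies describe: a Web API 2 IAuthenticationFilter that only establishes who the caller is from an HTTP Basic header, validated against Orchard user accounts, refuses credentials sent over plain HTTP, and leaves authorization to [Authorize] or Orchard's own permission checks. It assumes Orchard 1.9's two-argument IMembershipService.ValidateUser and that the request's Web API dependency scope can resolve that service.

```csharp
using System; using System.Net; using System.Net.Http; using System.Net.Http.Headers;
using System.Security.Principal; using System.Text; using System.Threading; using System.Threading.Tasks;
using System.Web.Http; using System.Web.Http.Filters; using System.Web.Http.Results;
using Orchard.Security;
// Authentication only (who the caller is); authorization stays with [Authorize] or Orchard's IAuthorizer.
public class BasicAuthenticationAttribute : Attribute, IAuthenticationFilter {
    public bool AllowMultiple { get { return false; } }
    public Task AuthenticateAsync(HttpAuthenticationContext ctx, CancellationToken ct) {
        var request = ctx.Request;
        var header = request.Headers.Authorization;
        // No Basic header: stay anonymous, so [AllowAnonymous] actions keep working.
        if (header == null || !"Basic".Equals(header.Scheme, StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);
        // Basic credentials are only base64-encoded: refuse to even parse them over plain HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps) {
            ctx.ErrorResult = new StatusCodeResult(HttpStatusCode.Forbidden, request);
            return Task.FromResult(0);
        }
        string userName, password; IUser user = null;
        if (TryParseCredentials(header.Parameter, out userName, out password)) {
            // Assumption: the Web API dependency scope Orchard sets up can resolve IMembershipService.
            var membership = (IMembershipService)request.GetDependencyScope().GetService(typeof(IMembershipService));
            user = membership.ValidateUser(userName, password); // null for unknown user, wrong password or unapproved account
        }
        if (user == null)
            ctx.ErrorResult = new UnauthorizedResult(new AuthenticationHeaderValue[0], request);
        else
            ctx.Principal = new GenericPrincipal(new GenericIdentity(user.UserName, "Basic"), new string[0]);
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext ctx, CancellationToken ct) {
        // Adds WWW-Authenticate to any 401 so clients know which scheme is expected.
        ctx.ChallengeWith(new AuthenticationHeaderValue("Basic", "realm=\"Orchard\""));
        return Task.FromResult(0);
    }

    // Decodes "user:pass"; split on the first ':' only, since passwords may contain colons.
    static bool TryParseCredentials(string parameter, out string userName, out string password) {
        userName = password = null;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter ?? "")); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;
        userName = decoded.Substring(0, colon); password = decoded.Substring(colon + 1);
        return true;
    }
}
```

Behind a TLS-terminating proxy RequestUri.Scheme is http, so the HTTPS check would then have to trust the proxy's forwarded-protocol header instead.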