Authentication between mvc and webapi (Separate domains/Applications)

Question

im looking for good ideas/resources/implementations for the following scenario

A MVC website at http://mywebsite.com

A Webapi REST service at http://myapi.com

Answer 1

Although JSONP works also consider using CORS some examples of WebApi implementation here.

Consider following a standard (at least a draft) for your token rather than creating your own. Json Web Token (JWT) seem to be a good approach the specification here includes the format and determines the encryption or signing approach. There are libraries to support this kind of token such as the Thinkteckture Identity Model this article covers some of the usage of that library and the JWT. Google have a good dev guide here.

Disclaimer, only consider the above having read about some of the OAuth and JWT standardization criticisms.

If you did use a HTTP header, I am not sure you need a custom header (@Vipul) the "Authorization :" header is there for this kind of information.

If you are using a custom token, ensure it has an expiration date, consider using a nonce if you want to protect against replay attacks and sign or encrypt using a well known algorithm.

Agree with you that delegating handler is a good place to put token validation. An ActionFilter is called much later than necessary in the stack and the middle ground would be to implement System.Web.Http.AuthorizeAttribute.

Answer 2

token solution sounds good.

Get the authentication token from MVC application, you can send that token with each API request in some custom header. Create an ActionFilterAttribute and in OnActionExecuting you can verify the token and act accordingly.