
Web API Authentication best practice


When dealing with authentication and securing your Web API I recommend you follow the guidelines set by Dominick Baier. There might be no better expert on ASP.NET identity management in the world.

You can find his blog at http://leastprivilege.com/ and a great Web API identity package on NuGet, Thinktecture.IdentityModel - http://nuget.org/packages/Thinktecture.IdentityModel. As with most of the good open source libraries, since all the functionality is available to you for free, there is no need to reinvent the wheel.

This is a top-to-bottom identity & access control library for .NET 4.0/WIF and .NET 4.5 (including support for MVC and Web API).

If you want to learn more about securing your Web API, you should also watch this video http://vimeo.com/43603474 - Dominick's talk from NDC Oslo 2012.


Questions like these are very 'open'; it all depends on the requirements of your project. If you want security, you should consider a combination of different security measures.

Take HTTPS combined with multi-factor authentication. An example would be Client Certificate Authentication (the private key stored on a dongle) and Basic Authentication (username/password). This ensures that, even if a malicious person gets hold of the username and password, he won't be able to access the application without the hardware dongle. And the other way around is also true: even if the hardware token gets stolen, it will be useless without knowing the username and password.

These might be some good blog posts to get you started:

And even if this applies to web in general, you should read the OWASP Top 10 for .NET developers before continuing with anything else.
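The two-factor combination described in the answer above, as an added example that is not part of the original answers and not code from Thinktecture.IdentityModel: an ASP.NET Web API `DelegatingHandler` that lets a request through only when it carries both a trusted TLS client certificate (the dongle) and valid Basic credentials (the username/password). The thumbprint list, the in-memory `CredentialStore` and its `alice` account are constructed placeholders standing in for your own certificate registry and user store.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Added example: requires BOTH a trusted client certificate ("something you have")
// AND valid Basic credentials ("something you know") on every request.
public class TwoFactorHandler : DelegatingHandler
{
    // Placeholder: thumbprints of the client certificates you issued. In practice
    // this comes from your certificate registry; pinning to issued thumbprints means
    // an arbitrary certificate from the same CA is not enough.
    private static readonly HashSet<string> TrustedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "PLACEHOLDER-THUMBPRINT-OF-ISSUED-CLIENT-CERT"
        };

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Factor 1: the certificate presented in the TLS handshake. A plain HTTP
        // request has no certificate, so this check also enforces HTTPS.
        X509Certificate2 cert = request.GetClientCertificate();
        if (cert == null || !IsTrusted(cert))
            return Unauthorized(request, "client certificate required");

        // Factor 2: Basic credentials from the Authorization header.
        string user;
        if (!TryGetBasicUser(request.Headers.Authorization, out user))
            return Unauthorized(request, "credentials required");

        // Both factors passed: establish the principal so [Authorize] works as usual.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user, "TwoFactor"), new string[0]);
        return await base.SendAsync(request, cancellationToken);
    }

    private static bool IsTrusted(X509Certificate2 cert)
    {
        // Validate the chain (expiry, revocation, trusted issuer) before pinning.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            if (!chain.Build(cert)) return false;
        }
        return TrustedThumbprints.Contains(cert.Thumbprint);
    }

    private static bool TryGetBasicUser(AuthenticationHeaderValue header, out string user)
    {
        user = null;
        if (header == null || !string.Equals(header.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(header.Parameter))
            return false;

        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Parameter)); }
        catch (FormatException) { return false; }

        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;

        string name = decoded.Substring(0, colon);
        if (!CredentialStore.Validate(name, decoded.Substring(colon + 1))) return false;
        user = name;
        return true;
    }

    private static HttpResponseMessage Unauthorized(HttpRequestMessage request, string reason)
    {
        HttpResponseMessage response = request.CreateResponse(HttpStatusCode.Unauthorized, reason);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
        return response;
    }
}

// Placeholder credential store: one constructed account with a PBKDF2 password hash.
// A real deployment reads salt and hash per user from its own user store.
public static class CredentialStore
{
    private const string DemoUser = "alice";
    private static readonly byte[] Salt = Encoding.UTF8.GetBytes("constructed-salt");
    private static readonly byte[] StoredHash = Derive("PLACEHOLDER-PASSWORD");

    public static bool Validate(string user, string password)
    {
        if (!string.Equals(user, DemoUser, StringComparison.Ordinal)) return false;
        byte[] candidate = Derive(password);
        int diff = 0; // constant-time comparison so timing does not leak hash bytes
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ StoredHash[i];
        return diff == 0;
    }

    private static byte[] Derive(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 10000))
            return kdf.GetBytes(32);
    }
}

// Registration in WebApiConfig.Register(HttpConfiguration config):
//     config.MessageHandlers.Add(new TwoFactorHandler());
```

The handler deliberately checks the certificate before reading the Basic header: a request that fails the first factor is rejected without ever touching the password store, and because the certificate can only arrive over TLS, the username and password are never accepted on a cleartext connection.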