Using ASP.NET Authentication in Web API

  • Oct 21, 2013 at 2:01 PM
  • Shawn Wildermuth

Web API is a pretty sexy REST stack (though others are cool too). As I’ve been talking about it a lot lately, the biggest question by far is authentication and authorization. There are many options including OAuth, Token-based authentication, basic authentication, and even custom solutions. One option that should be included is to use your existing ASP.NET Forms-Based Authentication.

As a preview to my recently released course on ASP.NET Web API, we’ve released a clip that shows you how to piggy-back on ASP.NET Authentication to protect your Web API interfaces:

While this is useful in some use-cases, you’ll probably need to also support other mechanisms like OAuth, Token Auth and others. I cover many of these in my “Securing Web API” module of the Pluralsight course. The course covers building an API from scratch including coverage of security, versioning, using REST constraints and working with models. If you have a subscription, you might be interested in the whole course:

Let me know what you think!




Tim Chaffee Monday, October 21, 2013

Does the course cover the new Microsoft.Owin.Security.OAuth in Web API v2 from both a client and server perspective? I am looking into supporting OAuth 2 in my API and want to see how it can be done using Microsoft.Owin.Security.OAuth with a custom back end authentication database.


Shawn Wildermuth Monday, October 21, 2013


Unfortunately it doesn't. I cover OAuth from a high-level and do a summary walkthrough of implementing it with the DotNetAuth open source project as I didn't want to just cover v2.


Shyju Thursday, February 13, 2014

Shawn, Is there any pluralsight course which explains how to handle security-authentication of client calls (Angular js) to web api ?


Shawn Wildermuth Thursday, February 13, 2014


My ASP.NET MVC, Web API, AngularJS course covers that:


jmarsch Thursday, March 20, 2014

Hi Shawn:
Thanks for the video -- love pluralsight!

If you happen to be looking for future training opportunities, I would love to see some instruction on really implementing OAuth (see Tim Chaffee's comment). There is plenty of material out there on hooking in to an existing authentication source, like Google or Facebook. But, I've found virtually nothing out there for sourcing our own. For example, We are building a federated set of web api's, and I would like to have our own single-sign on source. I know there are servers out there, like Thinkture's, but I don't know how to get it off the ground.


Emir Saturday, March 22, 2014

Hello Shawn,
I have one technical question. In exercise code on request method OnAuthorization in the custom attribute CountingKsAuthorizeAttribute execute twice. Do you know what is a problem?


Shawn Wildermuth Saturday, March 22, 2014


If it's about the exercise code on Pluralsight, please use the discussion tab there to ask questions.

Leave a Comment