I'm wanting to share an authentication implementation across a web application, and web API. The web application will be ASP.NET (mostly MVC 4), the API will be mostly ASP.NET WEB API, though I anticipate it will also have a few custom modules or handlers.
I want to:
Share as much authentication implementation between the app and API as possible.
Have the web application behave like forms authentication (attractive log-in page, logout option, redirect to / from login page when a request requires authentication / authorisation).
Have API callers use something closer to standard HTTP (401 - Unauthorized, not 302 - Redirect).
Provide client and server side logout mechanisms that don't require a change of password (so HTTP basic is out, since clients typically cache their credentials).
The way I'm thinking of implementing this is using plain old ASP.NET forms authentication for the web application, and pushing another module into the stack (much like MADAM - Mixed Authentication Disposition ASP.NET Module). This module will look for some HTTP header (implementation specific) which indicates "caller is API".
If the header "caller is API" is set, then the service will respond differently than standard ASP.NET forms authentication, it will:
401 instead of 302 on a request lacking authentication.
Look for username + pass in a custom "Login" HTTP header, and return a FormsAuthentication ticket in a custom "FormsAuth" header.
Look for FormsAuthentication ticket in a custom "FormsAuth" header.
My question(s) are:
Is there a framework for ASP.NET that already covers this scenario?
Are there any glaring holes in this proposed implementation? My primary fear is a security risk that I can't see, but I'm similarly concerned that there may be something about such an implementation that will make it overly restrictive or clumsy to work with.
