Giammarco
Hi all,
I'm developing an ASP.NET website and thinking about releasing the API
through webservices in a couple of months (like flickr.com let's say).
Most of the website functionality is restricted to authenticated users.
Users are classified in different roles, and different roles can take
different actions.
E.g. Guest can call a function to delete one of his articles, but
cannot call a function that can delete any article (which can be called
by an Administrator).
I would like to ask how you would handle user authentication and roles,
considering that I have to release the API?
The following is an example of the parameters I need to pass to a
"DeleteArticle" function called from an ASP.NET page that is accessible
only to authenticated users.
public bool DeleteArticle(int articleID, int userID)
{
    // delete article
    return true; // report success
}
The same function called from the API could look like this if
authentication and roles are not planned with the webservices in mind.
public bool DeleteArticle(int articleID, int userID, string userPassword)
{
    // check username and password and authenticate
    // check if user can delete article
    // delete article
    return true; // report success
}
Thanks in advance,
Giammarco
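
The rule described in the post (a Guest may delete only his own articles, an Administrator may delete any), as an added example that is not part of the original post. It assumes the page and the web service both hand the method an already-authenticated IPrincipal instead of a userID or password argument; ArticleService, the in-memory store and the user names are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public class ArticleService
{
    // Constructed sample data: article ID -> owner's user name.
    private readonly Dictionary<int, string> _owners = new Dictionary<int, string>
    {
        { 1, "giulia" },
        { 2, "marco" }
    };

    // The caller's identity comes from the authentication layer (forms login
    // for pages, the service's own login step for the API), never from a
    // client-supplied userID parameter that could name someone else.
    public bool DeleteArticle(int articleID, IPrincipal caller)
    {
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated)
            return false; // unauthenticated callers are refused

        string owner;
        if (!_owners.TryGetValue(articleID, out owner))
            return false; // no such article

        bool isOwner = string.Equals(owner, caller.Identity.Name,
                                     StringComparison.OrdinalIgnoreCase);
        bool isAdmin = caller.IsInRole("Administrator");
        if (!isOwner && !isAdmin)
            return false; // a Guest may not delete another user's article

        return _owners.Remove(articleID);
    }
}

public static class Demo
{
    public static void Main()
    {
        var svc = new ArticleService();
        var guest = new GenericPrincipal(new GenericIdentity("giulia"), new[] { "Guest" });
        var admin = new GenericPrincipal(new GenericIdentity("root"), new[] { "Administrator" });

        Console.WriteLine(svc.DeleteArticle(2, guest)); // guest, someone else's article
        Console.WriteLine(svc.DeleteArticle(1, guest)); // guest, own article
        Console.WriteLine(svc.DeleteArticle(2, admin)); // administrator, any article
    }
}
```

Because the ownership and role check lives inside the method, the same code path serves the ASP.NET page and the public API, and neither can skip it.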