Authorization method for REST API utilising Active Directory

Issue

What is the best method of securing a REST Web API with the following requirements. The system has an Angular JS frontend with the REST APIs implemented in ASP.net.

• There are two "roles" in the system, users will have one of the roles. One role should allows access to some APIs (call it "VIEW"), the other role allows access to other APIs
• All users are in Active Directory, so if I have a username, I can check what role they are in- Some clients are on Windows boxes, the others are on Linux
• I would like to persist the session so I don't have to look up AD for every API call
• I would like single sign on. On the Windows machines, I don't require them to enter user and pass as I already can retrieve their username using Windows Authentication.

I believe that Oauth would be my best option.

Solution

There are two "roles" in the system, users will have one of the roles. One role should allows access to some APIs (call it "VIEW"), the other role allows access to other APIs

• For role based authentication, you can use [Authorize("Role" = "Manager")]. The token will be provided by the identity server and will contain the claim as Role.

All users are in Active Directory, so if I have a username, I can check what role they are in- Some clients are on Windows boxes, the others are on Linux

• If you have ADFS then you can have an Identity server that trusts the ADFS. The ADFS will provide a token which will have the claim for role and your Identity Server will do the claims transformation and will return the same Role claim back to angular app.

I would like to persist the session so I don't have to look up AD for every API call

• For this while requesting the token, you can ask for offline scope so the Identity server will provide the Refresh Token with Access Token so you don't need to ask for AD again and again.

I would like single sign on. On the Windows machines, I don't require them to enter user and pass as I already can retrieve their username using Windows Authentication.

• For this one, you can have your Identity sever trust the WSFederation for windows Authentication.

So basically you need to setup Identity server that will provide you with the token and the REST API will use that token to verify claims to return the correct information back to the user.

Answered By - Mitra Ghorpade