SQL
TerraIncognito, 2018-10-05 09:57:01

Authorization in a WPF application using Web Api. How?

Hello dear programmers! I want to implement the following architecture. A web application "Basic" on .NET Core 2.1, with standard EF authorization and an MS SQL database (implemented). It is necessary to carry out authorization from the WPF application using the data received after registration in the "Main" application. To do this, you need to add Web API methods to the "Main" application with support for the POST method (data received from WPF will be supplemented). There are 2 questions:

1) How to protect the password check method, which will have to be exposed, from brute force, because it can be called not only from WPF but also by any GET request to the server?
2) How to protect the POST method for writing data from the WPF application, because the user's data can be replaced using the same POST request outside the WPF application?

There is a desire to put the authorization attribute on the controller methods, but how to check that the user who came from the WPF application is authorized, and not confuse this with his authorization in the "Main" application (suppose the session is already hanging on the site)? I would be glad to hear all possible methods for implementing this idea.

In search of a solution, I started using the cookie policy in the WPF application, i.e. the WPF application will also go through authorization and establish a session based on cookies, and access to the controller will accordingly be given only to an authorized user. Correct me if I'm walking into a dark forest and not toward the truth.


2 answer(s)
Peter, 2018-10-05
@Morpheus_God

You can indicate in the headers of the WPF application's requests that the authorization comes from it. And on the backend side, check where the request came from.

TerraInkognito, 2018-10-08
@TerraInkognito

Thank you all for your help. The solution is to configure IIS to limit the number of requests. The API method remains freely available, without authentication. The POST method is closed (Non Action) only after a successful GET request with login and password verification.
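
As an added example that is not part of the original posts or of any poster's project: alongside server-level request limits, the password check method can refuse further checks for a key (for instance the login name) after a number of failed attempts. The names `LoginThrottle`, `IsLocked` and `Record`, the limits and the sample account are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
// Added example; LoginThrottle and its members are hypothetical names.
public sealed class LoginThrottle
{
    private sealed class Entry { public int Failures; public DateTimeOffset LockedUntil; }
    private readonly ConcurrentDictionary<string, Entry> _entries =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly int _maxFailures;
    private readonly TimeSpan _lockout;

    public LoginThrottle(int maxFailures, TimeSpan lockout) { _maxFailures = maxFailures; _lockout = lockout; }

    // Call before verifying the password: a locked key is rejected without a check.
    public bool IsLocked(string key, DateTimeOffset now)
    {
        if (!_entries.TryGetValue(key, out var e)) return false;
        lock (e) { return now < e.LockedUntil; }
    }

    // Call after a password check that was actually performed.
    public void Record(string key, bool success, DateTimeOffset now)
    {
        if (success) { _entries.TryRemove(key, out _); return; }
        var e = _entries.GetOrAdd(key, k => new Entry());
        lock (e)
        {
            if (++e.Failures < _maxFailures) return;
            e.Failures = 0;                   // start a fresh count after the lockout
            e.LockedUntil = now + _lockout;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var throttle = new LoginThrottle(maxFailures: 3, lockout: TimeSpan.FromMinutes(5));
        var t0 = new DateTimeOffset(2018, 10, 5, 10, 0, 0, TimeSpan.Zero); // constructed clock
        for (int i = 0; i < 5; i++) // five constructed wrong-password attempts, 1 s apart
        {
            bool locked = throttle.IsLocked("alice", t0.AddSeconds(i));
            if (!locked) throttle.Record("alice", success: false, now: t0.AddSeconds(i));
            Console.WriteLine($"attempt {i + 1}: {(locked ? "rejected, locked" : "checked, failed")}");
        }
    }
}
```

Keying on the login name alone means repeated failures from anyone lock that account for the lockout period; keying on login name plus client address avoids that but limits each address separately.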
