ASP.NET Web API has implemented an oAuth2 server. Web API has an end-point /token. Using the end-point with login credentials will give an access token. The access token is used to identify the user at the server.

Role based security is not related to oAuth2. Role based security restricts access to various parts of the API based on the user’s role. For example, there is more API access for admin users.

oAuth2 has a different purpose than role based access. A typical implementation is Facebook Graph API. A Facebook user has access to all of Facebook Graph API. Different third party-apps have authorization to use a subset of the API.

Similarly, the oAuth2 implemented in Web API is used to identify the user. The user has access to all of the Web API. Consumers of the API (other apps) have access to subset of API. The reduction in access privileges is not related to the identity of the user but related to the third party app that is requesting the access.

oAuth2 authorization: A third-party app, consumer of the API, need not have access to the entire API.

Role based authorization: The user may not have access to the entire API based on roles.

oAuth2 is also not related to single sign-on. Single sign-on (SSO) allows one user to access multiple API or application. Many applications use oAuth2 authorization grant from Facebook, Google, etc to provide access to their own application. This makes people believe that oAuth2 is related to single sign-on. But, it is not.

oAuth Server and Role based security in Web API
Tagged on:

Leave a Reply

Your email address will not be published. Required fields are marked *