I have designed a RESTful API in .NET Core with two endpoints. Both are HTTP POST methods, and they use HTTPS when deployed in IIS.
- ReceiveToken
- SendData
So my approach is: the client will pass a UserID and Password to the ReceiveToken endpoint via a JSON payload like this:

```json
{
  "vendorUserID": "user123",
  "vendorPassword": "passwd1234"
}
```
I have a database on my server side where the credentials are stored, along with a role for each user. I am validating the user ID and password, and if they are correct then I am issuing a JWT token containing two claims, VendorUserID and role.
This JWT Token is sent to the user.
Now in my second endpoint, the user can pass the business data (payload) along with the JWT bearer token (in the header). I have the [Authorize(Roles = "contributer, admin")] attribute set on my action method with the allowed role names, so that only valid users are allowed to post the business data.
So far the API is working fine.
But I have a doubt about sending the user ID and password via my first endpoint. Is this a good approach? Can anyone see the password, as it is being sent in plain text? What are some stronger ways to secure this?
> Solution:
Once you have a proper HTTPS connection, only the sender and the receiver can see the POST payload. So, you can send it as regular JSON text.
I believe all the OAuth providers like Google, Facebook, etc. do the same, and send the credentials in plain text inside the HTTPS connection.
You may need to force HTTPS on that REST API endpoint with your server configuration, to ensure that some of your clients are not sending plain-text credentials over HTTP without realizing it.
And also ensure that you use a certificate signed by a trusted authority. This ensures that the clients do not establish the HTTPS connection with a fake server posing as your server.
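The "force HTTPS" advice above, as an added example that is not code from the question or the answer: an ASP.NET Core (.NET 6+ minimal hosting) pipeline that rejects plain-HTTP requests outright rather than redirecting them (a redirected API client has already sent the credentials in clear text), and validates the JWT bearer token before the existing role check runs. The issuer, audience and `Jwt:SigningKey` configuration name are assumptions.

```csharp
// Added example, not the original API's code. Assumed: issuer/audience names and a
// "Jwt:SigningKey" configuration entry holding the HMAC secret used to sign the tokens.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.RequireHttpsMetadata = true;   // never fetch keys/metadata over plain HTTP
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "vendor-api",              // assumed issuer name
            ValidateAudience = true,
            ValidAudience = "vendor-clients",        // assumed audience name
            ValidateLifetime = true,                 // reject expired tokens
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:SigningKey"]!)),
            ClockSkew = TimeSpan.FromMinutes(1)
        };
    });
builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();

// An API should refuse plain HTTP, not redirect it: a non-browser client that gets a
// redirect has already transmitted vendorUserID/vendorPassword in clear text. With IIS
// in-process hosting, Request.IsHttps reflects the IIS site binding, so keep the site
// bound to HTTPS only as well.
app.Use(async (context, next) =>
{
    if (!context.Request.IsHttps)
    {
        context.Response.StatusCode = StatusCodes.Status400BadRequest;
        await context.Response.WriteAsync("HTTPS is required.");
        return;            // do not run the rest of the pipeline
    }
    await next();
});

app.UseHsts();             // browsers remember to stay on HTTPS
app.UseAuthentication();   // validates the Bearer token on SendData requests
app.UseAuthorization();    // enforces [Authorize(Roles = "contributer, admin")]
app.MapControllers();
app.Run();
```

The ReceiveToken and SendData controller actions from the question sit behind this pipeline unchanged; only HTTPS requests ever reach them.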