Web API Development Using Client Credential and Auth Code
Good Morning,
I am trying to architect a Web API solution that potentially involves a user-facing web interface that offers functionality to non-registered users as well as registered users. This would define two scopes within the application: the API endpoints that are accessible to both non-registered and registered users, and the API endpoints that are only accessible to registered users.
My initial thinking was that I would build a separate Authorization solution, which would obviously have its own endpoints, but that would allow for Client Credential Authentication (and implied Authorization for non-registered users) and Auth Code (for registered users).
A distinct Authorization solution would allow the authentication to be combined with the client (application) ID, so that I could know within the particular application what the user or the public was authorized to do, i.e., which endpoints of the API they could access.
I'm concerned about the Client Credential piece and want to make sure I'm not exposing the architecture to a man-in-the-middle exploit. I think that because I'm using C# and server-side coding I might be able to avoid this, but I'm not sure.
I'm hoping that someone might have either a resource that I can look at or other ideas on a best-practice approach to this. It is possible that I may need to incorporate a second Auth server that is corporate, but that is yet to be determined.
I would greatly appreciate any thoughts, ideas, direction that you might have to offer.
Thank you,
- Nick
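The two-grant split described in the post, as an added example in Python; this is not code from the original post. It models the authorization server issuing an HS256 access token for either grant and the resource server deciding per endpoint, with the rule that a client-credentials token never carries a user (`sub`) and so can never satisfy a registered-only endpoint. The signing key, the `web-frontend` client registration, the audience URL and the endpoint table are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: in a deployment the signing key stays inside the
# authorization server, and the client secret is held only by the server-side
# application, never shipped to a browser.
SIGNING_KEY = b"example-hs256-key-do-not-use"
AUDIENCE = "https://api.example.test"  # hypothetical API identifier
CLIENTS = {"web-frontend": {"secret": "s3cr3t", "client_scopes": {"public"}}}

# Scope required by each endpoint. "public" is granted to any trusted client
# (client credentials, no user); "registered" needs a logged-in user (auth code).
ENDPOINT_SCOPES = {
    "GET /api/catalog": "public",
    "GET /api/account": "registered",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(claims).base64url(hmac)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def issue_token(grant_type, client_id, client_secret, user_id=None, now=None, ttl=300):
    """Authorization-server side: authenticate the client, then mint a token
    whose scopes depend on whether a user is behind the request."""
    now = now or int(time.time())
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("unknown client or bad secret")
    claims = {"iss": "https://auth.example.test", "aud": AUDIENCE,
              "client_id": client_id, "iat": now, "exp": now + ttl}
    if grant_type == "client_credentials":
        # No user behind this token: only the client's own (public) scopes.
        claims["scope"] = " ".join(sorted(client["client_scopes"]))
    elif grant_type == "authorization_code":
        # The code was already redeemed and identified a user (user_id).
        if user_id is None:
            raise ValueError("authorization_code grant needs an authenticated user")
        claims["sub"] = user_id
        claims["scope"] = " ".join(sorted(client["client_scopes"] | {"registered"}))
    else:
        raise ValueError("unsupported grant_type")
    return sign_jwt(claims)


def verify_token(token, now=None):
    """Resource-server side: check signature, audience and expiry before
    trusting any claim. Returns the claims dict or None."""
    now = now or int(time.time())
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token, endpoint, now=None):
    """Return (allowed, reason) for one request. A token without 'sub' (client
    credentials) is refused on any endpoint that requires a registered user."""
    claims = verify_token(token, now)
    if claims is None:
        return False, "invalid token"
    needed = ENDPOINT_SCOPES.get(endpoint)
    if needed is None:
        return False, "unknown endpoint"
    granted = set(claims.get("scope", "").split())
    if needed not in granted:
        return False, f"missing scope {needed}"
    if needed == "registered" and "sub" not in claims:
        return False, "no user bound to token"
    return True, "ok"


if __name__ == "__main__":
    t_public = issue_token("client_credentials", "web-frontend", "s3cr3t")
    t_user = issue_token("authorization_code", "web-frontend", "s3cr3t", user_id="nick")
    print(authorize(t_public, "GET /api/catalog"))   # (True, 'ok')
    print(authorize(t_public, "GET /api/account"))   # (False, 'missing scope registered')
    print(authorize(t_user, "GET /api/account"))     # (True, 'ok')
```

`verify_token` is the part an ASP.NET API would normally delegate to the JWT bearer middleware; the point of writing it out is that the signature, audience and expiry checks run before any scope is consulted. On the man-in-the-middle concern: this code assumes the token endpoint and the API are reached only over TLS, and that the `client_secret` is presented only from the server-side application. A client-credentials grant whose secret is embedded in JavaScript delivered to the browser is not protected by anything in this file.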