Web api authentication from ajax cross domain call

    We are exposing some api via web api to third parties. They get data from us using JQuery Call and display in their pages.  The response goes in JSONP. The calls involve cross domain. Web api is hosted in IIS. SSL is enabled

We don't have login page for them. Given this situation how can i authenticate calls for my web api. I need to allow only my known thrid parties and not every body.

Please suggest me a ways of implementing this.
LVL 25
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Well you could try using a cookie which will probably have limited success.

Without a login any real authentication is a joke.  Anything you try will either work negatively by sometimes denying legitimate users access, or will not actually do anything useful.  You absolutely have to authenticate through a login, or forget authentication completely.

You can try looking at other things like IP address, but they can be easily spoofed.

Why would you not want to require a secure login to content that you want to be available to only specific users?  Once they have been logged in you can use persistent cookies and sessions for transparent authentication.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
apeterAuthor Commented:
Thanks for the reply. Is any Token based or OAuth is going to be any useful in this scenario? Please clarify.
käµfm³d 👽Commented:
I don't have experience with OAuth or token-based yet, but we have used basic authentication in some of our Web API services. We created new ActionFilter attribute to tag onto our controllers (see this link), but I also see that there's a way to accomplish this by using a custom module, as demonstrated in the following article:
apeterAuthor Commented:
Thanks for the details.  From the article links, the requests are raised from server side and not from client side call(Ajax).

What we are planning to do is expose features via web api. Our clients can call them directly from their html page and process the results which are in JSONP format.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.