I would like to protect an ASP.NET Web API service with a token. Now, I know you would normally implement an STS server, but I don't want to do that, so what are my other options?
I was thinking about leaving one controller unprotected, which clients can call with a username and password and which would return a token. This token would then be used AND NEEDED to call the other controllers on the service, which would be protected.
So this brings up some questions about using a DelegatingHandler vs. an AuthorizeAttribute. The above option would have to be an AuthorizeAttribute, because I need to leave a controller unprotected for clients to call in and authenticate. I don't see how I would use a DelegatingHandler, which would technically protect the complete service rather than leaving one controller unprotected.
The other option I see is providing another service to allow clients to authenticate and get a token, and then I could lock down my second service using a DelegatingHandler.
Let's imagine that I went down the STS route: I would still need to provide some way for a client to contact an "OPEN" service / controller, which in turn would call the STS to obtain the token.
So considering this, is another service my best option?
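
The single-service layout described in the post above (one open controller that issues a token, every other controller requiring it), as an added example that is not part of the original post. It assumes ASP.NET Web API 2; `Tokens`, `TokenAuthorizeAttribute`, `Credentials`, `TokenController`, `OrdersController` and the `Verify` hook are hypothetical names, and the HMAC-signed token format is constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http;
using System.Web.Http.Controllers;
public static class Tokens // hypothetical helper, not a framework type
{
    // Assumption: per-process random key, so tokens stop validating after a restart.
    static readonly byte[] Key = NewKey();
    static byte[] NewKey() { var k = new byte[32]; using (var r = RandomNumberGenerator.Create()) r.GetBytes(k); return k; }
    static string Mac(string s) { using (var h = new HMACSHA256(Key)) return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(s))); }
    public static string Issue(string user, TimeSpan life)
    {
        // Token layout (constructed): base64(user) "." expiry ticks "." base64(HMAC of the first two parts)
        var body = Convert.ToBase64String(Encoding.UTF8.GetBytes(user)) + "." + DateTime.UtcNow.Add(life).Ticks;
        return body + "." + Mac(body);
    }
    public static bool IsValid(string token)
    {
        var p = (token ?? "").Split('.');
        long ticks;
        if (p.Length != 3 || !long.TryParse(p[1], out ticks)) return false;
        string want = Mac(p[0] + "." + p[1]), got = p[2];
        int diff = want.Length ^ got.Length;               // constant-time comparison
        for (int i = 0; i < want.Length && i < got.Length; i++) diff |= want[i] ^ got[i];
        return diff == 0 && ticks > DateTime.UtcNow.Ticks; // reject tampered or expired tokens
    }
}
public class TokenAuthorizeAttribute : AuthorizeAttribute
{
    // The base class turns a false result into a 401 response.
    protected override bool IsAuthorized(HttpActionContext ctx)
    {
        var auth = ctx.Request.Headers.Authorization;
        return auth != null && auth.Scheme == "Bearer" && Tokens.IsValid(auth.Parameter);
    }
}
public class Credentials { public string UserName { get; set; } public string Password { get; set; } }
[AllowAnonymous] // the one open controller: authorization filters are skipped here
public class TokenController : ApiController
{
    // Hypothetical hook: assign the application's own credential check; denies everyone by default.
    public static Func<string, string, bool> Verify = (u, p) => false;
    public IHttpActionResult Post(Credentials c)
    {
        if (c == null || c.UserName == null || !Verify(c.UserName, c.Password)) return Unauthorized();
        return Ok(Tokens.Issue(c.UserName, TimeSpan.FromMinutes(30)));
    }
}
[TokenAuthorize] // every other controller requires "Authorization: Bearer <token>"
public class OrdersController : ApiController { public IHttpActionResult Get() { return Ok("protected data"); } }
```

Adding the attribute once with `config.Filters.Add(new TokenAuthorizeAttribute())` protects every controller by default while `[AllowAnonymous]` still exempts the token endpoint. The token endpoint receives passwords, so it should only be reachable over HTTPS.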