An MVC application accesses the WEB API services.
To access the WEB API, a token is mandatory.
In the WEB API application there is a button that generates the token.
How can I make the WEB API accept only the token generated through the MVC application, without using a database?
I made the MVC generate the token (a GUID + date) and pass this token to the WEB API, which validates whether the date is within a 30s period. If it is within the period, I consider the token valid.
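    // Decode the token and read the creation time from its first 8 bytes
    byte[] data = Convert.FromBase64String(token);
    DateTime when = DateTime.FromBinary(BitConverter.ToInt64(data, 0));
    // Reject tokens older than 30 seconds
    if (when < DateTime.UtcNow.AddSeconds(-30))
    {
        return false;
    }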
This works; however, any GUID that is entered concatenated with a date will be valid. I need my WEB API to know exactly which token the MVC application generated.
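
One way to bind the token to its issuer without a database, as an added example that is not part of the original post: the MVC application appends an HMAC-SHA256 over the date and GUID, and the WEB API recomputes it before checking the 30 s window. The class and method names and the shared secret key (assumed to be configured in both applications) are assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Added example. SignedToken, Create, Validate and the shared key are assumptions.
public static class SignedToken
{
    private const int PayloadLength = 8 + 16; // Int64 timestamp + GUID
    private const int MacLength = 32;         // HMAC-SHA256 output size

    // MVC side: timestamp + GUID, followed by an HMAC over both.
    public static string Create(byte[] key)
    {
        byte[] token = new byte[PayloadLength + MacLength];
        BitConverter.GetBytes(DateTime.UtcNow.ToBinary()).CopyTo(token, 0);
        Guid.NewGuid().ToByteArray().CopyTo(token, 8);
        using (var hmac = new HMACSHA256(key))
            hmac.ComputeHash(token, 0, PayloadLength).CopyTo(token, PayloadLength);
        return Convert.ToBase64String(token);
    }

    // Web API side: verify the MAC before trusting the timestamp.
    public static bool Validate(string token, byte[] key)
    {
        if (token == null) return false;
        byte[] data;
        try { data = Convert.FromBase64String(token); }
        catch (FormatException) { return false; }
        if (data.Length != PayloadLength + MacLength) return false;
        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(data, 0, PayloadLength);
        int diff = 0; // compare every byte so timing does not reveal where a mismatch is
        for (int i = 0; i < MacLength; i++)
            diff |= expected[i] ^ data[PayloadLength + i];
        if (diff != 0) return false;
        DateTime when = DateTime.FromBinary(BitConverter.ToInt64(data, 0));
        return when >= DateTime.UtcNow.AddSeconds(-30); // same 30 s window as the post
    }

    public static void Main()
    {
        byte[] key = new byte[32]; // constructed demo key; in practice a secret set in both apps
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        Console.WriteLine(Validate(Create(key), key)); // token issued with the key
        byte[] guessed = new byte[PayloadLength + MacLength]; // current date, no valid MAC
        BitConverter.GetBytes(DateTime.UtcNow.ToBinary()).CopyTo(guessed, 0);
        Console.WriteLine(Validate(Convert.ToBase64String(guessed), key));
    }
}
```

With no server-side storage, a token captured in transit is still accepted until its 30 seconds run out, so it should only travel over TLS.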