How to design a web project using .net core which calls a statefull api

Question

Need inputs to design a web application. The scenario is described below.

Would like to develop a web application using .net core the web application will just have the presentation layer meaning the web application will use a third-party API which we would not have any control over.

The third third-party API is stateful API which runs as a web farm behind a load balancer having a sticky session.

The web application we would build would just call the third-party API to get the data The authentication would also be managed by third-party API.

The presentation layer (web application) we will build will just call the third-party API based on user action. It can be so that the user clicks a button and or makes any action that would need a couple of third-party apis to call and then consolidate the response in one view-model and pass it to the browser.

Would like to understand since authentication and session management are done through cookies at the party API layer do we need to do any session management or just sending back the response in our view model will work?

like after authentication we extract the headers from response from API past it to the client though our response in presentation layer and there after for every request we extract the header sent by the browser and pass it to the API call and then extract the header from the response given by thrid party API and pass the header to the response to the client browser.

If we too host the application as a web farm in multiple servers do we need to have a sticky session for our web application too as the third-party API is stateful?

Answer 1

You dont have to worry about session managemnt as authentication and authorization is handled by the third aprty API. You have to just extract the headers from response and add it to next request.

Regards Server farm, you dont have to maintain the sticky sessions.

Answer 2

Would like to understand since authentication and session management are done through cookies at the party API layer do we need to do any session management or just sending back the response in our view model will work?

An architectural design where the authentication and session management are handled by the third-party API through cookies, then the .NET Core web application may not need to manage its own session state. The third-party API is responsible for managing the user's session through the cookies it sets, and your application simply needs to pass those cookies back and forth between the client and the API.

However, when there are any subsequent request in that scenario for each subsequent user request, your .NET Core application includes the authentication-related cookies in the request. The third-party API uses these cookies to identify and authenticate the user.

If we too host the application as a web farm in multiple servers do we need to have a sticky session for our web application too as the third-party API is stateful?

If third-party API manages the user's session through cookies, your application does not need to maintain its own session state. Each request from the client carries the necessary session information in the form of cookies.

Apart from that, As the third-party API is stateful and may use sticky sessions, it's important to align your web farm's behavior with the expectations of the third-party API. So basically you don't need to manage them by yourself.

Let's have a look in practice, how you should handle that kind of scenario within your application code:

Your Demo Application View Model:

public class ApiResponseViewModel
{
    public string Data { get; set; }
    public string ErrorMessage { get; set; }
}

Third Party API Service:

public class ThirdPartyApiService
    {
        private readonly HttpClient _httpClient;
    
        public ThirdPartyApiService(HttpClient httpClient)
        {
            _httpClient = httpClient;
        }
    
        public async Task<ApiResponseViewModel> MakeThirdPartyApiCall(string apiUrl, Dictionary<string, string> authenticationHeaders)
        {
            
            foreach (var header in authenticationHeaders)
            {
                _httpClient.DefaultRequestHeaders.Add(header.Key, header.Value);
            }
            var response = await _httpClient.GetAsync(apiUrl);
    
            var apiResponseViewModel = new ApiResponseViewModel();
    
            if (response.IsSuccessStatusCode)
            {
               
                apiResponseViewModel.Data = await response.Content.ReadAsStringAsync();
            }
            else
            {
              
                apiResponseViewModel.ErrorMessage = "API call failed";
            }
    
            return apiResponseViewModel;
        }

Controller For calling your endpoint:

public class ManageThirdPartyRequestController : Controller
{
    private readonly ThirdPartyApiService _apiService;

    public ManageThirdPartyRequestController(ThirdPartyApiService apiService)
    {
        _apiService = apiService;
    }

    public async Task<IActionResult> CallThirdPartyEndpoint()
    {
      
        var authenticationHeaders = Request.Headers
            .Where(h => h.Key.StartsWith("Your-Auth-Header-"))
            .ToDictionary(h => h.Key, h => h.Value.ToString());
        var apiResponse = await _apiService.MakeThirdPartyApiCall("https://third-party-api.com/data", authenticationHeaders);

        
        var viewModel = new ApiResponseViewModel
        {
            Data = apiResponse.Data,
            ErrorMessage = apiResponse.ErrorMessage
        };

        return View(viewModel);
    }
}

Note: The purpose of above given virtual design is to demonstrate you how we can achieve that in practice. Feel free to modify your ViewModel and the authentication endpoint defination. The sole intention is to assist you how should you proceed. Another important point is that, you should handle above scenario using cookies if you want to perist the user credential in subsequest request. If you encounter any issue further please post new question specific to your problem.