I have been tasked with creating a Web API for our mobile application and future 3rd parties to use in order to access our data, etc.

That alone is simple enough, but then I need to secure it. Initially, after reading about OAuth and doing some research, I decided to go the home grown token based route utilizing best practices found online for security. My prototype worked wonderfully but unfortunately the company wants to use OAuth since it's a recognizable standard and considered marketable to our clients.

Soooo, after banging my head against multiple walls the past few days I am curious if anyone has an implementation using OAuth as a service provider and then an ASP.NET Web API client as consumer.

The workflow envisioned is that the mobile application would hit the API which in turn would expect token(s) issued from our self-hosted OAuth service provider. I've yet to find any comprehensive documentation or examples online about this. So far everything I've seen is very piecemeal and therefore incredibly frustrating trying to implement anything.

  • Did you ever end up finding additional information that helped with this? I'm looking to do something very similar. Web App -> Web API -> Login System Commented Apr 4, 2013 at 16:14
  • Will the user of mobile App use 3rd party Id Provider, such as facebook? Commented Aug 14, 2014 at 5:56
  • I just noticed this, sorry for the super long delay. I ended up creating an OAuth 2 Authorization Server myself. It was not too complicated once everything clicked reading through the OAuth documentation. In our case, we do not allow clients to register themselves with the Authorization Server. We have a known client base and so they are added to the authorization server in advance and provided a unique ID which they can use to request access tokens. I also implemented the concept of "scopes" which helps to control what parts of the API the client is allowed to access. Commented Aug 14, 2014 at 13:14
  • What I described above isn't for our mobile app... For the mobile app the Authorization server accepts login credentials from the mobile app provided by the user. It then authenticates the user and returns an access token which the mobile app then uses for all future requests. Since we're using OAuth 2 and not 1 the handling of encryption is done via SSL. Commented Aug 14, 2014 at 13:21
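The design the asker sketches in the comments (pre-registered clients with a unique ID, a mobile app that exchanges user credentials for an access token, and scopes that gate parts of the API) maps onto two RFC 6749 grants: the resource owner password grant for the mobile app and the client credentials grant for known third-party clients. The following is an added, language-neutral illustration written for this page, not the asker's ASP.NET code or Thinktecture's library; the client ids, secrets, user, scopes and the in-memory token store are all constructed for the example. It shows both the token endpoint and the resource-side check that a Web API would perform on each request.

```python
import hashlib
import hmac
import secrets
import time

# --- Constructed sample data (hypothetical; nothing here comes from the question) ---
def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the authorization server never stores the raw password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_USER_SALT = b"constructed-salt"  # a real server uses a random per-user salt
USERS = {"alice": _hash_password("correct horse battery staple", _USER_SALT)}

# Clients are registered out of band, as the asker describes: each gets an id,
# a secret, and the set of scopes it is allowed to request.
CLIENTS = {
    "mobile-app": {"secret": "mobile-secret", "scopes": {"profile.read", "orders.read"}},
    "partner-x": {"secret": "partner-secret", "scopes": {"orders.read"}},
}

TOKEN_TTL_SECONDS = 3600
# Opaque token -> {"client", "user", "scopes", "expires"}; the API looks tokens up here.
_TOKENS = {}


class OAuthError(Exception):
    """Carries one of the RFC 6749 token-endpoint error codes as its message."""


def _authenticate_client(client_id, client_secret):
    client = CLIENTS.get(client_id)
    # Constant-time comparison so secret checks do not leak timing information.
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise OAuthError("invalid_client")
    return client


def _resolve_scopes(client, requested):
    # Absent scope parameter means "everything this client was registered for";
    # a request outside the registered set is refused outright.
    wanted = set(requested.split()) if requested else set(client["scopes"])
    if not wanted <= client["scopes"]:
        raise OAuthError("invalid_scope")
    return wanted


def token_endpoint(form, now=None):
    """Handle a POST to /token; `form` is the decoded application/x-www-form-urlencoded body."""
    now = time.time() if now is None else now
    client = _authenticate_client(form.get("client_id", ""), form.get("client_secret", ""))
    grant = form.get("grant_type")
    if grant == "password":  # mobile app forwards the user's own credentials
        stored = USERS.get(form.get("username", ""))
        candidate = _hash_password(form.get("password", ""), _USER_SALT)
        if stored is None or not hmac.compare_digest(stored, candidate):
            raise OAuthError("invalid_grant")
        subject = form["username"]
    elif grant == "client_credentials":  # known third party acting for itself
        subject = None
    else:
        raise OAuthError("unsupported_grant_type")
    scopes = _resolve_scopes(client, form.get("scope"))
    token = secrets.token_urlsafe(32)  # opaque, unguessable bearer token
    _TOKENS[token] = {"client": form["client_id"], "user": subject,
                      "scopes": scopes, "expires": now + TOKEN_TTL_SECONDS}
    return {"access_token": token, "token_type": "Bearer",
            "expires_in": TOKEN_TTL_SECONDS, "scope": " ".join(sorted(scopes))}


def authorize_request(authorization_header, required_scope, now=None):
    """What the Web API does per request: returns (HTTP status, subject or reason)."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    record = _TOKENS.get(authorization_header[len("Bearer "):])
    if record is None or record["expires"] <= now:
        return 401, "invalid or expired token"
    if required_scope not in record["scopes"]:
        return 403, "insufficient_scope"
    return 200, record["user"]
```

The token store is server-side here, so the API can revoke a token simply by deleting it; a self-contained signed token (a JWT) trades that for statelessness and needs an expiry check against the signature instead of a lookup. Both grants rely on TLS to protect the credentials and the bearer token in transit, which is the "encryption via SSL" point in the comment above; note that the later OAuth 2.0 Security Best Current Practice discourages the password grant for new deployments in favour of the authorization code flow with PKCE, which the asker's mobile-app design predates.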

1 Answer

Well - there is the OAuth spec of course (since you seem to like to handcraft things ;)) https://www.rfc-editor.org/rfc/rfc6749 and the corresponding threat model - https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-threatmodel-08

Our OAuth2 authZ server / sec library has an implementation as well - I compiled some docs here: https://github.com/thinktecture/Thinktecture.IdentityServer.v2/wiki
