
Consider the following (common) scenario. I will first try to specify how I understand a (nice) Web API should look, using OAuth. Please do correct me if I got any of the flows wrong.

My API: the center of attention, all clients use this.

My Web App: Uses the API just like any other client would.

My Mobile App: Also uses the API, the same exact way as the web app. Users should be able to authenticate without opening a browser.

3rd party Web App: Also uses the API - however, the user/resource owner must grant permission for the app to do something. They do this by redirecting to my site (or opening a popup to it), logging the user in if necessary, and prompting the user for access.

3rd party Mobile App: Same requirements as the 3rd party web app.


The Question(s)

  • Should the API handle authentication and authorization?
  • How does the API know who (the resource owner that is using the client application), is using the API?
  • When a user is using my official clients, they should obviously not have to grant any permissions - my clients should have all permissions. How would I distinguish between my official clients, and 3rd party clients when calling the API?

Here is what I understand, and would do so far. This is where I really need help - getting this done right.

Official Web app

- Client attempts to `GET /api/tasks/`.
- API says "who are you?" (HTTP 401)
- Official web app redirects to login form.
- Bob enters his credentials.
- .. now what? Get an authentication token? Cookie?
  • Since the web app is just a consumer of my API, how would I manage the logged-in state? Should the web app do that?
  • Should the web app have direct access to the users database instead of verifying credentials against the API?

I am using .NET (C#) primarily, but I'd love an approach that is applicable to, say, Node JS based APIs as well.

How would you go about this? Especially the client flows are a problem for me. The reason I ask is that I have read that you should not roll your own security solution unless absolutely necessary, so if there are any standard-ish guidelines for this, do let me know. :)

  • Did you find a solution to your problem because I am searching high and low for one and nothing so far. Commented Dec 12, 2013 at 11:03
  • oauthbible.com might help? Commented Jan 14, 2014 at 18:26

2 Answers


Take a look at the new Web API 2 OAuth stuff.

Basically fire up a new web API project and ensure you select to change the authentication.

Then, it's a simple case of calling the register controller. This then creates a token for you which can then be sent in the header of each request for that user.

Check out the API calls using fiddler and create some mock up accounts.



It's been a while, but I thought I would document what I ended up doing.

I use DotNetOpenAuth. I have a database with clients, and they have a Trusted field - if this is set, it lets the client use the password grant, which automatically grants all scopes that have been predefined for that client.

The 1st-party web app uses plain cookie auth - exposing the client credentials in JS would be too risky.

