Reputation: 394

Aspnet Web API Authentication on mobile clients

I am implementing an API using ASP.net Web API and I'm trying to find proper alternatives for authentication in my scenario, it is as follows:

The API should be accessible from mobile clients
The mobile client user should not sign in, the client is a native application
The API is authorized with credentials composed by the Device ID and an User ID, obtained within the app with other means, valid credentials stored in a sql database
The client should not store static credentials
The API manages sensible data and should be secure

So I've explored some options and I have found that a basic authentication over SSL would be enough, but some people say it might not be enough, a claims based solution would.

Then I have explored Azure ACS and I see there are some advantages but maybe it's overcomplicated for my scenario? still I should create an identity provider like in basic authentication. Sample flow (second approach): http://msdn.microsoft.com/en-us/library/gg429784.aspx

What do you think?

Thanks

UPDATE:

I have been thinking about using an implementation of DotNetOpenOauth and using the Resource Owner Password Grants so I can just use the device id and user id the first time to get an access token without storing credentials, the server can authorize the caller based on the device calling it, is this correct?

Upvotes: 2

Answers (3)

Johan O

Reputation: 454

In VS 2013 you can use the "Asp MVC SPA Application" template to generate a working implementation that is generating a Oauth2 token bearer on login and authorizing it for WebApi controller calls using [Authorize] attributes. It uses Membership and Entity Framework to store users and hashes locally in a SQL Server. Just delete the asp mvc parts you don't need and keep the Auth part for WebApi. More details here: http://msdnrss.thecoderblogs.com/2013/09/understanding-security-features-in-the-spa-template-for-vs2013-rc/

Upvotes: 2