Reputation: 39102
Mobile app Web API authentication
I'm building a mobile application (that might also later become a web application). The server side is a ASP.NET MVC + Web API application and I'm thinking about ways how I could implement the service's user management and authentication.
How should I implement the registration/login screen in the app? Offer native app forms, that will send just API requests to the service or is it preferable to show a web browser component and display the website's login page and then extract a token after the user logs in? I see the first option is more user friendly, but the second one will let me change the login / registration page (like for example adding external authentication providers) without breaking older versions of the app.
My second question is regarding the external authentication providers. ASP.NET Identity has good support for them and it is quite possible to let users register using Facebook or some other OAuth2 provider. Does it make sense to add support for external authentication providers when I plan to expose the app's API publicly? Are there any reasons why that is not a good idea?
Upvotes: 3
Views: 3365
Answers (1)
Reputation: 995
Your first option is best if you believe your users will trust you to manage their passwords. You make a secure call to your service, have the service produce a bearer token as the result. That would be an anonymous call. I used the answer from this question to get me going down that path:
Get IPrincipal from OAuth Bearer Token in OWIN
If your users are less likely to trust you with their credentials, then the web view and external provider is a good alternative. You would need to work with providers that support the "Implicit Grant Flow" since don't want to share the apps clientid and client secret on the mobile device. This approach involves using a web view to login in, and then capturing the token on the client uri fragment on the response. I think it is on a location header, but don't have a working example in front of me. Something like: https://your.domain.com/#access_token = 8473987927394723943294
you would pass that token with each api call afterwards .
Good luck!
Upvotes: 3
Related Questions
- Authentication between Web App, Web API and Mobile App
- Securing ASP .Net Web API for usage with mobile application
- Authenticated REST API for a mobile app and website on ASP.NET Core
- How to use ASP.net 5 Identity in web API application? User authentication based on tokens. Mobile apps
- Azure Mobile Services and Web API authentication
- ASP.NET Identity and mobile clients
- Aspnet Web API Authentication on mobile clients
- ASP.NET Web API Authentication (Web + Mobile)
- OAuth on REST API for mobile app
- Authentication and authorization using REST and ASP.NET Web Api from cross-platform mobile applications