Reputation: 30983
I've got a web API that provides data to users without authentication (the website lets users post data after they've logged in using traditional cookies & sessions). Someone wants to develop an iPhone app that adds things to my database, so I want a user to authenticate on the iPhone, and then the API will allow posting.
So, what should I look into to do this easily? The API as it stands is RESTful, and it'd be nice to keep it that way. Obviously I'm new to this, but there seem to be so many standards that I don't know where to start. If I can code it up in less than an hour, that'd be ideal.
Much appreciated!
Upvotes: 0
Views: 308
Reputation: 867
WebSecurity was introduced in ASP.NET MVC 4. It relies on the SimpleMembershipProvider and uses FormsAuthentication to manage cookies.
WebMatrix.WebData.WebSecurity provides security and authentication features for ASP.NET Web Pages applications, including the ability to create user accounts, log users in and out, reset or change passwords, and perform related tasks.
You must create or initialize a WebSecurity database before you can use the WebSecurity object in your code.
In the root of your web, create (or edit) a page named _AppStart.cshtml.
_AppStart.cshtml
@{
    // Arguments: connection string name, user table, user id column,
    // user name column, and whether to create the tables if they do not exist.
    WebSecurity.InitializeDatabaseConnection("Users", "UserProfile", "UserId", "Email", true);
}
You can authenticate a request with the following code:
WebSecurity.Login(LoginName, Password, true)
Once authentication succeeds, WebSecurity.IsAuthenticated is true and you can get the user's identity.
You can also use SimpleRoleProvider to manage roles in your application.
Upvotes: 0
Reputation: 296
A decent way to implement this would be to provide the app creator with a token as well as an app id, and have them use that token as salt for an agreed upon encryption method to send username and password (plus app id) to a new API call for a new session.
Upon receiving the request for a new session, you would look up their token based on the appid provided, and try and decrypt the user/pass using the token.
If the user/pass are accepted, then you create a new session and return the session id to them, which they can send along with any new requests.
This prevents the app from having to send authentication for every request, and allows you to expire sessions at a given time.
Upvotes: 1
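The session flow this answer describes (an app id plus a per-app token, a one-time "new session" call that checks the credentials, and a session id that later requests carry and that expires), written out as an added example that is not part of the original answer. It assumes TLS on the wire and swaps the "token as salt for an encryption method" step for an HMAC-SHA256 request signature keyed with the app token: that still proves the call came from a registered app without hand-rolling a cipher, and the password itself is protected by TLS. The app id, app token, user name, and password below are constructed values; the store and functions are hypothetical, standard-library-only stand-ins for a real database and web framework.

```python
import hashlib
import hmac
import secrets
import time

# Constructed app registry: app_id -> app token handed to the app developer.
APP_TOKENS = {
    "iphone-app-1": b"example-app-token-constructed-for-this-demo",
}

# In-memory stand-ins for the user table, the session table, and a replay cache.
USERS = {}         # username -> (salt, pbkdf2 digest)
SESSIONS = {}      # session_id -> (username, expiry as epoch seconds)
SEEN_NONCES = set()

SESSION_LIFETIME = 3600   # seconds a session id stays valid
MAX_CLOCK_SKEW = 300      # seconds a signed request may differ from server time
PBKDF2_ROUNDS = 100_000


def register_user(username, password):
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def _verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    salt, expected = record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, expected)


def _signing_input(app_id, username, timestamp, nonce):
    return f"{app_id}|{username}|{timestamp}|{nonce}".encode()


def sign_request(app_id, username, timestamp, nonce):
    """Client side: HMAC over the request fields, keyed with the app's token."""
    return hmac.new(APP_TOKENS[app_id], _signing_input(app_id, username, timestamp, nonce),
                    hashlib.sha256).hexdigest()


def create_session(app_id, username, password, timestamp, nonce, signature, now=None):
    """Server side of the 'new session' call: returns a session id, or None on any failure."""
    now = time.time() if now is None else now
    token = APP_TOKENS.get(app_id)           # look up the token by the app id provided
    if token is None:
        return None
    if abs(now - timestamp) > MAX_CLOCK_SKEW:  # stale requests are refused before any work
        return None
    expected = hmac.new(token, _signing_input(app_id, username, timestamp, nonce),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None
    if nonce in SEEN_NONCES:                 # a captured request cannot be replayed
        return None
    SEEN_NONCES.add(nonce)
    if not _verify_password(username, password):
        return None
    session_id = secrets.token_urlsafe(32)   # unguessable; this is all later calls carry
    SESSIONS[session_id] = (username, now + SESSION_LIFETIME)
    return session_id


def authenticate_request(session_id, now=None):
    """For every later API call: return the user name if the session is still live."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(session_id)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        del SESSIONS[session_id]             # expired: remove so it cannot be reused
        return None
    return username


if __name__ == "__main__":
    register_user("alice", "correct horse battery staple")
    ts, nonce = int(time.time()), secrets.token_hex(8)
    sig = sign_request("iphone-app-1", "alice", ts, nonce)
    sid = create_session("iphone-app-1", "alice", "correct horse battery staple", ts, nonce, sig)
    print("session issued:", sid is not None, "user:", authenticate_request(sid))
```

The timestamp and nonce are what make the app signature safe to reuse as a pattern: without them, a captured "new session" request could be resent verbatim. In a real deployment the nonce cache only needs to hold entries for the clock-skew window, and the session and user tables live in the database the website already uses.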