MarcE

Reputation: 3731

How are people handling user authentication for web services?

I'm creating a web service to expose some data via publicly accessible APIs. At a high level, what mechanisms are people using to secure their APIs to ensure that a valid, authenticated user is making the call?

The service will be C#, the consumer could be anything (Facebook or iPhone app as well as a website) so Microsoft only solutions are out.

It's not a new problem so I assume there are some standard practices in place to deal with it but my google-fu is failing me on this one. Can the collective point me to any resources? Thanks.

Upvotes: 8

Views: 6174

Answers (4)

Andrey

Reputation: 21295

You can still use Membership authentication: have a web service method Login(username, password), inside that method validate user:

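[WebMethod]
public bool Login(string username, string password)
{
    // Check the credentials against the configured membership provider.
    bool isValid = Membership.ValidateUser(username, password);
    if (isValid)
    {
        // Issue the forms-authentication cookie; 'true' makes it persistent across browser sessions.
        FormsAuthentication.SetAuthCookie(username, true);
        return true;
    }
    return false;
}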

And that should do it - it will create a cookie that travels with requests and in each method you can check HttpContext.Current.User.IsAuthenticated.

void SomeWebMethodThatRequiresAuthentication(string someparameter)
{
    // IsAuthenticated is a property of User.Identity (IIdentity), not of User itself.
    if (HttpContext.Current.User.Identity.IsAuthenticated)
    {
        // ... do whatever you need - user is logged in ...
    }
    else
    {
        // ... optionally let user know he is not logged in ...
    }
}

I believe it can work with different consumers that support cookies because all it needs to work is for consumer to send the auth cookie along with the request to your web server.

Upvotes: 5

user334596

I see that authentication by token key over SSL is frequently used in SaaS web services - we chose this simple method in our last project over the OAuth and SAML protocols. Maybe this can be useful - sometimes simple solutions make things more scalable and over control.

Upvotes: 3
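
The token-key approach from the answer above, as an added example that is not part of the original answer or the poster's project: the server issues a random token, keeps only its SHA-256 hash, and resolves the token a client presents on each call over SSL/TLS. `ApiTokenStore`, its methods, the in-memory dictionary and the demo values are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Added example: ApiTokenStore and its members are hypothetical names.
public sealed class ApiTokenStore
{
    private sealed class Entry { public string User; public DateTime ExpiresUtc; }
    // Keyed by SHA-256 of the token, so a leaked store does not reveal usable tokens.
    private readonly Dictionary<string, Entry> _byHash = new Dictionary<string, Entry>();
    private readonly object _lock = new object();

    public string Issue(string user, TimeSpan lifetime)
    {
        var raw = new byte[32]; // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        lock (_lock) _byHash[Hash(token)] = new Entry { User = user, ExpiresUtc = DateTime.UtcNow + lifetime };
        return token; // hand to the client once, over TLS only
    }

    // Returns the user for a known, unexpired token; null otherwise.
    public string Validate(string presented)
    {
        if (string.IsNullOrEmpty(presented)) return null;
        string key = Hash(presented); // lookup by hash: no byte-by-byte compare of the secret
        lock (_lock)
        {
            if (!_byHash.TryGetValue(key, out Entry e)) return null;
            if (e.ExpiresUtc <= DateTime.UtcNow) { _byHash.Remove(key); return null; }
            return e.User;
        }
    }

    public void Revoke(string token) { lock (_lock) _byHash.Remove(Hash(token)); }
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    public static void Main() // constructed demo values
    {
        var store = new ApiTokenStore();
        string token = store.Issue("alice", TimeSpan.FromMinutes(30));
        Console.WriteLine(store.Validate(token) ?? "rejected");
        Console.WriteLine(store.Validate(token + "x") ?? "rejected");
    }
}
```

In a service, each API method would call `Validate` on the token taken from a request header and refuse the call when it returns null.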

karoberts

Reputation: 9938

We use WS-Security. It's a published standard so any client (in theory) can use it to send authentication credentials.

Here's another SO question that covers using WS-Security with C#.
How to use WS-Security in C#?

Upvotes: 1

RichardTheKiwi

Reputation: 107796

Try the answers in this similar question:

What is the best way to handle authentication in ASP.NET MVC with a Universe database?

Upvotes: 3
