Nate

Reputation: 30636

OpenID + OAuth for Webapp and Desktop/Mobile application Authentication and Authorization

I'd like to use OpenID to authenticate users on my webapp -- similar to how StackExchange does it. I'd also like to enable users of my website to use my Desktop and Mobile Apps using the same account. I've read this requires OAuth (OpenID is purely website only).

What I don't know is

In an ideal world, I would be able to have buttons similar to those on https://stackoverflow.com/users/login for both my WebApp and also in my Desktop and Mobile Apps which would simply allow users to log in with their Google or Facebook account. Is that possible? Simplicity for users is paramount, because my userbase will not take well to anything remotely complex.

Can I use something like DotNetOpenAuth to provide all of this functionality?

Would a better solution be to break this up and allow users to authenticate to my site with OpenID and then I provide my own OAuth scheme for my desktop and mobile clients?

Upvotes: 5

Views: 981

Answers (3)

Nate

Reputation: 30636

This is the workflow that I came up with, and so far I think it's working well.

The user is required to authenticate to the website via third party OpenID/Facebook/etc (mobile friendly website is available). Then, in their "profile" they can generate an API "key" which they can copy/paste into their client software. It isn't 100% transparent to the user, but it's pretty good.

Upvotes: 0
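The server side of the API-key workflow described in the answer above, as an added example (not the answerer's code): the key is generated from a CSPRNG, shown to the user once, stored only as a digest, and can be revoked from the profile. The `ApiKeyStore` class, the `app_` prefix and the in-memory dictionary are assumptions standing in for the site's own storage.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "app_"  # hypothetical prefix; makes leaked keys easy to search for


class ApiKeyStore:
    """In-memory stand-in (assumption) for the website's API key table."""

    def __init__(self):
        self._rows = {}  # key_id -> (user_id, SHA-256 digest of the secret)

    @staticmethod
    def _digest(secret):
        # The secret is 256 random bits, so a fast hash is enough here;
        # a slow password hash is only needed for low-entropy inputs.
        return hashlib.sha256(secret.encode("utf-8", "replace")).digest()

    def issue(self, user_id):
        """Call from the profile page, after the third-party login succeeded.
        Returns the full key once; only its digest is stored."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._rows[key_id] = (user_id, self._digest(secret))
        return f"{KEY_PREFIX}{key_id}.{secret}"

    def verify(self, presented):
        """Return the owning user_id, or None if the key is unknown or revoked."""
        presented = presented.strip()  # keys are pasted by hand
        if not presented.startswith(KEY_PREFIX) or "." not in presented:
            return None
        key_id, secret = presented[len(KEY_PREFIX):].split(".", 1)
        row = self._rows.get(key_id)
        if row is None:
            return None
        user_id, stored = row
        # Constant-time comparison of the digests.
        if hmac.compare_digest(stored, self._digest(secret)):
            return user_id
        return None

    def revoke(self, key_id):
        """Delete a key from the profile page; True if it existed."""
        return self._rows.pop(key_id, None) is not None
```

The client sends the pasted key over HTTPS on every request; because each key has its own `key_id`, a user can revoke the key for one lost device without affecting the others.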

Glenn Ferrie

Reputation: 10380

What you should be looking into is Windows Identity Framework (WIF); it will work similarly for Web or Desktop applications using Claims-Based Identity. You would store an authorization token for each user (along with any other information you need) and you would get it in the Authorization Header of an authenticated HTTP Request. OAuth is the protocol for passing authorization requests and responses. WIF is a .NET toolkit to simplify this interaction.

For more info, check out the WIF home page and the following blog (not mine):

http://msdn.microsoft.com/en-us/security/aa570351

http://blogs.msdn.com/b/vbertocci/

Upvotes: 0

Yuliy

Reputation: 17718

Probably the simplest mechanism is to embed a web view, and simply watch for navigation to a specific callback page and grab the authentication data that way. You should still be able to use OpenID for this.

Upvotes: 1
