Hi,

I am working on a distributed application with ASP.NET Web API based REST services hosted on Azure as Cloud Services.

These services are consumed by a variety of client applications (e.g. web applications (SPA), other web services, native applications on mobile devices).

Our REST Web Service (RWS) has a number of actions; some are secured with authorization and others are open, i.e. some are only allowed for authenticated users while others are not. As users are verified with Forms authentication, this system works well so far with SSL in place.

Hopefully the description above sets enough context for me to come to the problem statement now.

Problem Statement: I now need to identify and authorize the client application as well.
i.e. Somehow, in some way, the web services would identify and authorize only known client applications to request any resource or to authorize users.

Assume:
1) The Azure web service has an action URI like "https://www.somedomain/api/somecontroller/someaction"

2) A mobile app "my-mobile-app", published by me, consumes this URI. I want to allow "my-mobile-app" to consume the URI by identifying/authorizing it.
I know "my-mobile-app", I love it. I identify/authorize this client application first and then allow it to attempt the end-user authentication.

3) Another mobile app "blah-mobile-app", published by someone else, somehow knows this URI and attempts to consume it. I DO NOT want to allow it to consume this URI. I want to just close the door in its face. Nada. Zip. I won't entertain this client application making any request for resources.


A quick potential solution which comes to mind is to give a predefined KEY to the client application and then use an HTTP handler to intercept incoming calls and check for the presence of this KEY to identify and authorize the client. But I would really appreciate a better, more manageable approach for this problem, as I may have to extend this solution to all possible clients, and who knows, I may need similar solutions on other web service projects as well.

Let me know if additional information is needed or any section of the question is not clear.
Updated 7-Oct-15 0:48am
Comments
Sinisa Hajnal 7-Oct-15 4:58am    
A more manageable solution would be to make the app name or app code part of the parameters / URL. I wouldn't do it that way, but it is possible :)

Explored OAuth 2.0 and found my solution in there.

For my particular problem, the Client Credentials Grant was the answer; however, I realized that with all the supported options, the Implicit Grant would solve other problems I was having with authenticating users, and thus applications, on mobile devices as well. Thanks for the recommendations.

For anyone looking for an answer here, my recommendation is to have a hard look at OAuth 2.0 or other similar options.
Hi Omni,

There are several ways to solve this problem:

1. What you have in mind is called token based authentication: provide some key to identify the user. A few things you should keep in mind while doing the same:
a. It should not be a static token
b. Do some IP level check
c. Is there any kind of session sharing?

2. Session based check: as you are building a web application, whatever device is going to hit your application will create a session, so you could hold your required information in the session
a. The session resides at the server end, so it will increase load on the server end
b. Session tampering is quite easy, so be CAREFUL

3. OpenAuth based or cookie based: create your authentication service centralized and consume it from all modes of application; once authenticated you will provide some kind of AuthToken, which will be transmitted every time
a. As you are using a cookie, you should use a secure cookie
b. Don't use plain text, use encrypted text

Now the choice is yours; there are many other aspects, and it varies from situation to situation.
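To make the two answers above concrete, here is an added example (not from the original question or either answer) of the message exchange the accepted answer settles on, the OAuth 2.0 Client Credentials Grant, which also satisfies the "it should not be a static token" point from the second answer. It is written in Python with the standard library only so it runs stand-alone; the original setup is ASP.NET Web API, so treat this as the protocol logic, not the framework code. The client ids, the client secret, the signing key and the 300-second lifetime are all constructed for the example. A registered client posts its id and secret to the token endpoint and receives a short-lived, HMAC-signed bearer token; the resource endpoint accepts only requests carrying a valid, unexpired token, so an unregistered "blah-mobile-app" never gets past the door.

```python
"""Client-credentials token endpoint and resource check (illustrative, stdlib only).

Models the OAuth 2.0 Client Credentials Grant at the message level:
  1. client  -> token endpoint : client_id + client_secret
  2. token endpoint -> client  : short-lived signed access token
  3. client  -> resource       : Authorization: Bearer <token>
All client names, secrets and keys below are constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side signing key; in a real deployment load it from a secret store.
SIGNING_KEY = b"example-signing-key-rotate-me"
TOKEN_TTL_SECONDS = 300  # tokens expire, so a captured token is not a permanent key


def _hash_secret(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed registry: the server stores only a hash of each client's secret.
# Client secrets are high-entropy random strings, so a plain SHA-256 is sufficient here.
CLIENT_REGISTRY = {
    "my-mobile-app": _hash_secret("example-secret-for-my-mobile-app"),
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64):
    return _b64url(hmac.new(SIGNING_KEY, payload_b64.encode(), hashlib.sha256).digest())


def issue_token(client_id, client_secret, now=None):
    """Token endpoint: handles grant_type=client_credentials and returns a dict response."""
    now = time.time() if now is None else now
    expected = CLIENT_REGISTRY.get(client_id)
    supplied = _hash_secret(client_secret)
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return {"status": 401, "error": "invalid_client"}
    payload = {
        "sub": client_id,
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": secrets.token_hex(8),  # unique per issuance, so tokens are never static
    }
    payload_b64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    token = payload_b64 + "." + _sign(payload_b64)
    return {"status": 200, "access_token": token, "token_type": "Bearer",
            "expires_in": TOKEN_TTL_SECONDS}


def validate_token(token, now=None):
    """Return the token payload if the signature is valid and it has not expired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload_b64, sig = parts
    if not hmac.compare_digest(_sign(payload_b64).encode(), sig.encode()):
        return None
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


def handle_resource_request(authorization_header, now=None):
    """Resource endpoint: the equivalent of the HTTP handler that gates every call."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return {"status": 401}
    payload = validate_token(authorization_header[len("Bearer "):], now)
    if payload is None:
        return {"status": 401}
    return {"status": 200, "client": payload["sub"]}


if __name__ == "__main__":
    grant = issue_token("my-mobile-app", "example-secret-for-my-mobile-app")
    print(handle_resource_request("Bearer " + grant["access_token"]))  # accepted
    print(issue_token("blah-mobile-app", "guess"))                      # invalid_client
```

The registry check is the only place where a client's identity is established; the resource endpoint never sees the secret, only a token that proves the token endpoint accepted it. Because the token carries its own expiry and a fresh jti per issuance, a leaked token is bounded in time rather than being a permanent key, which is the practical difference between this and the "predefined KEY" idea in the question.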