Click here to Skip to main content
15,940,550 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
Hi,

I am working on a distributed application with ASP.net Web-API based REST services hosted on azure as Cloud Services.

These services are consumed by a variety of client applications ( ex. Web applications (SPA), Other web services, native application on mobile devices).

Our Rest Web Service (RWS) has a number of actions, some are secure with Authorization and other are open, as in some are only allowed for authentic user while others are not. As users are verified with FORM authentication, this system works well so far with SSL in place.

Hopefully description above sets the required context enough for me to come to the problem statement now.

Problem Statement: I am now in need to identify and authorize client application as well.
i.e. Somehow, in some way, web services would identify and authorize known client applications only to request for any resource or to authorize users.

Assume:
1) Azure web service has a action URI like "https://www.somedomain/api/somecontroller/someaction"

2) a mobile app "my-mobile-app", published by me, consumes this URI. i want to allow "my-mobile-app" to consume URI by identifying/authorizing it.
I know "my-mobile-app", i love it. I identify/authorize this client application first and then allow it to attempt the end-user authentication.

3) another mobile app "blah-mobile-app", published by someone else, somehow knows this URI and attempts to consume this URI. I DO NOT want to allow it to consume this URI. i want to just close door on it's face. Nada. zip. i won't entertain this client application to make any request for resources.


A quick potential solution which comes to mind is: to give a predefined KEY to client application and then to use a HTTP Handler to intercept incoming calls for presence of this KEY to identify and authorize client. but would really appreciate a better more manageable approach for this problem as i may have to extend this solution to all possible clients. and who knows may need similar solutions on other web service projects as well.

Let me know if additional information is needed or any section of question is not clear.
Posted
Updated 7-Oct-15 0:48am
v2
Comments
Sinisa Hajnal 7-Oct-15 4:58am    
More manageable solution would be to make app name or app code part of the parameters / URL. I wouldn't do it that way, but it is possible :)

Explored OAuth 2.0 and found my solitude in there.

for my particular problem, Client Credential Grant was the Answer, however realized that with all the supported options, implicit grant would solve other problems i was having with authenticating users and thus applications on mobile devices as well. thanks for recommendations.

For anyone looking for answer here, my recommendation is to have a hard look at OAuth2.0 or other similar options.
 
Share this answer
 
Hi Omni,

There are several ways to solve this problem:

1. Which is in your mind its called token based authentication, provide some key to identify user, few things you should keep in mind while doing the same
a. Its should not be a static token
b. Do some IP level check
c. Is there any kind of session sharing?

2. Session based check, as you are building a web application what ever device is going to hit your application it will create a session so you could hold your required information in session
a. Session resides at server end so it will increase load a server end
b. Session tempering is quite easy so be CAREFUL

3. OpenAuth based or Cookie based, create you authentication service centralized, consume it from all modes of application, once authenticated you will porvide some kind of AuthToken, which will be transmitted every time
a. As you using cookie you should use secure cookie
b. Don't use plain text use encrypted text

Now choice is yours, there are many other aspects it vary situation to substitution
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900