Implementing authentication in ASP.Net Web API - c#

I am aware this is the most basic question and is asked many times, however I have failed to find relevant details for my requirement.
I am developing ASP.Net as front end and using ASP.Net Web API service. I am planning to use Basic Auth using SSL.
Could someone help me with below:
In future, I plan to have multiple clients including Android, iOS and Windows phone client. Any issues using Basic Auth over SSL?
Please help me confirm if below is right implementation approach.
I will write new Controller - AccountController in ASP.net Web API and use this controller for methods: Login, Logout and RegisterNewUser. All of them will be POST methods.
What should the code inside the Login API be, apart from verifying the user against the database? Also, should the login method return any object to the client?
Any reference which will help me understand client side of code, which will send authorization token on every web api request? Note: I am heavily using jqGrid with CRUD operation, which will make API requests.

There are no problems using Basic Authentication using these clients as far as I know. I have tested this scenario with Android myself.
I have just successfully implemented Basic Auth using this link as a resource:
http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-message-handlers
/Rune

1) There's no problem using SSL and Basic Auth together.
2/3/4) That would be a valid approach, though I'd recommend that you create a new MVC project and look at the generated code in the AccountController.cs file. This will give you some guidance on how to code these actions.

Login Authentication using self hosted API (WPF)

I'm developing a system with my classmate; he created a self-hosted API using WPF, while I'm on the mobile part. I already get data using GetAsync and post data using PostAsync. What I want now is login authentication for our system.
Here is the Web API I'm talking about.
What I want is to use this as my API for authentication, But whenever I search for this topic, all of the results are Azure, WCF, ASP.Net.
I know that my friend uses an ASP NuGet package to create the API, from searching so far on this topic. They're always using those 3, and the code for validation is in ASP, WCF or Azure.
I also don't get the concept of a token and I guess I don't need it on the self-hosted API.
This is the best example of what I'm talking about:
http://www.c-sharpcorner.com/article/xamarin-android-create-login-with-web-api-using-azure-sql-server-part-one/
http://www.c-sharpcorner.com/article/xamarin-android-create-login-with-web-api-using-azure-sql-server-part-two/
These two sets of tutorials are very helpful, but I'm not aiming for this thing. I just want simple authentication using the API in the picture.
It's just simple school work; I'm a beginner in mobile development and C#.
Thanks in advance for viewing my POST :)
While your question is waaaaaay too broad for a single answer on Stack Overflow, here are some pointers for you. Don't overthink things and keep it simple.
I think the easiest way to tackle your problem is to issue a token for your mobile app. This can be any type of token if you don't really care about security.
So in your app, you present the user with a username/password dialog. Pressing a login button:
you hit your API, sending that username and password
the API checks whether the username and password are in the database and are a valid combination
it generates a token if OK, sends it as the response and saves that token in the database
then, when hitting other URLs in your API from the mobile app, you need to provide the token as a header or query string parameter
This is probably the simplest form of authentication you can do.
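The flow the answer above describes (check the credentials, issue a token, store it, require it on later calls), written out as an added ASP.NET Web API 2 example; this is not code from the original answer or from the asker's project. The in-memory TokenStore, the single constructed user "alice", the eight-hour lifetime and the api/account/* routes are all assumptions; a real application would keep the token table and the salted password hashes in its database. The server stores only a SHA-256 hash of each token, so a leaked token table does not hand out usable tokens, and tokens expire rather than living forever.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Constructed in-memory token table standing in for the database table the answer describes.
// Only a SHA-256 hash of each token is kept, so a leaked table does not yield usable tokens.
public static class TokenStore
{
    private static readonly ConcurrentDictionary<string, Tuple<string, DateTime>> Tokens =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromHours(8);   // assumed token lifetime

    // Issues a fresh 256-bit random token for the user and records its hash and expiry time.
    public static string Issue(string userName)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        Tokens[Hash(token)] = Tuple.Create(userName, DateTime.UtcNow.Add(Lifetime));
        return token;
    }

    // Returns the user name the token belongs to, or null if it is unknown or expired.
    public static string Validate(string token)
    {
        Tuple<string, DateTime> entry;
        if (token == null || !Tokens.TryGetValue(Hash(token), out entry)) return null;
        if (entry.Item2 < DateTime.UtcNow) { Revoke(token); return null; }
        return entry.Item1;
    }

    public static void Revoke(string token)
    {
        Tuple<string, DateTime> removed;
        if (token != null) Tokens.TryRemove(Hash(token), out removed);
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}

public class LoginRequest { public string UserName { get; set; } public string Password { get; set; } }

// Login/Logout actions. The [Route]s need config.MapHttpAttributeRoutes() in WebApiConfig.
public class AccountController : ApiController
{
    // Constructed single user with a PBKDF2 password hash; a real app loads salt and hash per user
    // from its database and never compares plaintext passwords.
    private static readonly byte[] Salt = Encoding.UTF8.GetBytes("constructed-salt-value");
    private static readonly byte[] AliceHash = Pbkdf2("correct horse battery staple");

    private static byte[] Pbkdf2(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 100000)) return kdf.GetBytes(32);
    }

    private static bool CheckCredentials(string userName, string password)
    {
        if (userName != "alice" || password == null) return false;
        return Pbkdf2(password).SequenceEqual(AliceHash);
    }

    [HttpPost, AllowAnonymous, Route("api/account/login")]
    public IHttpActionResult Login(LoginRequest login)
    {
        if (login == null || !CheckCredentials(login.UserName, login.Password))
            return Unauthorized(new AuthenticationHeaderValue("Bearer"));
        // The token is all the client needs to keep; it must only ever travel over HTTPS.
        return Ok(new { token = TokenStore.Issue(login.UserName) });
    }

    [HttpPost, BearerToken, Route("api/account/logout")]
    public IHttpActionResult Logout()
    {
        TokenStore.Revoke(BearerTokenAttribute.ReadToken(Request));   // server-side logout
        return Ok();
    }
}

// Reads "Authorization: Bearer <token>" on protected actions; valid token -> principal, else 401.
public class BearerTokenAttribute : AuthorizationFilterAttribute
{
    public static string ReadToken(HttpRequestMessage request)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        return auth != null && auth.Scheme == "Bearer" ? auth.Parameter : null;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        string user = TokenStore.Validate(ReadToken(actionContext.Request));
        if (user == null)
        {
            HttpResponseMessage response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            actionContext.Response = response;
            return;
        }
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "Bearer");
        actionContext.RequestContext.Principal = new ClaimsPrincipal(identity);
    }
}
```

Decorate any other controller or action with [BearerToken] to require the token. The mobile client POSTs JSON {"UserName": "...", "Password": "..."} to api/account/login once, keeps the returned token in protected storage, and sends Authorization: Bearer <token> on every later request. Sending the token in a header rather than a query string keeps it out of server access logs and browser history.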

Web API authorization process via HttpClient (C#)

I am working on combination of Web API application and desktop client program (WPF). I am using Microsoft.AspNet.WebApi.Client for a client-server HTTP communication and now I want to use authorization / authentication system of the server application to authorize user of the client program.
The point is, I want to use (= start with) the same HttpClient class. I would like to use the ASP.NET Identity library on the server side: call a controller with credentials in the HTTP header, receive the actual token from the server, keep it, and then use it for authentication in other controllers where it is required.
I know the theory and some basic steps, but I have not found any useful and current resource with simple examples or a tutorial on how to do it well. Does anyone know of a good resource to learn how to do that?
Thanks a lot.

Can I use Basic authentication in website and Token authentication in web Api, Is this wrong concept?

I need to create a website in asp.net, where user registrations required and also need to create a WebApi code for mobile app users.
Currently user registration is created in an ASP.NET Web Form, and login works fine (I used basic authentication), but when I try to log in using the Web API code
it shows error 400 Bad Request (token-based authentication); all parameters passed are correct.
Does this happen because I used basic authentication in the Web Form?
Do I need to use basic authentication in the Web API also? If yes, then how does it work for login?
Please help.
I would use the same authentication model for both use cases. So to implement basic authentication in WebApi there is a good article from Mike Wasson. You can find the source code here. It's too much to copy it here.
Create your own [BasicAuthentication] Attribute and add it to your controller classes. I would not use cookies, instead send your credentials every time you call the Api within the Authentication-Header of your HTTP call. But make sure you use HTTPS!
And to answer your question about mobile apps: Yes of course, adding an authentication header is possible within any mobile application. Same advice here about using HTTPS...
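The [BasicAuthentication] attribute the answer above recommends, as an added Web API 2 example written here; it is not the answer's code, not Mike Wasson's sample and not part of any project on this page. It assumes a hypothetical ICredentialStore interface resolved through the dependency resolver (backed by your database and salted password hashes) and a realm name of "api". The filter decodes the Basic header, splits on the first colon only (passwords may contain colons), refuses to accept credentials that arrived over plain HTTP, and makes sure every 401 carries a WWW-Authenticate challenge so clients know which scheme to use.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Hypothetical credential store; register your database-backed implementation with the
// dependency resolver. Store only salted password hashes and verify against those.
public interface ICredentialStore
{
    bool Validate(string userName, string password);
}

// Decodes "Authorization: Basic base64(user:password)" and, when the credentials check out,
// sets the request principal. Use together with [Authorize] on a controller, or register both
// globally in WebApiConfig so every controller is protected.
public class BasicAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    private const string Realm = "api";   // assumed realm name, sent back in the challenge

    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        HttpRequestMessage request = context.Request;
        AuthenticationHeaderValue authorization = request.Headers.Authorization;

        // No header, or another scheme: stay anonymous and let [Authorize] reject the request.
        if (authorization == null || !"Basic".Equals(authorization.Scheme, StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);

        // Basic credentials are only base64-encoded, not encrypted: refuse them over plain HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            context.ErrorResult = new StatusCodeResult(HttpStatusCode.Forbidden, request);
            return Task.FromResult(0);
        }

        string userName, password;
        if (!TryDecode(authorization.Parameter, out userName, out password))
        {
            context.ErrorResult = Challenge(request);   // malformed header
            return Task.FromResult(0);
        }

        var store = (ICredentialStore)request.GetDependencyScope().GetService(typeof(ICredentialStore));
        if (store == null || !store.Validate(userName, password))
        {
            context.ErrorResult = Challenge(request);   // unknown user or wrong password
            return Task.FromResult(0);
        }

        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, userName) }, "Basic");
        context.Principal = new ClaimsPrincipal(identity);
        return Task.FromResult(0);
    }

    // Wraps the pipeline result so any 401 (e.g. from [Authorize]) carries a WWW-Authenticate header.
    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        context.Result = new ChallengeOnUnauthorized(context.Result, Realm);
        return Task.FromResult(0);
    }

    private static IHttpActionResult Challenge(HttpRequestMessage request)
    {
        var header = new AuthenticationHeaderValue("Basic", "realm=\"" + Realm + "\"");
        return new UnauthorizedResult(new[] { header }, request);
    }

    // Splits the decoded "user:password" pair on the first colon only; passwords may contain colons.
    private static bool TryDecode(string parameter, out string userName, out string password)
    {
        userName = password = null;
        if (string.IsNullOrEmpty(parameter)) return false;
        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return false; }
        int colon = pair.IndexOf(':');
        if (colon < 1) return false;
        userName = pair.Substring(0, colon);
        password = pair.Substring(colon + 1);
        return true;
    }

    private class ChallengeOnUnauthorized : IHttpActionResult
    {
        private readonly IHttpActionResult _inner;
        private readonly string _realm;
        public ChallengeOnUnauthorized(IHttpActionResult inner, string realm) { _inner = inner; _realm = realm; }

        public async Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
        {
            HttpResponseMessage response = await _inner.ExecuteAsync(cancellationToken);
            if (response.StatusCode == HttpStatusCode.Unauthorized)
                response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"" + _realm + "\""));
            return response;
        }
    }
}
```

A mobile client then sets client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + password))) on its HttpClient once and every request carries it, which is exactly why HTTPS is mandatory: the header is the password. One caveat on the HTTPS check: if TLS is terminated at a load balancer or reverse proxy, RequestUri.Scheme will read "http" on the Web API host and the check must instead trust the proxy's X-Forwarded-Proto header (only from the proxy's own address).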
You should be able to use the same basic auth for webapi that you use for webforms (both cookie based).

Using a Web Api 2 project to authenticate/authorize a separate client project's users

I'm having trouble getting the authentication portion working, particularly the external authentication. I'm using a client project to call my API, which then handles all the OAuth processing.
My issue is that once you authenticate through Facebook, it wants to redirect to my API url, and that redirect url has the access_code needed for authorization of subsequent API calls from the client. Is there a best practice for dealing with this situation? For instance, should I parse the access_code out of the url and somehow send it back to the client project?
Searching for how to handle this yields me vague results. Most everything I come across leads back to one of two links:
This is helpful understanding the high level concept
This implies that you should just dig around in the SPA template and figure it out on your own
neither of which really help me out much in a "how-to" sense.
The client project I'm ultimately working with is a Xamarin project, so I'm looking for C# or Xamarin library code how-tos in particular. If anyone can help, I'd appreciate it.

Security between .NET MVC and WEB API

We are starting a project which will consist in:
Web project (ASP.NET MVC)
IOS app
and both will consume data from a .NET WEB API service.
The Web API service will expose a POST method with the URL "user/create". But I don't know how I can prevent other apps from making POSTs to this URL. I know I need a security protocol, but I wanted to know which one you recommend, and, if you have one, an article where it is explained.
Thanks
Web API 2 provides OAuth authentication. You will need to get a token from the token endpoint of Web API and pass that token in subsequent requests.
You should find lot of online resources if you search for web api 2 oauth.
We did something similar recently using OWIN OAuth 2.0 Authorization Server
Reference this ASP.NET page for details. Sample code is included as well for several different implementations.
For our purposes, we used the Client Credentials Grant section about half-way down the page. Our implementation involved server-server OAuth (Web API to MVC), but I bet it's pretty similar to have iOS connect. The only thing I would caution is to somehow encrypt the login credentials on the iOS side, and I'm sure there is a way to do that.
So you want the WebAPI to only be used by the MVC page? The best architectural method is to separate the two rather than leave both in one project. Why? Because the MVC app is an experience layer for humans. The WebAPI is an experience layer for the MVC app. Move it back where it can't be accessed.
You can add on tokens, etc, but the MVC app sits on the server, but is accessed on the client computer. The wider the scope of the application (ie, intranet or internet or something in between?), the more difficult the problem and the harder it is for your users to access the application. Moving the WebAPI internal and leaving the MVC app exposed guarantees external users cannot use the API.
The main reason WebAPI and MVC exist together in a single project (still a mistake in most instances, IMO) is you are exposing both to the same audience. If that is not your intent, don't do it.
