7

I am writing a server used ASP.NET Web Api template and implementing rest services. This server will be a backend for a mobile game where it will store the users' highscores, progress, and other information. I have taken a look at a number of approaches (this, this, and this) and I am having trouble deciding what approach to use. In my case I would like to prevent fraud of scores primarily since each user account will contain limited info (outside of their email). Here is what would ideally be happening.

  1. User opens app for the first time
  2. User is given option for custom username and this is checked by server so there aren't duplicates
  3. User is given a randomly generated six-digit pin number (so they can use the same account on different phones)
  4. User enters email address
  5. New user is created on server (server verifies that the account was created by a valid instance of my client application)
  6. User plays game, uploads results (Via basic authentication?)
  7. User can view global results (no security on GET methods that aren't user specific)

I'm having trouble narrowing down what type of authentication (no browser login screens and such) and authorization methods to use. Any help would be greatly appreciated.

-Tamas

Community
  • 1
  • 1
tamaslnagy
  • 431
  • 1
  • 7
  • 16
  • Perhaps basic authenication would be enough in this case? But I'm still unsure how to make sure that someone is accessing the rest api through a valid client. – tamaslnagy Apr 10 '12 at 18:44

2 Answers2

5

Even if you are using basic authentication you will want to use HTTPS. If you are using HTTPS then you can use client certificates to verify the client also. Only clients with a valid certificate will be given access. If you are not opening up this API to other consumers and it will only be used by a client developed by you, you may to want to consider WS-Security and WCF. There is a entertaining description of the differences using naked motorcycle drivers as a metaphor here.

Kevin Junghans
  • 17,475
  • 4
  • 45
  • 62
  • I will be using multiple languages (Java, Obj-C, and C#/.NET) so I don't know if the ws-security/wcf method would work. Is the client certificate method cross-platform? – tamaslnagy Apr 10 '12 at 21:15
  • If it will be cross-platform I would recommend sticking with REST. The client certificate is cross-platform. – Kevin Junghans Apr 11 '12 at 12:09
  • Sounds good. I'll look into it. Also, I never understood how the initial registration took place with the basic authentication system, that is, when the entered username and password are not yet in the server database. – tamaslnagy Apr 11 '12 at 14:19
  • The server should return an HTTP 401 error code, which means "Unauthorized". – Kevin Junghans Apr 11 '12 at 17:03
  • Indeed, but how would I go about actually authorizing a new user who wants to join my service? – tamaslnagy Apr 11 '12 at 19:24
  • You need to add a message handler to your http configuration that implements a custom authentication handler. There are examples and source code you can use in this open source project http://identitymodel.codeplex.com/. – Kevin Junghans Apr 11 '12 at 19:52
  • I have decided to go with ServiceStack instead of Web Api because it seems a bit more robust and provides more features. Thanks for your help. – tamaslnagy Apr 14 '12 at 23:44
1

If it's from different client/devices, something like token based authentication might work for you.

The idea is simple, you have Authentication method in yours Web service. This method is responsible for checking credential and issuing of 'Token'. Some simple structure like SHA1 or MD5 string which all further client calls are using.

If client is authenticated it stores the token for whole duration of session. The rest of Web service methods, like SaveScore just accepting token as parameter. They then responsible to check is it valid or not. If token is not valid the call is not being served.

Alexander Beletsky
  • 19,453
  • 9
  • 63
  • 86