3

I am writing an API to be used by both my JavaScript app (same domain: the API is at api.example.com and the site at example.com) and 3rd party developers (mobile, desktop, etc). Now I want to use OAuth but I have no idea what the workflow is when using both OAuth and my own application under the same origin policy.

How do I authenticate the user in my web app? When I send the username and password, can I check if the request came from my domain and then return the token? The token will be stored in a cookie and sent back to the server on every request. So there are 2 parts:

  1. If the request came from my domain, just check for token else throw HTTP exception.
  2. If not my domain, do OAuth authentication.

Is this possible? How do I go about setting this up in asp.net web API? (mainly the part about checking if the request is in the same domain)

arserbin3
Shawn Mclean

1 Answer

2

I am guessing that to log into your web app you're not using OAuth, but simply accept username and password and start a session? If so you don't really have to bother with OAuth for your own site.

Set up the session cookie to be valid across *.example.com and you should be able to validate that cookie both on site.example.com and api.example.com.

Example:

  1. Request comes in to api.example.com/verify_credentials.json
  2. Serve response if OAuth validation is successful.
  3. If not, attempt Cookie validation - serve if successful
  4. Return 402 Unauthorized if both fail.

Here's a thread about sharing a cookie across sub domains: ASP.NET Subdomain Cookie (parent and one subdomain)

Jon Nylander
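An ASP.NET Web API message handler that applies the order the answer describes (OAuth bearer token first, then the cookie shared across *.example.com, otherwise 401 Unauthorized), written as an added example that is not code from the original post. It assumes Web API 2, the default FormsAuthentication cookie name, and a caller-supplied lookupToken function that maps a bearer token to a user name (issuing the OAuth token is out of scope here).

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Security;

// OAuth bearer token first (third-party clients), then the forms-auth cookie shared across *.example.com.
public class OAuthOrCookieHandler : DelegatingHandler
{
    private const string CookieName = ".ASPXAUTH"; // assumption: default FormsAuthentication cookie name
    private readonly Func<string, string> _lookupToken; // assumed: bearer token -> user name, or null
    public OAuthOrCookieHandler(Func<string, string> lookupToken) { _lookupToken = lookupToken; }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // Step 1: OAuth token; step 2: shared cookie; anything else is rejected before the controller runs.
        IPrincipal principal = ValidateBearerToken(request) ?? ValidateSessionCookie(request);
        if (principal == null)
        {
            // Both checks failed: 401 plus a Bearer challenge so OAuth clients know what to send.
            var response = request.CreateResponse(HttpStatusCode.Unauthorized);
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            return response;
        }
        request.GetRequestContext().Principal = principal;
        return await base.SendAsync(request, ct);
    }

    private IPrincipal ValidateBearerToken(HttpRequestMessage request)
    {
        var auth = request.Headers.Authorization;
        if (auth == null || !"Bearer".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase)) return null;
        string user = _lookupToken(auth.Parameter);
        return user == null ? null : new GenericPrincipal(new GenericIdentity(user, "OAuth"), null);
    }

    // Cookie-authenticated calls can be sent cross-site by a browser, so these still need anti-CSRF checks.
    private static IPrincipal ValidateSessionCookie(HttpRequestMessage request)
    {
        var cookie = request.Headers.GetCookies(CookieName).Select(h => h[CookieName]).FirstOrDefault();
        if (cookie == null) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; } // tampered or unreadable cookie is treated as absent
        return ticket == null || ticket.Expired ? null
            : new GenericPrincipal(new GenericIdentity(ticket.Name, "Cookie"), null);
    }
}
```

Register it with `config.MessageHandlers.Add(new OAuthOrCookieHandler(lookupToken))` in the Web API configuration. The cookie check only works if example.com issues the ticket for the parent domain, i.e. `<forms domain=".example.com" ... />` in web.config, so that the browser also sends it to api.example.com.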