3

I'm looking to restrict access to controllers/actions that represent my website's api. Only registered users who meet a certain criteria (pay accounts, not free trials) will be able to use the api. The website currently supports forms authentication with users logging in with a username/password combination or via open id.

How would have the users authenticate with the api? The api will initially be used by mobile applications (iphone, droid). My main concern is open id support with mobile apps.

My thoughts on available options are:

  1. Support both Username/password & open id - Not sure how well iphone/droid apps can support openid authentication.
  2. Only support Username/password - force OpenId users to create un/pwd for api - Bad UX for OpenId users
  3. Use an api token - This worries me for two reasons:
    1. Users would have to manually type in their api key which sucks from a UX point of view
    2. They could easily distribute/share their api key with other users and that would ruin reports/metrics.
  4. Something else that I missed?
Jim Geurts
  • 20,189
  • 23
  • 95
  • 116

3 Answers3

0

We use #1 - open id or username/password. I don't see how this is specific to asp.net or asp.net mvc though ... it seems like more of an architectural question.

Beep beep
  • 18,873
  • 12
  • 63
  • 78
0

I think it depends on how your creating your services API (REST/JSON, XML, WCF, etc..) but here are some links that will help:

ASP.NET MVC - HTTP Authentication Prompt

http://code.google.com/p/dotnetopenid/

Community
  • 1
  • 1
Carol Skelly
  • 351,302
  • 90
  • 710
  • 624
-1

I found that token based authentication worked the best.

OAuth 2 is an attractive alternative that would be supported by all mobile devices and a site that already allows multiple forms of authentication.

DotNetOpenAuth offers a .net library for working with OAuth2, among other authentication technologies.

Jim Geurts
  • 20,189
  • 23
  • 95
  • 116