I have a WinRT app that is going to interact with a WebAPI service on my server backed by an Entity Framework managed SQL database (MVC - ASP.NET). For security, I'm only allowing users authenticated on the WinRT side with the Microsoft Live Connect SDK to interact with the WebAPI service. I already have the login code for authenticating with the Live Connect SDK on the WinRT app side working. The WebAPI service is running in the context of an MVC Web Role running on my Azure hosted server.
I've done a lot of reading on StackOverflow and there's a wide range of documents on the topics of authentication, OData, OAuth, Azure Mobile Services, WebAPI and how to combine them:
Live Connect Authentication Token for use on Azure Mobile Services (REST)
How to use a MVC WebAPI OData endpoint securely?
Disable Windows Authentication for WebAPI
I am very concerned that I choose the tools/path that implement only what I need for the above scenario, and in a secure manner. My main attack concern is unauthenticated users trying to access the ApiController and performing harmful PUTs or DELETEs. Some questions:
Do I need Azure Mobile Services at all?
What tool(s) do I use, or what configuration changes do I need to make, to manage/pass the Live Connect token between the WinRT app and the service?
Is there a template or NuGet package that I should use that automates much of this?
Is there a document that addresses my scenario or one close to it?
Is there anything built-in to Entity Framework that can help, or conversely has a vulnerability I need to address? If so, what?
What changes do I need to make to the server configuration (web.config)?
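The core check the question is asking for, shown as an added example that is not part of the question and not code from the Live Connect SDK, Azure Mobile Services or any NuGet package: an ASP.NET Web API `DelegatingHandler` that refuses every request to an ApiController unless it carries a bearer token that the server itself has verified. It assumes the WinRT app sends the Live Connect authentication token in an `Authorization: Bearer` header, that the token is an HS256-signed JWT, that the signing key is SHA-256 of the app's client secret concatenated with `"JWTSig"`, and that the user identifier claim is named `uid`; the class name `LiveTokenHandler` and the constructor parameters are invented for the example and the key derivation and claim names must be confirmed against the current Live Connect documentation before use.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;   // ships with Web API

// Hypothetical handler, not from the question or any SDK. Register it once in
// WebApiConfig.Register:
//   config.MessageHandlers.Add(new LiveTokenHandler(clientSecret, expectedAudience));
// Every request routed to an ApiController then passes through it before any
// controller action (and therefore any Entity Framework call) runs.
public class LiveTokenHandler : DelegatingHandler
{
    private readonly byte[] _key;
    private readonly string _expectedAudience;

    public LiveTokenHandler(string clientSecret, string expectedAudience)
    {
        // ASSUMPTION: Live Connect authentication tokens are HS256 JWTs keyed with
        // SHA-256(clientSecret + "JWTSig"). Verify this against the Live Connect docs.
        using (var sha = SHA256.Create())
        {
            _key = sha.ComputeHash(Encoding.UTF8.GetBytes(clientSecret + "JWTSig"));
        }
        _expectedAudience = expectedAudience;
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        ClaimsPrincipal principal;
        if (auth != null
            && string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            && TryValidate(auth.Parameter, out principal))
        {
            // [Authorize] on the controllers reads Thread.CurrentPrincipal.
            Thread.CurrentPrincipal = principal;
            return base.SendAsync(request, cancellationToken);
        }

        // No valid token: fail closed here, so an anonymous PUT or DELETE never
        // reaches the controller. Do not redirect to a login page for an API.
        var reply = request.CreateResponse(HttpStatusCode.Unauthorized);
        reply.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
        return Task.FromResult(reply);
    }

    private bool TryValidate(string token, out ClaimsPrincipal principal)
    {
        principal = null;
        if (string.IsNullOrEmpty(token)) return false;
        var parts = token.Split('.');
        if (parts.Length != 3) return false;

        try
        {
            // 1. Signature: recompute HMAC-SHA256 over "header.payload" with our key
            //    and compare in constant time. We never read "alg" to pick the
            //    algorithm, so a token claiming alg:"none" cannot bypass this step.
            byte[] expected;
            using (var hmac = new HMACSHA256(_key))
            {
                expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]));
            }
            if (!FixedTimeEquals(expected, Base64UrlDecode(parts[2]))) return false;

            var header = JObject.Parse(Encoding.UTF8.GetString(Base64UrlDecode(parts[0])));
            var payload = JObject.Parse(Encoding.UTF8.GetString(Base64UrlDecode(parts[1])));
            if ((string)header["alg"] != "HS256") return false;

            // 2. Expiry: "exp" is seconds since the Unix epoch; reject expired tokens.
            var exp = (long?)payload["exp"];
            var now = (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
            if (exp == null || now >= exp.Value) return false;

            // 3. Audience: a token issued for a different Live app must not be accepted here.
            if ((string)payload["aud"] != _expectedAudience) return false;

            // ASSUMPTION: the user id claim is "uid". Controllers should take the owner
            // key from User.Identity.Name, never from an id the client puts in the body.
            var uid = (string)payload["uid"];
            if (string.IsNullOrEmpty(uid)) return false;

            var identity = new ClaimsIdentity(
                new[] { new Claim(ClaimTypes.NameIdentifier, uid), new Claim(ClaimTypes.Name, uid) },
                "LiveConnect");   // non-empty authentication type => IsAuthenticated == true
            principal = new ClaimsPrincipal(identity);
            return true;
        }
        catch (Exception)   // malformed base64 or JSON: treat as unauthenticated
        {
            return false;
        }
    }

    private static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4) { case 2: b64 += "=="; break; case 3: b64 += "="; break; }
        return Convert.FromBase64String(b64);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Two points a practitioner would pair with this: put `[Authorize]` on every ApiController (or register it as a global filter) so a handler misconfiguration still fails closed, and, because the token is verified server-side, the controller can scope every Entity Framework query and update to `User.Identity.Name` rather than trusting a user id supplied in the request body, which is the usual way an authenticated but malicious caller would try to PUT or DELETE another user's rows.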