
I'm building a web app tool that allows a user to do some actions using their GitHub account (view their private repos, etc). It's built on ASP .NET MVC5 using the Octokit library for GitHub access. In version 0.0 of the tool (the learn-how-OAuth-works stage), the website follows the OAuth flow as detailed in this blog post which has the user sign in to GitHub which then provides me with a token. I store the token in Session["OAuthToken"], load all the data that it needs from GitHub, and then provide all the data to my view using a model.

Now that the data that needs to be loaded is growing in size and could start becoming more dynamic, I'd like to switch this design to load the data after the page is provided to the user. The workflow would look a little bit like:

  1. User is not logged into GitHub. App gives the user link to GitHub authentication page
  2. After logging in, OAuthToken is saved and user gets redirected back to first page
  3. Now that user is logged in, webpage provided to user is bare-bones HTML with JavaScript but no data
  4. JavaScript (likely Angular) makes asynchronous calls to the server (WebApi) requesting various pieces of data
  5. Server calls GitHub API for the requested data using the user's OAuthToken and provides it back to the webpage
  6. JavaScript renders the data

What I don't understand about this workflow is how I can safely authenticate that the user is making valid calls to WebApi for the data. The server has an OAuthToken to use, but my understanding is that it's unsafe to provide that to the user to use in its calls. However, without it, how can the WebApi endpoint tell that the request it's receiving should use this particular OAuthToken?

The website doesn't have any other form of login, and I'd love to keep it that way. But even if it did have its own login, I think I would still have the same problem. A logged-in user accesses a page and subsequent JavaScript calls from the page need to be authenticated with some piece of information included in the request.

What are my options? Can the JavaScript calls to WebApi be connected to whatever MVC uses to determine Session["OAuthToken"] as that value seems to be persistent in subsequent page views? Can I set the OAuthToken in a cookie and access it that way? If it helps, the web app uses HTTPS everywhere, but I'd also like to know if there's a solution that works without HTTPS.

Thanks for your help.

user779860
  • possible duplicate of [Accessing Session Using ASP.NET Web API](http://stackoverflow.com/questions/9594229/accessing-session-using-asp-net-web-api) – mason Jul 15 '15 at 18:20
  • Your question really has nothing to do with OAuth or GitHub. You have a lot here in your question, you should edit it down to the basics, ex: "What do I need to associate Web API calls with a particular Session"? – mason Jul 15 '15 at 18:20
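The pattern the question is circling around, shown as an added example (this is not code from the question, the linked blog post, or Octokit's own samples): the GitHub token stays on the server, the browser only ever holds the app's own forms-authentication cookie, and each Web API call is tied back to the token by the authenticated identity that cookie establishes. Because a cookie-authenticated API can be called cross-site, the API action also checks an anti-forgery token sent in a request header. Assumed and not taken from the question: the `example-app` product name, the `GitHub:ClientId` / `GitHub:ClientSecret` appSettings keys, the `X-XSRF-TOKEN` header name, the `Home/Index` redirect target, and the in-memory token store, which stands in for a protected persistent store.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Helpers;
using System.Web.Http;
using System.Web.Mvc;
using System.Web.Security;
using Octokit;

// Server-side token store keyed by GitHub login. The token never reaches the browser.
// The in-memory dictionary is an assumption standing in for a real store
// (for example a database column protected with MachineKey.Protect).
public static class GitHubTokenStore
{
    private static readonly ConcurrentDictionary<string, string> Tokens =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public static void Save(string login, string token) { Tokens[login] = token; }

    public static string Get(string login)
    {
        string token;
        return Tokens.TryGetValue(login, out token) ? token : null;
    }
}

// MVC controller running the GitHub OAuth flow with Octokit. After the code exchange it
// issues the app's own forms-auth cookie carrying only the GitHub login.
public class AccountController : Controller
{
    private static readonly string ClientId = ConfigurationManager.AppSettings["GitHub:ClientId"];         // assumed key
    private static readonly string ClientSecret = ConfigurationManager.AppSettings["GitHub:ClientSecret"]; // assumed key
    private static readonly ProductHeaderValue Product = new ProductHeaderValue("example-app");           // assumed name

    public ActionResult Login()
    {
        // Random 'state' kept in the MVC session and checked on return to stop login CSRF.
        var state = Guid.NewGuid().ToString("N");
        Session["GitHub:OAuthState"] = state;
        var request = new OauthLoginRequest(ClientId) { State = state };
        request.Scopes.Add("repo");
        return Redirect(new GitHubClient(Product).Oauth.GetGitHubLoginUrl(request).ToString());
    }

    public async Task<ActionResult> GitHubCallback(string code, string state)
    {
        var expected = Session["GitHub:OAuthState"] as string;
        Session.Remove("GitHub:OAuthState");
        if (string.IsNullOrEmpty(state) || state != expected)
            return new HttpStatusCodeResult(400, "Invalid OAuth state");

        var client = new GitHubClient(Product);
        var token = await client.Oauth.CreateAccessToken(new OauthTokenRequest(ClientId, ClientSecret, code));
        client.Credentials = new Credentials(token.AccessToken);
        var login = (await client.User.Current()).Login;

        GitHubTokenStore.Save(login, token.AccessToken);   // token stays on the server
        FormsAuthentication.SetAuthCookie(login, false);    // cookie identifies the user, nothing more
        return RedirectToAction("Index", "Home");           // assumed landing page
    }
}

// Web API controller. [Authorize] rejects requests without a valid forms-auth cookie; the
// anti-forgery check stops other origins from riding that cookie. The GitHub token is
// looked up server-side from the authenticated identity, never read from the request.
[System.Web.Http.Authorize]
public class ReposController : ApiController
{
    [System.Web.Http.HttpGet]
    public async Task<IHttpActionResult> GetPrivateRepos()
    {
        ValidateAntiForgeryHeader();

        var token = GitHubTokenStore.Get(User.Identity.Name);
        if (token == null)
            return Unauthorized();   // cookie is valid but no token on file: user must re-run the OAuth flow

        var client = new GitHubClient(new ProductHeaderValue("example-app")) { Credentials = new Credentials(token) };
        var repos = await client.Repository.GetAllForCurrent();
        return Ok(repos.Where(r => r.Private).Select(r => new { r.Name, r.HtmlUrl }));
    }

    // Expects the form half of the anti-forgery pair in an X-XSRF-TOKEN header (assumed name);
    // the cookie half arrives automatically with the request.
    private void ValidateAntiForgeryHeader()
    {
        var cookie = Request.Headers.GetCookies(AntiForgeryConfig.CookieName).FirstOrDefault();
        var cookieState = cookie == null ? null : cookie[AntiForgeryConfig.CookieName];
        var cookieToken = cookieState == null ? null : cookieState.Value;

        IEnumerable<string> values;
        var headerToken = Request.Headers.TryGetValues("X-XSRF-TOKEN", out values) ? values.FirstOrDefault() : null;

        try { AntiForgery.Validate(cookieToken, headerToken); }
        catch (HttpAntiForgeryException) { throw new HttpResponseException(HttpStatusCode.Forbidden); }
    }
}
```

The bare-bones page rendered after login includes `@Html.AntiForgeryToken()`, which sets the anti-forgery cookie and emits the matching hidden field; the page's JavaScript copies that field's value into the `X-XSRF-TOKEN` header on every call to `/api/repos`. Nothing in this design depends on Web API having access to `Session`: the forms-auth cookie alone answers "which user is calling", and the server resolves that to the right GitHub token. Mark the auth cookie `Secure` and `HttpOnly` (`requireSSL="true"` under `<forms>` in web.config), since without HTTPS the cookie is itself a bearer credential that any on-path observer can replay.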

0 Answers