3

I have an ASP.NET MVC 5 Application which uses Identity 2.0 for authentication/authorisation. Now I want to provide access to the data in my web application to my Android Application via Web Api 2.0.

My question is: How to control authorize/authenticate the access of my android application?

On Android side I use "org.springframework.web.client.RestTemplate" and add this HTTP header to my request:

    HttpAuthentication authHeader = new HttpBasicAuthentication("username", "password");
    HttpHeaders requestHeaders = new HttpHeaders();
    requestHeaders.setAuthorization(authHeader);
    HttpEntity<?> requestEntity = new HttpEntity<Object>(requestHeaders);

Should I just create a Filter or an HttpModule, analyse the HTTP Header there and query the DB to check if there is an existing user for that?

It is clear for me how it works on the HTML/Javascript frontend. There is a cookie used after each successful login, which is used for all subsequent calls, but what is the best strategy for my android app?

Update: Found these two links, but I'm not sure if I should go this way: http://springinpractice.com/2012/04/08/sending-cookies-with-resttemplate http://blog.mikepearce.net/2010/08/24/cookies-and-the-restful-api/

Wandering Fool
  • 2,170
  • 3
  • 18
  • 48
stefan
  • 1,336
  • 3
  • 21
  • 46

1 Answers1

3

You can, as you suggested, create a Filter for your WebApi controllers to authorize and authenticate access from your client application. Here is a blog post that may help you implement such a thing.

However, I suggest using access tokens as defined by the Oauth standard. This method of authentication and authorization is very well suited for mobile applications. You can create long life access tokens that keep your mobile client app logged in similarly to long life cookies and a browser client. Or you could use short life access tokens and long life refresh tokens. Also there is nothing stopping you from using Oauth with browser clients either, giving you a single auth implementation. Here is a great SO answer on tokens and Oauth.

Have a look at IdentityServer the following blurb is from their Github repository:

IdentityServer is a .NET/Katana-based framework and hostable component that allows implementing single sign-on and access control for modern web applications and APIs using protocols like OpenID Connect and OAuth2. It supports a wide range of clients like mobile, web, SPAs and desktop applications and is extensible to allow integration in new and existing architectures.

Community
  • 1
  • 1
Anish Patel
  • 4,332
  • 1
  • 30
  • 45
  • Many thanks, but I will definately need some time to get thru your suggestions. It sounds definately better than my approach! For sure I will not forget to mark as answer then!! – stefan Aug 02 '15 at 21:18
  • @stefan no problem buddy, glad I could help :) – Anish Patel Aug 02 '15 at 21:27
  • can you have a look at my next post? http://stackoverflow.com/questions/31891898/webapi-2-oauth2-android-client – stefan Aug 08 '15 at 11:53