
I am creating a new web application, and I plan to use Knockout.js for the front end UI and (at the moment anyway) MVC Web API for the web services. The UI application will be a Single Page Application (SPA).

I need content to be secure for logged on users only (authentication). I intend to have different levels of content based on user roles (authorization).

I'm trying to establish the best way to carry out user authentication. I've typically used ASP.NET forms authentication, but I've heard a lot about OAuth and I'm not sure if it's the best (most secure) way (I've read a lot of negatives about the OAuth 2.0 specification if not implemented correctly). I've also heard claims authentication is a solid authentication technique.

The reason I am trying to think of other forms of authentication is flexibility. Right now I am developing a web-based application, but I know we have native mobile applications to develop in the future and I want to have a single user base for all applications.

Can someone help demystify authentication methods for me (ones that work across devices), with emphasis on how the initial client authentication works, followed by subsequent requests from the UI to the Web API to retrieve data?

Thanks in advance for any advice!

Rob


Well, here's my opinion.

You are using Web API, so FormsAuthentication is not a good choice in my opinion. You could use OWIN to generate an authorization token (called a bearer token) that will authorize the requests. In ASP.NET the authorization token is usually sent in the headers of the HTTP request. For instance:

$.ajax({
    url: '/api/v1/user',
    type: 'post',
    // the bearer token issued at login travels in the Authorization header
    headers: {
        'Authorization': 'Bearer TOKEN_HERE'
    },
    data: someData
});

In this way you won't create any cookies, and all requests are stateless, following the principles of a Web API.

To understand more about how to generate a token, take a look at this article: http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/. It uses Identity to manage the users, but that is not necessary; you could use your own implementation, like in this thread: DB-First authentication confusion with ASP.NET Web API 2 + EF6.

After that, you should save your token in HTML5 localStorage (or sessionStorage) and use it whenever it is necessary.

Hope it helps!

Fabio