
In ASP.NET Web API, when you want to secure an action or REST endpoint, you use authentication, like token-based solutions. But what if there is a mobile app client for the API, and it has a sign-up form, so I want only this mobile app to be able to send sign-up requests to my API, and prevent other fake clients (like Postman or the like) from sending requests to the sign-up API?

Best

Babak Fakhriloo
    So you want to authenticate the mobile app... without authentication? :) (If I understand the question correctly, what you want to achieve is not possible. You give users the client, which is the mobile app, and you expect that nobody can create one that's similar, when they already have it. HTTP requests are just pieces of data that anyone can forge and send.) What is the context for this requirement? Why do you want to restrict sign-up to your mobile app? From what threat are you protecting your application? Answering these may help with coming up with a solution that actually would work. – Gabor Lengyel Sep 12 '16 at 13:57
  • @lengyelg I don't want other clients to be able to send requests to my API. Something like preventing a cross-site request forgery attack, where in an MVC app, using cookies, you prevent others from posting data from outside the web app. – Babak Fakhriloo Sep 12 '16 at 14:15
  • Yeah, the problem is that CSRF protections depend on browser features, and also CSRF protections don't stop another type of browser from accessing your application, and essentially that's the analogy to what you're trying to achieve here. What you're saying in the web world is that you made a browser, and it's a web application, but you only want your browser to be able to access it. – Gabor Lengyel Sep 12 '16 at 14:23
  • When I mentioned CSRF, I just wanted to make clear that I want something similar in functionality, not the exact way ASP.NET MVC does it. – Babak Fakhriloo Sep 12 '16 at 17:25
  • I'm still struggling to understand why you want this. What is the problem with different clients making requests? I think this may be the root cause of your false requirements. – Gabor Lengyel Sep 12 '16 at 17:29
  • Take a look at this question @lengyelg, if my response does not seem clear to you: http://stackoverflow.com/questions/21465559/restrict-api-requests-to-only-my-own-mobile-app. I hoped there would be a solution for the problem by now. – Babak Fakhriloo Sep 12 '16 at 17:39
  • Ok, again and for the last time, what you want is impossible. But that is no problem, because this is a wrong requirement; I'm fairly confident that you don't really need this. As it is technically impossible, and still any website/app/whatever can be reasonably secure, you can deduce that this requirement is not necessary. Without letting us know the context and why you want to achieve this (why it is a problem if others can make a different client if they want), I don't think we can help more. – Gabor Lengyel Sep 12 '16 at 17:46
  • @lengyelg thanks for your time. I hope someday there will be a way to do this. But if you read the similar question I mentioned, somebody suggested slowing down requests from suspicious IPs. – Babak Fakhriloo Sep 12 '16 at 17:56

1 Answer


This is exactly the scenario covered by token-based systems.

Your mobile app simply becomes a client with its own identifying data, then the API does its thing and only accepts requests from authenticated applications. This is exactly the kind of scenario you can cover with your own OAuth2 system.

Have a look at this article : https://eidand.com/2015/03/28/authorization-system-with-owin-web-api-json-web-tokens/

It will guarantee that only your mobile app can access that API.

Is this what you are after?

Andrei Dragotoniu
  • Still, anybody can create a different app that does the same. My understanding of the question was that he wants his app to be the only one that can talk to the API, which is the wrong requirement; that's why I tried to ask what the real end goal is. But of course your answer is correct in the sense that it should probably be done that way. – Gabor Lengyel Sep 12 '16 at 17:05
  • So, any client who can send a request and fake itself as my mobile app can request a token. I don't want fake apps/clients to send requests. Unless I use a fixed token for all my apps, and only accept that token for sign-up requests. What do you think? – Babak Fakhriloo Sep 12 '16 at 17:27
  • That token could be extracted from your app and used in another if somebody wanted. As it's given to users, you can't protect it. – Gabor Lengyel Sep 12 '16 at 17:28
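The exchange above, as an added example that is not part of the original answer, the linked article, or any ASP.NET code: a minimal model of an OAuth2-style token endpoint (client credentials) and a token-protected sign-up endpoint, written in Python rather than Web API/OWIN so it runs stand-alone. The client registry, the client secret string and the server signing key are made-up values. It shows what the answer's scheme does guarantee (no valid token, no sign-up; tampered or expired tokens are rejected) and what the comments point out it cannot (whoever extracts the client secret from the app binary is issued a token exactly like the real app).

```python
"""Added example: HS256 JWT token endpoint + protected sign-up endpoint.

Not the original post's code. The client id, client secret and server key
below are invented for illustration only.
"""
import base64
import hashlib
import hmac
import json
import time

# Server-side registry of known API clients. The secret for "mobile-app"
# has to be shipped inside the app package, so users can recover it.
CLIENTS = {"mobile-app": "s3cr3t-shipped-in-the-apk"}  # assumed values

# Signing key that never leaves the server; tokens are minted with it.
SERVER_KEY = b"server-only-signing-key"  # assumed value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(client_id, client_secret, now=None, ttl=3600):
    """Token endpoint: return an HS256 JWT if the client credentials match.

    Anyone presenting a registered (client_id, client_secret) pair gets a
    token; the server cannot tell the real app from a copy of its secret.
    """
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return None
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"client_id": client_id, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(SERVER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never trust the token's own "alg" beyond this check.
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(SERVER_KEY, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def sign_up(token, username, now=None):
    """Protected sign-up endpoint: HTTP-style status, 401 without a valid token."""
    if verify_token(token, now) is None:
        return 401
    return 201  # account for `username` would be created here


if __name__ == "__main__":
    real = issue_token("mobile-app", "s3cr3t-shipped-in-the-apk")
    print("real app sign-up:", sign_up(real, "alice"))            # 201
    print("no token (Postman):", sign_up("", "alice"))             # 401
    # Attacker who pulled the secret out of the APK gets the same 201.
    stolen = issue_token("mobile-app", "s3cr3t-shipped-in-the-apk")
    print("client with extracted secret:", sign_up(stolen, "mallory"))  # 201
```

The scheme authenticates possession of a credential, not the identity of the binary that holds it, which is the distinction the comments turn on: a fixed secret, an OAuth2 client secret and a per-install token are all recoverable from a shipped app, so the sign-up endpoint still needs abuse controls (rate limiting per IP or account, CAPTCHA, e-mail verification) rather than a promise that only one client can call it.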