
I have created a Web API application, an MVC application, and a mobile application.

The Web API should be decoupled from the other two applications as much as possible. I'm using the Password Grant flow here: clients using the Web API need to send a POST to /Token with username and password. The returned access token is then used for further calls to the API using the standard Authorization: Bearer <access_token> header.

The MVC application is only accessible for a select few users, and it has its own database which contains the information and roles of these users. Some parts of the MVC application should be restricted to only one or two users (for example), while other parts should be accessible for all registered users. This can be done by using Authorize attributes on the specific controllers within the MVC application - all good. Furthermore, the MVC application should be able to interact with the Web API.

Secondly, I want the mobile application to be able to interact with the Web API. A key point here is that I won't require users to register in the app. So essentially (how it's in my head right now), the only thing the API would see is 'this token belongs to the "AndroidApp" user and has password X - sure thing, you're known to me, I'll grant you access'. This seems a bit 'insecure' to me, meaning that all users of the mobile app will share the same auth credentials.

Questions:

  • User A is one of the users who are allowed to access the MVC application - I want him to be recognized by both the MVC app, and thereafter the Web API. Is there an easy way to synchronize data between two databases, or should I just register him in both databases (one for MVC, one for API)? There is probably a better third option I haven't thought about.
  • User B is a user of the mobile application, and he should not be able to access the MVC application. How can this be ensured? Obviously, the MVC user database won't have any info about mobile app users. I'm just wondering about the security aspect of just having one single pair of auth credentials embedded in the app - doesn't sound good to me.

I stumbled upon this question, which basically is the same as mine. But I don't really see the need for Authorization Code Grant flow for the web app (MVC application in my case) as the accepted answer suggests.

I hope my questions make sense, otherwise please let me know :)

gosr
  • Perhaps identityserver is something for you. Take a look at this: http://docs.identityserver.io/en/dev/index.html The documentation is written for asp.net core, but you could use idsrv3. –  Feb 11 '17 at 21:51
  • You need to get the concept of Roles into your idea, not just authorization. Your apps would have different client ids. Based on that, you can put different claims in the tokens. Then, the attribute can check for claims presence to see if this token belongs to the mobile app or the MVC app. – zaitsman Feb 12 '17 at 01:12
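One way to implement the per-client split that zaitsman's comment describes, as an added example that is not code from the question's author or from any project. It assumes ASP.NET Web API 2 with the Microsoft.Owin.Security.OAuth middleware serving the /Token endpoint from the question; the client ids, the client secret, the in-memory user store, the `AuthorizeClientAttribute` and the `ReportsController` are all hypothetical placeholders. The MVC application exchanges a registered user's credentials with the password grant and the token carries that user's roles, while the mobile application uses the client credentials grant and receives a token that names only the app, so the shared embedded credential can never mint MVC-level privileges:

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using Microsoft.Owin.Security.OAuth;

// Constructed stand-in for the MVC user database (a real store keeps salted hashes).
public class MvcUser { public string Password; public string[] Roles; }

// Hypothetical OWIN provider behind the /Token endpoint from the question.
public class AppOAuthProvider : OAuthAuthorizationServerProvider
{
    // Registered client applications (ids and secret are placeholders). The mobile
    // app is a public client: anything embedded in it can be extracted, so it gets
    // no secret and its tokens carry only an app identity, never user privileges.
    private static readonly Dictionary<string, string> Clients = new Dictionary<string, string>
    {
        { "MvcApp", "mvc-client-secret-placeholder" },
        { "AndroidApp", "" }
    };

    private static readonly Dictionary<string, MvcUser> MvcUsers = new Dictionary<string, MvcUser>
    {
        { "userA", new MvcUser { Password = "placeholder", Roles = new[] { "Admin" } } }
    };

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            context.TryGetFormCredentials(out clientId, out clientSecret);

        string expectedSecret;
        if (clientId == null || !Clients.TryGetValue(clientId, out expectedSecret))
        {
            context.SetError("invalid_client", "Unknown client_id.");
            return Task.FromResult(0);
        }
        // Confidential clients (the MVC server) must prove the secret; the public
        // mobile client cannot keep one, so only its id is checked.
        if (expectedSecret.Length > 0 && expectedSecret != clientSecret)
        {
            context.SetError("invalid_client", "Client secret mismatch.");
            return Task.FromResult(0);
        }
        context.Validated(clientId);
        return Task.FromResult(0);
    }

    // Password grant: only the MVC client may exchange a registered user's
    // credentials, and the token gets that user's roles from the MVC store.
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        MvcUser user;
        if (context.ClientId != "MvcApp"
            || !MvcUsers.TryGetValue(context.UserName ?? "", out user)
            || user.Password != context.Password)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim("client_id", context.ClientId));
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        foreach (var role in user.Roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        context.Validated(identity);
        return Task.FromResult(0);
    }

    // Client credentials grant: the mobile app's token names the app, not a user.
    public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
    {
        if (context.ClientId != "AndroidApp")
        {
            context.SetError("unauthorized_client");
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim("client_id", context.ClientId));
        identity.AddClaim(new Claim(ClaimTypes.Name, "AndroidApp"));
        context.Validated(identity);
        return Task.FromResult(0);
    }
}

// Hypothetical attribute: admits only tokens issued to one of the listed clients.
public class AuthorizeClientAttribute : AuthorizeAttribute
{
    private readonly string[] _clientIds;
    public AuthorizeClientAttribute(params string[] clientIds) { _clientIds = clientIds; }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        if (!base.IsAuthorized(actionContext)) return false;
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        var client = principal == null ? null : principal.FindFirst("client_id");
        return client != null && _clientIds.Contains(client.Value);
    }
}

[RoutePrefix("api/reports")]
public class ReportsController : ApiController
{
    // Reachable only with an MVC-issued token whose user holds the Admin role.
    [Route("admin"), AuthorizeClient("MvcApp"), Authorize(Roles = "Admin")]
    public IHttpActionResult GetAdminReport() { return Ok("admin report"); }

    // Both apps may call this; a mobile token here is app-scoped, not a user.
    [Route("feed"), AuthorizeClient("MvcApp", "AndroidApp")]
    public IHttpActionResult GetFeed() { return Ok("feed"); }
}
```

The provider is plugged in through `OAuthAuthorizationServerOptions.Provider` with `TokenEndpointPath` set to `/Token`, followed by `app.UseOAuthBearerAuthentication`. The MVC server posts `grant_type=password` with its client id and secret in a Basic header, so user A is registered once, in the MVC database, and the API learns his roles from the token claims rather than from a second user table. The mobile app posts `grant_type=client_credentials&client_id=AndroidApp`; because that id is extractable from any install, the API should treat the resulting token as an anonymous app token and expose nothing to it beyond what an unregistered install is meant to do, which is what the `client_id` claim check on the MVC-only action enforces regardless of who knows the mobile credential.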

1 Answer


My answer doesn't directly answer your question but rather offers an alternative.

In the past, when developing similar solutions, I've used a specialist third-party identity service, Auth0.

With Auth0 you can have different application keys, profiles and also create rules (webhooks) which are executed as part of the authentication pipeline. They offer a range of social login as well as AD integration. They offer free and paid pricing.

I am not affiliated with Auth0 in any way, but will use their service as the starting point for any projects going forward - yes, it's a really impressive service!

Kane