I'm designing a web site that will have a mobile companion (initially iPhone only). The web site will be an ASP.Net MVC 3 application. I'll also have an ASP.Net Web API site (MVC 4) to expose services to the iPhone application. The iPhone app will have its own form to capture username and password from the user and send that to the web API in JSON headers.
I want to consider security from the start rather than an afterthought. I'm not a security expert by any means. I've done a good deal of research to see how others are handling authentication of a mobile application client from a web service. I think I've come up with a decent solution that doesn't involve hooking into third-party OAuths.
I would greatly appreciate any and all opinions, advice, criticism and general WTFs that any of you can offer. :)
My biggest concerns are:
The iPhone app will be developed as such:
Two strings are hard-coded into the iPhone app (same values for every user):
Two strings are stored in the iPhone app's local database (values unique to each user):
The iPhone will make calls to the web API in the following manner:
API Method: Create Account
Client Sends:
API Returns:
API Method: Get Account
(Used for getting user's hashing salt for accounts that were created on the web site but haven't yet been synced on the iPhone. This happens when a user tries to log in on the iPhone and iPhone detects that it has no record for that username.)
Client Sends:
API Returns:
API Method: Log In (Authenticate)
Client Sends:
API Returns:
API Method: Any Command (i.e. Create Post, Update Profile, Get Messages, etc...)
Client Sends:
Web API assumes that authentication happens in the host. For web hosting, the host is IIS, which uses HTTP modules for authentication. You can configure your project to use any of the authentication modules built into IIS or ASP.NET, or write your own HTTP module to perform custom authentication.
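As an added illustration of the custom-handler route just described, and of the question's "Log In" followed by "Any Command" flow (this is not code from the original question or from the linked repository): an ASP.NET Web API message handler that checks every request for a session token the Log In method issued, rejects plaintext HTTP, and sets the request principal so `[Authorize]` on controllers can do the rest. The `X-Session-Token` header name and the `ISessionStore` interface are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Http;

// Assumed abstraction: maps opaque tokens issued by Log In to usernames.
// A real store would live in a database and enforce expiry/revocation.
public interface ISessionStore
{
    bool TryGetUser(string token, out string username);
}

// Runs before any controller. The iPhone app sends the token it received
// from Log In back in a custom header on each subsequent API call.
public class SessionTokenHandler : DelegatingHandler
{
    private readonly ISessionStore _sessions;

    public SessionTokenHandler(ISessionStore sessions) { _sessions = sessions; }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Never accept a credential or token over plaintext HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return request.CreateResponse(HttpStatusCode.Forbidden, "HTTPS required");

        IEnumerable<string> values;
        string username;
        if (request.Headers.TryGetValues("X-Session-Token", out values)
            && _sessions.TryGetUser(values.FirstOrDefault(), out username))
        {
            // Identity is established only from the server-side store, never
            // from anything else the client claims in the request.
            var principal = new GenericPrincipal(new GenericIdentity(username), new string[0]);
            Thread.CurrentPrincipal = principal;
            if (HttpContext.Current != null) HttpContext.Current.User = principal;
        }

        // Unauthenticated requests continue; [Authorize] on the controller
        // returns 401 for them, so anonymous endpoints (Create Account,
        // Get Account, Log In) still work without a token.
        return await base.SendAsync(request, cancellationToken);
    }
}
```

Register it once in `WebApiConfig.Register` with `config.MessageHandlers.Add(new SessionTokenHandler(store));` and mark every "Any Command" controller with `[Authorize]`.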
Authentication is the process of determining a user's identity. Authorization is the process of determining whether a user has access to a resource. In ASP.NET Core, authentication is handled by the authentication service, IAuthenticationService, which is used by authentication middleware.
There are four ways to authenticate when calling a web API: API key authentication. Basic authentication. OAuth 2.0 Client Credentials Grant.
To use this article with Configure authentication in a sample web app that calls a web API, replace the sample web app with your own web app. This article focuses on the web application project. For instructions on how to create the web API, see the ToDo list web API sample.
Authentication in Web API. ASP.NET authentication is used to protect our applications and websites from unauthorized access and also to restrict users from accessing information with tools like Postman and Fiddler.
When a user needs to be authenticated, Forms Authentication will redirect them to your desktop login page, regardless of whether they're a desktop or mobile user (because it only has a concept of one login URL).
RESTful APIs can help make your mobile app more reliable, portable, simplified, and visible. Mobile APIs can enhance the core features of an app, like GPS data and databases. This will improve the experience on each mobile device of end users.
I did it using ASP.NET MVC 4.0/Web API basic membership. You may find it helpful.
Yeah, use SSL for sure.
https://github.com/aamir-poswal/Mobile-Apps-Authentication-Authorization-ASP.NET-WEB-MVC-4.0