I am writing a server using the ASP.NET Web API template and implementing REST services. This server will be a backend for a mobile game, where it will store the users' high scores, progress, and other information. I have taken a look at a number of approaches (this, this, and this) and I am having trouble deciding which approach to use. In my case I would primarily like to prevent score fraud, since each user account will contain limited info (outside of their email). Here is what would ideally be happening.
I'm having trouble narrowing down what type of authentication (no browser login screens and such) and authorization methods to use. Any help would be greatly appreciated.
-Tamas
Even if you are using basic authentication you will want to use HTTPS. If you are using HTTPS then you can also use client certificates to verify the client. Only clients with a valid certificate will be given access. If you are not opening up this API to other consumers and it will only be used by a client developed by you, you may want to consider WS-Security and WCF. There is an entertaining description of the differences using naked motorcycle drivers as a metaphor here.
If it's from different clients/devices, something like token-based authentication might work for you.
The idea is simple: you have an Authentication method in your web service. This method is responsible for checking the credentials and issuing a 'Token', some simple structure like a SHA1 or MD5 string which all further client calls use.
If the client is authenticated, it stores the token for the whole duration of the session. The rest of the web service methods, like SaveScore, just accept the token as a parameter. They are then responsible for checking whether it is valid or not. If the token is not valid, the call is not served.
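One way to implement the issue/validate pair this answer describes, as an added example rather than code from the thread: the token carries the user id and an expiry and is signed with a server-side HMAC, so methods like SaveScore can reject a forged, tampered or expired token before touching the database. The class and method names, the token format and the placeholder secret are my assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example, not from the original thread. The secret is a constructed
// placeholder; user ids are assumed not to contain the '|' separator.
public static class TokenService
{
    // Load from configuration in a real deployment; never hard-code it.
    private static readonly byte[] ServerSecret =
        Encoding.UTF8.GetBytes("placeholder-replace-with-32-random-bytes");
    // Issue a token after the caller has already checked the credentials.
    // Format: base64(userId|expiresUnix) + "." + base64(HMAC-SHA256(payload))
    public static string Issue(string userId, TimeSpan lifetime)
    {
        long expires = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        byte[] payload = Encoding.UTF8.GetBytes(userId + "|" + expires);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Sign(payload));
    }
    // Returns the user id when the token is authentic and unexpired, otherwise null.
    // Every API method that takes a token (e.g. SaveScore) calls this first.
    public static string Validate(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, mac;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        if (!FixedTimeEquals(Sign(payload), mac)) return null;      // forged or tampered
        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        long expires;
        if (fields.Length != 2 || !long.TryParse(fields[1], out expires)) return null;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() > expires) return null; // expired
        return fields[0];
    }
    private static byte[] Sign(byte[] data)
    {
        using (var hmac = new HMACSHA256(ServerSecret)) return hmac.ComputeHash(data);
    }
    // Compare every byte so timing does not reveal how much of the MAC matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the token is verified by its signature, a client that edits the user id or expiry in the payload gets null back from Validate and the request is refused; a short lifetime limits how long a leaked token stays useful.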