Authentication and authorization using REST and ASP.NET Web Api from cross-platform mobile applications

I am writing a server using the ASP.NET Web Api template and implementing REST services. This server will be a backend for a mobile game where it will store the users' highscores, progress, and other information. I have taken a look at a number of approaches (this, this, and this) and I am having trouble deciding what approach to use. In my case I would like to prevent fraud of scores primarily, since each user account will contain limited info (outside of their email). Here is what would ideally be happening.

  1. User opens app for the first time
  2. User is given option for custom username and this is checked by server so there aren't duplicates
  3. User is given a randomly generated six-digit pin number (so they can use the same account on different phones)
  4. User enters email address
  5. New user is created on server (server verifies that the account was created by a valid instance of my client application)
  6. User plays game, uploads results (Via basic authentication?)
  7. User can view global results (no security on GET methods that aren't user specific)

I'm having trouble narrowing down what type of authentication (no browser login screens and such) and authorization methods to use. Any help would be greatly appreciated.

-Tamas

tamaslnagy asked Apr 10 '12 18:04 (464 likes)


2 Answers

Even if you are using basic authentication you will want to use HTTPS. If you are using HTTPS then you can use client certificates to verify the client also. Only clients with a valid certificate will be given access. If you are not opening up this API to other consumers and it will only be used by a client developed by you, you may want to consider WS-Security and WCF. There is an entertaining description of the differences using naked motorcycle drivers as a metaphor here.

Kevin Junghans answered Oct 08 '22 16:10 (164 likes)


If it's from different clients/devices, something like token based authentication might work for you.

The idea is simple: you have an Authentication method in your Web service. This method is responsible for checking credentials and issuing a 'Token'. Some simple structure like a SHA1 or MD5 string which all further client calls use.

If the client is authenticated it stores the token for the whole duration of the session. The rest of the Web service methods, like SaveScore, just accept the token as a parameter. They are then responsible for checking whether it is valid or not. If the token is not valid the call is not served.

Alexander Beletsky answered Oct 08 '22 15:10 (26 likes)
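The token flow described in the answer above, as an added ASP.NET Web API example (editor's code, not the answer author's or the project's): a `Login` action checks the username and six-digit PIN and issues a token, and `SaveScore` refuses any call whose token is missing, unknown or expired. It swaps in an unguessable token (32 bytes from the OS CSPRNG) in place of the SHA1/MD5 string the answer mentions, and ties the score to the user the token was issued to rather than to a client-supplied username. `UserRepository`, `ScoreRepository`, `TokenStore` and the `GameController` actions are hypothetical names; the in-memory store and the sample account are constructed for the example, and the `api/{controller}/{action}` route is assumed to be configured.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Web.Http;

// Request models for the two calls (constructed for this example).
public class LoginRequest { public string Username { get; set; } public string Pin { get; set; } }
public class ScoreRequest { public string Token { get; set; } public int Score { get; set; } }

// Hypothetical stand-in for the account store: one constructed sample account.
// Real code would compare the PIN against a stored salted hash, not plaintext.
public static class UserRepository
{
    private static readonly Dictionary<string, string> Pins =
        new Dictionary<string, string> { { "alice", "123456" } };

    public static bool CheckPin(string username, string pin)
    {
        string stored;
        return username != null && Pins.TryGetValue(username, out stored) && stored == pin;
    }
}

// Hypothetical stand-in for score persistence.
public static class ScoreRepository
{
    public static readonly ConcurrentDictionary<string, int> Best = new ConcurrentDictionary<string, int>();
    public static void Save(string user, int score) { Best.AddOrUpdate(user, score, (u, old) => Math.Max(old, score)); }
}

// In-memory token store: token -> (username, expiry). Constructed so the example is
// self-contained; a deployment would back this with a database or distributed cache.
public static class TokenStore
{
    private static readonly ConcurrentDictionary<string, Tuple<string, DateTime>> Tokens =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromHours(1);

    // Issue a token from 32 random bytes: unlike a hash of predictable data (username,
    // timestamp), it cannot be guessed or recomputed by another client.
    public static string Issue(string username)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(bytes); }
        var token = Convert.ToBase64String(bytes);
        Tokens[token] = Tuple.Create(username, DateTime.UtcNow.Add(Lifetime));
        return token;
    }

    // Returns the username bound to a valid, unexpired token, or null.
    public static string Validate(string token)
    {
        Tuple<string, DateTime> entry;
        if (token == null || !Tokens.TryGetValue(token, out entry)) return null;
        if (entry.Item2 < DateTime.UtcNow)
        {
            Tokens.TryRemove(token, out entry); // expired: drop it so it cannot be reused
            return null;
        }
        return entry.Item1;
    }
}

public class GameController : ApiController
{
    // POST api/game/login : the "Authentication method" from the answer.
    [HttpPost]
    public HttpResponseMessage Login(LoginRequest req)
    {
        if (req == null || !UserRepository.CheckPin(req.Username, req.Pin))
            return Request.CreateResponse(HttpStatusCode.Unauthorized);

        return Request.CreateResponse(HttpStatusCode.OK, new { token = TokenStore.Issue(req.Username) });
    }

    // POST api/game/savescore : every further call carries the token and is not served if it is invalid.
    [HttpPost]
    public HttpResponseMessage SaveScore(ScoreRequest req)
    {
        var user = req == null ? null : TokenStore.Validate(req.Token);
        if (user == null)
            return Request.CreateResponse(HttpStatusCode.Unauthorized);

        // The score is recorded against the token's owner, never a client-supplied name,
        // so one player cannot post scores as another.
        ScoreRepository.Save(user, req.Score);
        return Request.CreateResponse(HttpStatusCode.OK);
    }
}
```

As the other answer notes, this only holds up over HTTPS: the token is a bearer credential, so anyone who can read the request body can replay it until it expires, which is also why the store gives tokens a lifetime rather than keeping them valid forever.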