 

Authentication with Asp.Net, RavenDB and OAuth support

Building a website that will also require an API and therefore (possibly) OAuth support for login, I'm in doubt how to approach the user and authentication part.

So I've got an ASP.NET MVC4 application with RavenDB.

What is the best approach?

  • To use one of the Membership providers for RavenDB and deal with the OAuth separately in the API part? Ex. Griffin's solution here.

  • Or to make a custom solution that kind of re-implements the membership-crap and supports OAuth.

I'm not really sure where to start, any suggestions on how to do this are appreciated.

esbenr asked Dec 15 '12 09:12




1 Answer

** Clicky-click for da GitHub project **

IMO, forget storing usernames and passwords. That's crazy talk! Let people log in with their Facebook, Google or Twitter credentials. That's the 80%'s for the common websites.

Authentication and storing the credentials are two different tasks IMO. For example, I don't care where you authenticate against .. and once you do .. I don't care how you store that data :)

Personally, I would store it in a RavenDb .. but that's my personal choice.

As such -> keeping these two tasks SEPARATE is (IMO) crucial.

So let's look at some codez ....

public ActionResult AuthenticateCallback(string providerKey)
{
    // SNIP SNIP SNIP SNIP

    var model = new AuthenticateCallbackViewModel();
    try
    {
        // SNIP SNIP SNIP SNIP

        // Complete the authentication process by retrieving the UserInformation from the provider.
        model.AuthenticatedClient = _authenticationService.CheckCallback(providerKey, Request.Params, state.ToString());


        // Create a new user account or update an existing account.
        // Whatever you end up doing, this is the part u want to
        // pass this data to your repository (eg. RavenDb, Sql Server, etc)
        // I'll use RavenDb in this example...
        // And yes .. this is a contrived example. U might want to check for
        // existing email or id or whatever u need to do, etc.
        var myUser = Mapper.Map<User>(model.AuthenticatedClient);
        session.Store(myUser);
        session.SaveChanges();

        // SNIP SNIP SNIP SNIP
    }
    catch (Exception exception)
    {
        model.Exception = exception;
    }

    return View(model);
}

So let's look at what I've done. I've snipped out any verbose stuff (value checks, etc) which are just noise in this SO answer.

First, I handle the Authenticate callback. Eg. I've just gone to Facebook and it's said 'yes! you ARE you' .. and it's coming back to my website, with some data I've asked it to give me.

Next... we are given some data from Facebook .. but this might not be in the format we want to put it into, in RavenDb. So I convert it from the old format to a new shiny User class which is what you'll stick in your Db.

Third - I store this in the Db. This is where you would do any custom DB logic.

That's it.

M O D U L A R I Z E T H A T S H I T

The.End.

Now excuse me .. there's a few hours left before The Apocalypse. I must prepare myself.

Pure.Krome answered Nov 16 '22 01:11
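
The answer's code comment notes that a real callback should check for an existing account before storing. The sketch below is an added example, not code from the answer or its GitHub project, showing one way to do that create-or-update step. `ProviderIdentity`, `IUserStore`, `InMemoryUserStore` and `Accounts.Upsert` are hypothetical names, and the in-memory store stands in for a RavenDB session so the example runs without a database.

```csharp
using System;
using System.Collections.Generic;

// Constructed sample callbacks: the same Facebook user logging in twice.
var store = new InMemoryUserStore();
var first = Accounts.Upsert(store, new ProviderIdentity("Facebook", "12345", "Jane", "jane@example.com"));
var again = Accounts.Upsert(store, new ProviderIdentity("facebook", "12345", "Jane D.", "jd@example.com"));
Console.WriteLine($"{again.Id} reused: {ReferenceEquals(first, again)}, email now {again.Email}");

// Hypothetical shape of the data returned by the provider callback.
public sealed record ProviderIdentity(string Provider, string ProviderUserId, string Name, string Email);

public sealed class User
{
    public string Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
}

// Hypothetical storage seam; a RavenDB version would wrap session.Load<User>(id),
// session.Store(user) and session.SaveChanges().
public interface IUserStore { User Load(string id); void Save(User user); }

public sealed class InMemoryUserStore : IUserStore
{
    private readonly Dictionary<string, User> _docs = new Dictionary<string, User>();
    public User Load(string id) => _docs.TryGetValue(id, out var user) ? user : null;
    public void Save(User user) => _docs[user.Id] = user;
}

public static class Accounts
{
    public static User Upsert(IUserStore store, ProviderIdentity identity)
    {
        if (string.IsNullOrWhiteSpace(identity.Provider) || string.IsNullOrWhiteSpace(identity.ProviderUserId))
            throw new ArgumentException("Provider name and provider user id are required.");

        // Key the account on provider + provider-issued id. Email is stored as profile data
        // only: it can change, and it is not used here to find or merge accounts.
        var id = $"users/{identity.Provider.ToLowerInvariant()}/{Uri.EscapeDataString(identity.ProviderUserId)}";
        var user = store.Load(id) ?? new User { Id = id };   // update if present, else create
        user.Name = identity.Name;
        user.Email = identity.Email;
        store.Save(user);
        return user;
    }
}
```

Because the document id is derived from the provider and its user id, a repeat login updates the existing document instead of storing a duplicate on every callback.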