Mech0z
Member
34 Points
40 Posts
How do I return authorization data with mvc 4 api to a phone app?
Apr 28, 2012 01:38 PM
I am making a RESTful API using MVC 4, but I am in doubt about how I am supposed to do authorization correctly.
I want to be able to make a single POST where I log in to the API; then all my GETs should have an [Authorize] attribute, and without sending a login object with each GET request I should be able to GET just by supplying an ID or similar. But how am I supposed to do this, and is it even remotely the correct way to do it?
BrockAllen
All-Star
27522 Points
4901 Posts
MVP
Re: How do I return authorization data with mvc 4 api to a phone app?
Apr 28, 2012 01:41 PM
If a user logs into the browser based application with traditional means (forms or windows) then any Ajax calls from the browser will also send the same token used for authentication (cookie or AuthZ header), so any WebApi calls will be seen as from the same user. So you should be able to apply your [Authorize] attribute to enforce authorization.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
Mech0z
Member
34 Points
40 Posts
Re: How do I return authorization data with mvc 4 api to a phone app?
Apr 28, 2012 01:53 PM
But I am accessing the API through a phone. Can I return an auth header to the phone somehow?
BrockAllen
All-Star
27522 Points
4901 Posts
MVP
Re: How do I return authorization data with mvc 4 api to a phone app?
Apr 28, 2012 02:09 PM
Ok, so in this case you have more work to do. Is the authentication based upon the end user or are you just doing app-to-app communication?
If it's an end user, the easiest solution is using Basic auth, but that's only if the phone app is from the same company as the server app (meaning the app is highly trusted from a user's perspective). The server would just then enable basic auth in IIS and you should be all set. The client app would then prompt for credentials and set them into the HTTP header.
The more elaborate solution is to look into OAuth2 (especially if the phone app is not from the same company as the WebApi app) -- this is where the industry is moving for protecting an end user's credentials and still allowing a user to grant an app access to their resources.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
Mech0z
Member
34 Points
40 Posts
Re: How do I return authorization data with mvc 4 api to a phone app?
Apr 28, 2012 02:16 PM
I am trying to create a small turn-based multiplayer game, and the website API would be the "middle" man containing all game sessions. So for example a user should be able to do api/gamename/games and get a list back with all the games he is participating in.
Also, the website is on a cheap host where I don't have access to the IIS. Is it then not possible to do Basic auth? (I know it's hard to do SSL as well.)
francesco ab...
All-Star
20912 Points
3279 Posts
Re: How do I return authorization data with mvc 4 api to a phone app?
Apr 28, 2012 02:20 PM
Use IIS basic authorization (or also digest authorization if your phone supports it... just try). If you do this, users are transformed into Windows users automatically by IIS. This means you must have a Windows user for each user of the phone application. Then you have to select Windows authentication in the config file of your MVC application. Obviously users authenticate with their Windows credentials.
If you don't like this (putting users in your Windows domain), you have to use forms authentication, which doesn't use the HTML standard authorization protocols. It works on phones exactly the same way as for desktop devices.
Mvc Controls Toolkit | Data Moving Plug-in Videos
BrockAllen
All-Star
27522 Points
4901 Posts
MVP
Re: How do I return authorization data with mvc 4 api to a phone app?
Apr 28, 2012 02:23 PM
So if you can't use IIS' basic auth, invent your own -- you can still prompt for credentials and send those as the Authorization HTTP header. You would then do that processing on the server, probably as a message handler. In the message handler validate the credentials and then create a principal and assign it to the Thread.CurrentPrincipal (and in the HttpContext.User and in the RequestMessage object). Then with this plumbing your WebApi actions can use [Authorize].
None of this is useful if you don't use SSL, tho :) I know you're just building a game, but look what happened to this guy.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
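One way to build the plumbing BrockAllen describes here (a message handler that validates the Basic credentials the client puts in the Authorization header, as in his earlier reply, and installs a principal so that [Authorize] works) is shown below as an added example. It is not code from the thread or from any of the posters. It assumes ASP.NET Web API 1 as shipped with MVC 4 on .NET 4.5 (for Task.FromResult), a realm name "GameApi", and an in-memory user store constructed for the demo; the PasswordHash class and the "alice" entry are assumptions, not anything the thread specifies. It goes a little beyond the post in two ways: it refuses to read credentials over plain HTTP (the SSL point made in the same reply) and it compares salted PBKDF2 hashes instead of plaintext passwords.

```csharp
// Added example, not code from the thread. Assumes ASP.NET Web API 1 (MVC 4) on .NET 4.5 and a
// hypothetical in-memory user store; the Web API / System.Net.Http calls are the real framework API.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

// Message handler that does the Basic-auth plumbing. Register it once at startup, e.g. in Application_Start:
//   GlobalConfiguration.Configuration.MessageHandlers.Add(new BasicAuthMessageHandler());
public class BasicAuthMessageHandler : DelegatingHandler
{
    private const string Realm = "GameApi"; // assumed realm name

    // Constructed user store: user name -> salted PBKDF2 hash. A real app loads these from its database.
    private static readonly Dictionary<string, PasswordHash> Users = new Dictionary<string, PasswordHash>
    {
        { "alice", PasswordHash.Create("correct horse battery staple") }
    };

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Basic credentials are base64-encoded, not encrypted: refuse to read them over plain HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Forbidden, "HTTPS is required"));

        var auth = request.Headers.Authorization;
        if (auth != null && string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase))
        {
            var principal = Authenticate(auth.Parameter);
            if (principal == null) // header present but wrong: reject, do not fall through anonymously
                return Task.FromResult(Challenge(request.CreateResponse(HttpStatusCode.Unauthorized)));

            // Thread.CurrentPrincipal is what [Authorize] inspects in Web API 1; HttpContext.User keeps
            // the rest of ASP.NET consistent when the API is hosted in IIS.
            Thread.CurrentPrincipal = principal;
            if (HttpContext.Current != null) HttpContext.Current.User = principal;
        }

        // No header: continue anonymously so endpoints without [Authorize] (e.g. registration) still work.
        // [Authorize] itself produces the 401; attach the Basic challenge so the client knows how to retry.
        return base.SendAsync(request, cancellationToken).ContinueWith(t =>
            t.Result.StatusCode == HttpStatusCode.Unauthorized ? Challenge(t.Result) : t.Result, cancellationToken);
    }

    private static IPrincipal Authenticate(string base64Parameter)
    {
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(base64Parameter ?? "")); }
        catch (FormatException) { return null; }

        // Split on the first colon only: RFC 2617 allows the password itself to contain colons.
        var colon = decoded.IndexOf(':');
        if (colon <= 0) return null;
        var userName = decoded.Substring(0, colon);
        var password = decoded.Substring(colon + 1);

        PasswordHash stored;
        if (!Users.TryGetValue(userName, out stored) || !stored.Verify(password)) return null;
        return new GenericPrincipal(new GenericIdentity(userName, "Basic"), new string[0]);
    }

    private static HttpResponseMessage Challenge(HttpResponseMessage response)
    {
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"" + Realm + "\""));
        return response;
    }
}

// Salted PBKDF2 password verification with a constant-time comparison; plaintext passwords are never stored.
public sealed class PasswordHash
{
    private const int Iterations = 10000, Size = 32;
    private readonly byte[] salt, hash;

    private PasswordHash(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }

    public static PasswordHash Create(string password)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return new PasswordHash(salt, kdf.GetBytes(Size));
    }

    public bool Verify(string password)
    {
        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) candidate = kdf.GetBytes(Size);
        var diff = 0;
        for (var i = 0; i < Size; i++) diff |= hash[i] ^ candidate[i];
        return diff == 0;
    }
}
```

With the handler registered, a controller action marked [Authorize] runs only when the thread principal is authenticated, and ApiController.User gives the action the caller's identity so that, for instance, a GET on api/gamename/games can return just that user's games. A request with no Authorization header reaches the action anonymously, which lets unauthenticated endpoints coexist with protected ones; a request with a wrong header is rejected before the action runs.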
Mech0z
Member
34 Points
40 Posts
Re: How do I return authorization data with mvc 4 api to a phone app?
Apr 28, 2012 02:30 PM
If it goes live we will use SSL, but this is just in the testing phase.
But from what I can see, the HTTP Basic header sends the username and password with each GET/POST request? Then I don't need a login feature, I suppose.
BrockAllen
All-Star
27522 Points
4901 Posts
MVP
Re: How do I return authorization data with mvc 4 api to a phone app?
Apr 28, 2012 02:34 PM
Oh yea, for testing... no worries. I just meant once you deploy "for real".
Yes they're sent on every request, but you need to somehow know the username/password and presumably you'd have to ask the user for those.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
Mech0z
Member
34 Points
40 Posts
Re: How do I return authorization data with mvc 4 api to a phone app?
Apr 28, 2012 02:48 PM
Ok, I will use that for now, but I suppose that limits me to not being able to put an [Authorize] on top of the GET methods; I will have to authorize them in each GET method.