Last post Jun 09, 2016 09:02 AM by kazim85
Jun 08, 2016 11:35 AM|kazim85
We have planned to implement authentication in our API using OAuth. For this purpose I read many articles on the web to explore it. After reading these articles, what I understand is:
To authenticate our API user needs to pass the following parameters.
What I am thinking is to pass these values via request headers. The problem is that these request headers can easily be viewed in the browser console and someone can easily misuse them. Please suggest: is this the right way to authenticate the API, or should we use something else for this purpose?
Jun 09, 2016 08:13 AM|Chris Zhao
A token is a piece of data which is created by a server, and which contains enough data to identify a particular user. The process starts by allowing users to enter their username and password when accessing a service. Once the user provides the username/password, a token is issued which allows users to fetch a specific resource without using their username and password every time. This token is sent to the server with each request made by the client and contains all necessary information to validate a user's request.
Token Based Authentication Using ASP.Net Web API, OWIN and Identity With Entity Framework
Token Based Authentication in Web API 2
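The token flow described in the reply above, as an added example that is not part of the original post and is not the token format OWIN itself produces: the server issues a signed token carrying the user id and an expiry, then validates it on every request. The class name `DemoToken`, the key, the `userId|expiry` layout and the user id `employee-42` are constructed for illustration; it assumes .NET Core 2.1 or later for `CryptographicOperations`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: illustrative HMAC-signed token (hypothetical format, not OWIN's).
public static class DemoToken
{
    // Constructed demo key; a real service loads a random secret from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-do-not-reuse");

    // Server side, called once the username/password check has succeeded.
    public static string Issue(string userId, DateTimeOffset expires)
    {
        string payload = B64(Encoding.UTF8.GetBytes(userId + "|" + expires.ToUnixTimeSeconds()));
        return payload + "." + B64(Sign(payload));
    }

    // Server side, on every request: returns the user id, or null when the token is rejected.
    public static string Validate(string token, DateTimeOffset now)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        try
        {
            byte[] given = Convert.FromBase64String(parts[1]);
            // Constant-time comparison: timing does not reveal how much of a forged signature matched.
            if (!CryptographicOperations.FixedTimeEquals(given, Sign(parts[0]))) return null;
            string[] fields = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])).Split('|');
            if (fields.Length != 2 || !long.TryParse(fields[1], out long exp)) return null;
            return now.ToUnixTimeSeconds() < exp ? fields[0] : null; // expired tokens are rejected
        }
        catch (FormatException) { return null; } // malformed base64
    }

    private static byte[] Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    private static string B64(byte[] data) => Convert.ToBase64String(data);

    public static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string token = Issue("employee-42", now.AddMinutes(20));
        Console.WriteLine(Validate(token, now) ?? "rejected");             // valid token
        Console.WriteLine(Validate(token, now.AddHours(1)) ?? "rejected"); // past its expiry
        Console.WriteLine(Validate("x" + token, now) ?? "rejected");       // payload altered
    }
}
```

The signature stops a client from altering the user id or expiry, but the token is still a bearer credential: whoever holds it can use it until it expires, so it is sent only over HTTPS and kept short-lived.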
Jun 09, 2016 09:02 AM|kazim85
Thanks for your reply. But I am still confused. Most of the articles I read about OAuth say that this authorization process will be at the service provider's end, like Google. When the user wants to access their data in the client application, they are first redirected to the authorization server and, if authenticated successfully, an access token will be generated at the server end and sent back to the client. Am I correct?
My boss doesn't want me to redirect to the service provider's website for authentication. In his opinion, all of this authentication process should be limited to the client application. This means I only need to pass client information like (authorization token, client app id, employeeid) to the API and, if authentication passes successfully, the API will send back an access token for further processing. He also wants this information not to be visible in the browser console, because this is secret information and someone can hijack it. I wanted to ask, first of all, whether this is the right way and, if yes, how I could achieve this?