Last post Apr 01, 2019 12:11 PM by mgebhard
Apr 01, 2019 11:10 AM|Maor.Busk|LINK
Apr 01, 2019 11:33 AM|mgebhard|LINK
<div>1. What is the best practice for implementing an authentication layer?</div> <div>I already authenticate at the API, should I authenticate at the MVC application too?</div> <div>And isn't it too much?</div>
It depends on your requirements. It is very common to secure a web application with username/password. ASP.NET Identity is an API and data store for handling user accounts.
<div>2. After authenticating with the API, how do I keep the authenticated user</div> <div>that was authenticated at the API also appear in the MVC? like session storage?</div>
Since the applications are under the same domain, Identity would secure both applications using an Auth Cookie.
<div>What is a better practice? the Ajax approach since it is so popular and common?</div> <div>or the backend approach?</div>
<div>Also, there are things like validating the model in MVC, how that happens if all data</div> <div>comes from the API?</div>
Model validation works the same in Web API as it does in MVC, although Web API does not have a UI.
<div>Does that make Ajax a less preferred approach?</div>
Apr 01, 2019 11:47 AM|Maor.Busk|LINK
Apr 01, 2019 12:11 PM|mgebhard|LINK
<div>When you request your Facebook home page you're actually calling</div> <div>an MVC controller I believe but before that you also request the login</div> <div>page using the login controller and provide your credentials to the UI.</div> <div>So my question is how many requests are being done here? 1 or 2 ?</div> <div>Since I believe Facebook is not just an MVC application, and it also</div> <div>has some backend service as we know graph API of Facebook that can be accessed</div> <div>without using the web browser.</div>
<div>So what is being done here? one request to the MVC controller to get the view and</div> <div>another to the API to get the data to populate the view??</div>
It depends on how you built the application. Facebook auth uses OAuth so your site redirects to Facebook passing a name and secret. The user logs in and Facebook redirects the user's browser back to your site along with a token. Your site caches the token in an auth cookie which is used to authorize the user agent.
<div>I also mentioned that the 2 projects do not sit under the same domain, they each</div> <div>have a different url, like Facebook has management url, authentication url, and graph url and more.</div> <div>So there is an issue of remoteness.</div>
I misread your response. I use a central token server (OAuth/OIDC) to secure remote resources.
<div>And last, the model validation question, that's the exact issue, the service is remotely</div> <div>consumed and the entity framework model is in the web api project, and it is being referenced.</div> <div>but there are many questions about that as far as approach at least.</div>
Model validation fires when the input data is bound to the type. The general approach is checking if the model is valid. Return a 400 if the model is invalid. You can also return a 400 with a message. These fundamentals are covered in the Getting Started