
Authenticate to Web API using an OAuth provider (FB etc.), client side only (HTML5/JS phone app).

This is a tricky one. So I can authenticate to our Web API using a username and password, using JS from an HTML client, passing username & password as parameters over HTTPS; we can set the user to authorised so they can access additional controller(s) for DB updates etc. So far so good, bear with me.

I can authenticate to FB using MVC and set the user to authorised.

I can do the same with HTML & JS client side (hooray). Now how would I then authorise the controller? OK, I get the user's email from FB, so what, anyone could pass that. I suppose I could redirect to an MVC page (from the client) and then set auth on the controller(s) that way, but that's just not good (sending the user out of the app, or a pop-up window).

What's the best method to authenticate the user from the client and authorise Web API controllers at the same time securely? Do I have to redirect the user to an MVC page and do it that way? How are others handling this for phone apps / PhoneGap / Intel XDK?

fuzzybear
  • So if I get the access token from the JS API http://stackoverflow.com/questions/6126517/retrieve-access-token-using-javascript-api and send that over HTTPS to Web API, and use FB Graph – fuzzybear May 20 '14 at 01:01
  • cough....that took longer than five mins.....So if I get the access token from the JS, send that over HTTPS to Web API, then send that over to FB Graph https://graph.facebook.com/me?access_token=YOUR_ACCESS_TOKEN from within Web API, then authorise the controller(s), is that secure, maybe...? – fuzzybear May 20 '14 at 01:09
  • Authentication can only be performed server side, you only ever authenticate your identity with a server. You come into issues with cross browser scripting. Also, it's not safe. – Jason Foglia May 20 '14 at 01:32
  • You can authenticate server side and make requests server side to the API and send the response back to the browser. – Jason Foglia May 20 '14 at 01:33
  • so how is it done in cross-platform apps XDK / PhoneGap? – fuzzybear May 20 '14 at 01:34
  • PhoneGap and I'm assuming XDK are wrappers, it is a real app that is more like a browser for your HTML/HTML5 app. Its purpose is to give you access to the phone's underlying features that you can't always obtain via HTML5. – Jason Foglia May 20 '14 at 01:36
  • so why would Facebook return the access token then in JS? PS the JS FB SDK authenticates client side only! – fuzzybear May 20 '14 at 01:43
  • I'm not familiar with the FB API. – Jason Foglia May 20 '14 at 01:47

1 Answer


The method apparently is (example Facebook, but the process is the same for any OAuth provider): obtain an access token by getting the user to sign in/on. Verify the token is genuine using the server API (in FB's case the Graph API). The client is happily logged in until the access token expires. On expiry (2 hours is the default), redirect the user to log in again; the app is known, so it should authenticate without signing in again, unless the user has revoked authorisation for your app.

Here's a link on how to handle an expired access token (examples are in PHP)

Not exactly elegant, but it is what it is, and I thought it was only for super geeks!

Sorry to answer my own question.

fuzzybear
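As an added example (not code from the original question, the answer, or the questioner's project): an ASP.NET Web API 2 authorization filter that performs the server-side verification step the answer describes, so a token the JS client obtained from the FB SDK is checked with Facebook before any controller marked `[FacebookTokenAuthorize]` runs. It assumes Newtonsoft.Json is referenced, that the `YOUR_APP_ID` / `YOUR_APP_ID|YOUR_APP_SECRET` placeholders are replaced from server-side configuration, and it goes one step beyond the `/me` lookup in the comments by also checking that the token was issued for this app.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Newtonsoft.Json.Linq;

public class FacebookTokenAuthorizeAttribute : AuthorizationFilterAttribute
{
    // Placeholders: load from server-side configuration; the app secret never reaches the client.
    private const string AppId = "YOUR_APP_ID";
    private const string AppToken = "YOUR_APP_ID|YOUR_APP_SECRET";
    private static readonly HttpClient Graph = new HttpClient();
    public override async Task OnAuthorizationAsync(HttpActionContext ctx, CancellationToken ct)
    {
        // The JS client sends the token the FB SDK gave it as "Authorization: Bearer <token>".
        AuthenticationHeaderValue auth = ctx.Request.Headers.Authorization;
        string userId = auth != null && auth.Scheme == "Bearer" && !string.IsNullOrEmpty(auth.Parameter)
            ? await VerifyWithGraphAsync(auth.Parameter) : null;
        if (string.IsNullOrEmpty(userId))
        {
            ctx.Response = ctx.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }
        // Identify the caller by the Facebook user id, which only Facebook can vouch for;
        // an email the client claims for itself proves nothing.
        var identity = new ClaimsIdentity("Facebook");
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        ctx.RequestContext.Principal = new ClaimsPrincipal(identity);
    }
    // Asks Facebook, not the client, whether the token is genuine, unexpired and minted for
    // *this* app (a plain /me lookup would also accept a valid token issued to another app).
    // Returns the Facebook user id, or null if the token is not acceptable.
    private static async Task<string> VerifyWithGraphAsync(string token)
    {
        string url = "https://graph.facebook.com/debug_token?input_token=" + Uri.EscapeDataString(token)
            + "&access_token=" + Uri.EscapeDataString(AppToken);
        try
        {
            JToken data = JObject.Parse(await Graph.GetStringAsync(url))["data"];
            bool ok = data != null && (bool?)data["is_valid"] == true && (string)data["app_id"] == AppId;
            return ok ? (string)data["user_id"] : null;
        }
        catch (HttpRequestException) { return null; } // Graph rejected the token or is unreachable
    }
}
```

The client still only holds the short-lived user token; when Facebook reports it expired, the filter returns 401 and the app sends the user back through the FB login flow as the answer describes.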