MVC 5, Identity 2.0 Android Rest / Json Api
I have an ASP.NET MVC 5 application that uses Identity 2.0 for authentication / authorization. Now I want to provide data access in my web app to my Android app via Web Api 2.0.
My question is, how do I control authorization / authentication of access to my android application?
On Android side, I am using "org.springframework.web.client.RestTemplate" and add this HTTP header to my request:
import org.springframework.http.HttpAuthentication;
import org.springframework.http.HttpBasicAuthentication;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
HttpAuthentication authHeader = new HttpBasicAuthentication("username", "password");
HttpHeaders requestHeaders = new HttpHeaders();
requestHeaders.setAuthorization(authHeader);
HttpEntity<?> requestEntity = new HttpEntity<Object>(requestHeaders);
Should I just create a filter or HttpModule, parse the HTTP header and query the DB to check if an existing user exists for that?
It's clear to me how this works with the HTML / Javascript frontend. There is a cookie used after every successful login that is used for all subsequent calls, but what is the best strategy for my android app?
Update: Found these two links, but I'm not sure if I should go this way:
http://springinpractice.com/2012/04/08/sending-cookies-with-resttemplate
http://blog.mikepearce.net/2010/08/24/cookies-and-the-restful-api/
You can, as you suggested, create a filter for your Web API controllers to authenticate and authorize access from your client application. Here is a blog post that can help you implement such a thing.
However, I suggest using access tokens as defined by the OAuth standard. This authentication and authorization method works very well for mobile applications. You can create access tokens that serve your mobile client application in the same way that cookies serve a browser client, or you can use short-lived access tokens together with long-lived refresh tokens. There is also nothing to stop you from using OAuth with browser clients, giving you a single authentication implementation. Here's a great SO answer on tokens and OAuth.
Check out the IdentityServer blurb from its GitHub repository:
IdentityServer is a .NET/Katana-based framework and hosting component that enables single sign-on and access control for modern web applications and APIs using protocols such as OpenID Connect and OAuth2. It supports a wide variety of clients such as mobile, web, SPA and desktop applications and is extensible to integrate into new and existing architectures.
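As an added example (it is not part of the answer above or of the blog post it links to), here is the Basic-auth filter the question asks about, written as a Web API 2 IAuthenticationFilter that checks the credentials through ASP.NET Identity 2.0 rather than by querying the user table directly. It assumes the ApplicationUserManager and ApplicationUser classes from the MVC 5 "Individual User Accounts" template, registered per OWIN context in Startup.Auth.cs; the attribute name and the "api" realm are made up for the example.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Assumed: ApplicationUserManager / ApplicationUser from the MVC 5 template, registered with
// app.CreatePerOwinContext(ApplicationUserManager.Create) so GetUserManager<T>() can find it.
public class BasicAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    private static readonly AuthenticationHeaderValue Challenge =
        new AuthenticationHeaderValue("Basic", "realm=\"api\"");

    public bool AllowMultiple { get { return false; } }

    public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        HttpRequestMessage request = context.Request;

        // Basic auth carries the password itself on every call: refuse to process it over plain HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            context.ErrorResult = new StatusCodeResult(HttpStatusCode.Forbidden, request);
            return;
        }

        AuthenticationHeaderValue authorization = request.Headers.Authorization;
        if (authorization == null || !"Basic".Equals(authorization.Scheme, StringComparison.OrdinalIgnoreCase))
        {
            return; // no credentials: stay anonymous and let [Authorize] answer with 401
        }

        string userName, password;
        if (!TryParseCredentials(authorization.Parameter, out userName, out password))
        {
            context.ErrorResult = new UnauthorizedResult(new[] { Challenge }, request);
            return;
        }

        var userManager = request.GetOwinContext().GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await userManager.FindByNameAsync(userName);

        // CheckPasswordAsync only verifies the hash; the lockout counter that SignInManager drives
        // for the cookie login has to be driven here, or the API becomes a brute-force side door.
        bool lockout = user != null && userManager.SupportsUserLockout;
        if (user == null || (lockout && await userManager.IsLockedOutAsync(user.Id)))
        {
            context.ErrorResult = new UnauthorizedResult(new[] { Challenge }, request);
            return;
        }
        if (!await userManager.CheckPasswordAsync(user, password))
        {
            if (lockout) await userManager.AccessFailedAsync(user.Id);
            context.ErrorResult = new UnauthorizedResult(new[] { Challenge }, request);
            return;
        }
        if (lockout) await userManager.ResetAccessFailedCountAsync(user.Id);

        // Same claims identity the cookie login builds, so [Authorize(Roles = "...")] keeps working.
        ClaimsIdentity identity = await userManager.CreateIdentityAsync(user, "Basic");
        context.Principal = new ClaimsPrincipal(identity);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        context.Result = new AddChallengeOnUnauthorizedResult(Challenge, context.Result);
        return Task.FromResult(0);
    }

    private static bool TryParseCredentials(string parameter, out string userName, out string password)
    {
        userName = password = null;
        if (string.IsNullOrWhiteSpace(parameter)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false; // RFC 7617: the user-id may not contain ':'; the password may
        userName = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    // Adds WWW-Authenticate to 401 responses produced later in the pipeline, e.g. by [Authorize].
    private sealed class AddChallengeOnUnauthorizedResult : IHttpActionResult
    {
        private readonly AuthenticationHeaderValue _challenge;
        private readonly IHttpActionResult _inner;

        public AddChallengeOnUnauthorizedResult(AuthenticationHeaderValue challenge, IHttpActionResult inner)
        { _challenge = challenge; _inner = inner; }

        public async Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
        {
            HttpResponseMessage response = await _inner.ExecuteAsync(cancellationToken);
            if (response.StatusCode == HttpStatusCode.Unauthorized &&
                !response.Headers.WwwAuthenticate.Any(h => h.Scheme == _challenge.Scheme))
            {
                response.Headers.WwwAuthenticate.Add(_challenge);
            }
            return response;
        }
    }
}
```

Apply it as [BasicAuthentication] next to [Authorize] on the API controllers, or register it globally in WebApiConfig. Two caveats: the scheme check assumes TLS terminates in IIS itself, so behind a TLS-offloading proxy you would have to check the forwarded-protocol header instead; and since every request carries the password, this is only acceptable when the whole API is HTTPS-only, which is one reason the answer prefers tokens.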
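The token approach the answer recommends, as an added example (not code from the answer, the linked SO post, or IdentityServer): the OWIN OAuth2 authorization server that ships with Web API 2 (Microsoft.Owin.Security.OAuth), configured for the resource owner password grant with 15-minute access tokens and 30-day single-use refresh tokens. It again assumes the template's ApplicationUserManager / ApplicationUser; the provider and store class names, the token lifetimes and the in-memory refresh-token store are illustrative choices, not the framework's defaults.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // Called from Startup.Configuration. Assumed: ApplicationUserManager (the template's
    // UserManager subclass) is already registered with app.CreatePerOwinContext.
    public void ConfigureOAuth(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new PasswordGrantProvider(),
            RefreshTokenProvider = new InMemoryRefreshTokenProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15), // short-lived bearer token
            AllowInsecureHttp = false                              // /token is served over TLS only
        });
        // Accepts "Authorization: Bearer <access_token>" on the Web API controllers.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

public class PasswordGrantProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // A mobile app cannot keep a client secret, so the client is treated as public and
        // only the user's own credentials (resource owner password grant) are checked.
        context.Validated();
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await userManager.FindByNameAsync(context.UserName);
        if (user == null || !await userManager.CheckPasswordAsync(user, context.Password))
        {
            // One message for unknown user and wrong password, so the endpoint does not enumerate users.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        ClaimsIdentity identity = await userManager.CreateIdentityAsync(user, context.Options.AuthenticationType);
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }

    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        // The stored ticket was found and is unexpired; issue a fresh access token with its claims.
        context.Validated(new ClaimsIdentity(context.Ticket.Identity));
        return Task.FromResult(0);
    }
}

// Opaque, single-use refresh tokens. The dictionary stands in for a database table (keyed by a hash
// of the token); an in-memory store is lost on app restart and does not work across several servers.
public class InMemoryRefreshTokenProvider : IAuthenticationTokenProvider
{
    private static readonly ConcurrentDictionary<string, AuthenticationTicket> Store =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes); // 256 random bits, nothing to decode or guess

        // Long-lived: the refresh token outlives the 15-minute access token it is issued with.
        context.Ticket.Properties.IssuedUtc = DateTime.UtcNow;
        context.Ticket.Properties.ExpiresUtc = DateTime.UtcNow.AddDays(30);
        Store[token] = context.Ticket;
        context.SetToken(token);
        return Task.FromResult(0);
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        AuthenticationTicket ticket;
        // TryRemove makes the token single-use: a replayed (stolen) refresh token is rejected.
        if (Store.TryRemove(context.Token, out ticket)) context.SetTicket(ticket);
        return Task.FromResult(0);
    }

    public void Create(AuthenticationTokenCreateContext context) { CreateAsync(context).Wait(); }
    public void Receive(AuthenticationTokenReceiveContext context) { ReceiveAsync(context).Wait(); }
}
```

The Android client then POSTs grant_type=password&username=...&password=... to /token once, keeps the returned access_token and refresh_token, sends Authorization: Bearer <access_token> with RestTemplate instead of the Basic header from the question, and POSTs grant_type=refresh_token&refresh_token=... when it gets a 401. The password leaves the device once rather than on every call, and a leaked access token is only usable for 15 minutes.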