I'm trying to build a mobile app that has login functionality with an ASP.NET Web API, and I need to implement token-based authentication.

What I need is this: the first time the user logs in using username and password, a new token is generated with an expiry date, along with a refresh token. I'm thinking of the refresh token because the user doesn't have to log in every time the token expires.

The token is saved on the mobile device and in the database, so with each request the app sends the token, either in the request header or with the posted data.

I don't exactly know how token-based authentication works in terms of sending the token encrypted or hashed to the user and processing the request on the server.

Edit: an attacker in the middle can just read the token and start sending requests to the server using the token. I mean he doesn't need to know what the token actually means.

I created a class that has these properties (UserID, Token, RefreshToken, ExpiryDate), but I read that it is not a good approach.

I'm using AES for encryption and SHA256 for hashing.

Thank you for your help,

Ibraheem Al-Saady
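
The flow the question describes (log in once, receive an access token with an expiry plus a refresh token, keep a server-side copy, present the token on every request), as an added framework-neutral example that is not part of the question or its answers and is written in Python rather than C# to keep it short: opaque random tokens are issued, only their SHA-256 digests are stored, expiry is enforced on every request, and refresh tokens are single use. `TokenStore` and `TokenRecord` are hypothetical names standing in for the database table, and the clock is injected (pass `time.time` in a real app) so expiry can be exercised deterministically.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ACCESS_TTL, REFRESH_TTL = 15 * 60, 14 * 24 * 3600  # lifetimes in seconds

@dataclass
class TokenRecord:
    """One database row: SHA-256 hashes only, so a leaked table cannot be replayed as tokens."""
    user_id: int
    access_hash: str
    refresh_hash: str
    access_expiry: float
    refresh_expiry: float

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class TokenStore:
    def __init__(self, now: Callable[[], float]) -> None:
        self._by_access: Dict[str, TokenRecord] = {}
        self._by_refresh: Dict[str, TokenRecord] = {}
        self._now = now  # injected clock (e.g. time.time) so expiry is testable

    def issue(self, user_id: int) -> Tuple[str, str]:
        # Called once the password check has passed; the raw pair goes back to the device.
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        now = self._now()
        rec = TokenRecord(user_id, _digest(access), _digest(refresh),
                          now + ACCESS_TTL, now + REFRESH_TTL)
        self._by_access[rec.access_hash] = rec
        self._by_refresh[rec.refresh_hash] = rec
        return access, refresh

    def authenticate(self, access: str) -> Optional[int]:
        # Per request: hash the presented token, look it up, enforce expiry.
        rec = self._by_access.get(_digest(access))
        if rec is None or self._now() >= rec.access_expiry:
            return None
        return rec.user_id

    def refresh(self, refresh: str) -> Optional[Tuple[str, str]]:
        # Single use: the presented pair is revoked whether or not a new one is issued.
        rec = self._by_refresh.pop(_digest(refresh), None)
        if rec is None:
            return None  # unknown, already used, or revoked
        self._by_access.pop(rec.access_hash, None)
        if self._now() >= rec.refresh_expiry:
            return None  # refresh token aged out; the user must log in again
        return self.issue(rec.user_id)
```

Hashing protects only the stored copy: on the wire the token is still a bearer credential, so the interception concern raised in the edit is addressed by sending it over TLS, not by encrypting or hashing the token itself.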

2 Answers

Please see the following articles in order to understand how token based authentication works in ASP.NET Web API.

  1. http://www.codeproject.com/Tips/821772/Claims-And-Token-Based-Authentication-ASP-NET-Web
  2. http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
Humayun Shabbir

Search the OpenID and OpenID Connect specs; they will tell you exactly how the tokens should work in your case (non-confidential implicit client flow). You can add OpenID endpoints easily to your ASP.NET Web API if you don't want to use an external OpenID server.

SweechD