I'm building a WebAPI project using ASP.NET 5/CoreCLR. I have implemented Identity 3 and that works fine. I plan to allow users to use the WebAPI from either a browser or an app (mobile, or third-party like Kodi or foobar2000).

I want to allow "administrative" account tasks (changing password, deleting stuff, etc.) only from the browser and not from the third parties. The apps should have access only to a restricted set of controllers or actions. On top of that, I'd like to make it easier for users to authenticate themselves. I don't want them to put their login and password in an app (since these credentials allow administrative tasks on their account). Ideally I'd like to add a "third-party app" authentication. Since the actions won't be sensitive, I was thinking of providing the ability to generate "API keys" which would be short.

I'm thinking of a workflow where users would go to their Account page from the browser, click "Generate Third-Party Credentials", and get a 6- or 8-character-long string to use from the third-party app. I might apply some HMAC later on.

What I'm wondering is what would be the 'proper' (conceptually) way to implement that on top of Identity 3. Is it possible, for instance, to create an identity Claim tied to a user?

Astaar
  • What you are asking here is to design your whole authentication scenario. I would recommend first trying to do it and then asking us more specific questions. This question is way too broad to be able to answer in a simple way. – Maxime Rouiller Nov 13 '15 at 13:36
  • Yes and no. I'm mostly asking for pointers on how to do it in the way Microsoft intended. Any documentation or blog article talking about extending Identity 3 would be welcome. – Astaar Nov 13 '15 at 15:58
  • I would recommend doing a `File > New Project` with the `beta8` tooling. Then if you need a custom SSO, check out IdentityServer. This link might also help: http://www.jerriepelser.com/blog/introduction-to-aspnet5-generic-oauth-provider – Maxime Rouiller Nov 13 '15 at 16:04

1 Answer

Maybe you can use two separate accounts, one for the human user and a second for the app user? Then you can use Claims-Based Authorization.

I'm thinking of a workflow where users would go to their Account page from the browser, click "Generate Third-Party Credentials"

Under this action you can create a second account for the app and link them to the user account using Claims.

For your app these will be two different accounts for Authentication/Authorisation, but from the user's perspective it can be one account.

After that you have a clear and simple-to-use solution using ASP.NET 5 Authorization.

Lukasz Mk
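An added example, not code from the question or the answer above, of the alternative the question hints at: one user account, but a second authentication scheme whose principal carries a `scope` claim, with the administrative endpoints bound to the Identity cookie scheme only. It is written against current ASP.NET Core APIs (minimal hosting, `AuthenticationHandler<T>`, `IdentityConstants`), not the beta8-era Identity 3 surface the question targets, and it assumes `AddIdentity<...>()` is already configured as the question says. The names `ApiKeyStore`, `ApiKeyHandler`, the `X-Api-Key` header, the `scope` claim type and the policy names are my own choices, and the store is an in-memory stand-in for a real table.

```csharp
// Added example (not from the question or answer). Assumes Identity is configured
// elsewhere. ApiKeyStore/ApiKeyHandler, "X-Api-Key" and the "scope" claim are hypothetical names.
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<ApiKeyStore>();
builder.Services.AddAuthentication()
    .AddScheme<AuthenticationSchemeOptions, ApiKeyHandler>(ApiKeyHandler.SchemeName, _ => { });
builder.Services.AddAuthorization(options =>
{
    // Non-sensitive actions: a browser session OR a scoped key is enough.
    options.AddPolicy("ThirdParty", p => p
        .AddAuthenticationSchemes(IdentityConstants.ApplicationScheme, ApiKeyHandler.SchemeName)
        .RequireAuthenticatedUser());
    // Account administration: only the Identity cookie is consulted, so an API key
    // presented here yields 401. The scope assertion is defence in depth.
    options.AddPolicy("AccountAdmin", p => p
        .AddAuthenticationSchemes(IdentityConstants.ApplicationScheme)
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => !ctx.User.HasClaim(c => c.Type == ApiKeyHandler.ScopeClaim)));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/api/library", (ClaimsPrincipal u) =>
        $"library of {u.FindFirst(ClaimTypes.NameIdentifier)!.Value}")
    .RequireAuthorization("ThirdParty");
app.MapPost("/account/apikey", (ClaimsPrincipal u, ApiKeyStore store) =>
        store.Issue(u.FindFirst(ClaimTypes.NameIdentifier)!.Value))   // plaintext shown once
    .RequireAuthorization("AccountAdmin");
app.MapPost("/account/password", () => "changed")
    .RequireAuthorization("AccountAdmin");
app.Run();

public sealed record ApiKeyRecord(string UserId, byte[] KeyHash, string Scope);

// Hypothetical store: in-memory list here; in practice a table indexed by KeyHash.
public sealed class ApiKeyStore
{
    // 32 symbols (no 0/O/1/I confusion) = 5 bits each, so the 8-character key from the
    // question carries 40 bits. Only acceptable because it is hashed at rest, scoped,
    // revocable and rate-limited; never reuse this for anything administrative.
    private const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    private readonly List<ApiKeyRecord> _keys = new();

    public string Issue(string userId, int length = 8, string scope = "thirdparty")
    {
        var chars = new char[length];
        for (var i = 0; i < length; i++)
            chars[i] = Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)];
        var key = new string(chars);
        _keys.Add(new ApiKeyRecord(userId, Hash(key), scope));   // only the hash is stored
        return key;
    }

    public ApiKeyRecord? Lookup(string presented)
    {
        var h = Hash(presented);
        return _keys.FirstOrDefault(k => CryptographicOperations.FixedTimeEquals(k.KeyHash, h));
    }

    private static byte[] Hash(string key) => SHA256.HashData(Encoding.UTF8.GetBytes(key));
}

public sealed class ApiKeyHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string SchemeName = "ApiKey";
    public const string ScopeClaim = "scope";
    private readonly ApiKeyStore _store;

    public ApiKeyHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger,
        UrlEncoder encoder, ISystemClock clock, ApiKeyStore store)
        : base(options, logger, encoder, clock) => _store = store;

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.TryGetValue("X-Api-Key", out var header))
            return Task.FromResult(AuthenticateResult.NoResult());
        var record = _store.Lookup(header.ToString());
        if (record is null)
            return Task.FromResult(AuthenticateResult.Fail("unknown API key"));

        // Same user id as the cookie login, so ownership checks keep working, but a
        // different authentication type plus a scope claim the cookie principal never has.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, record.UserId),
            new Claim(ScopeClaim, record.Scope),
        }, SchemeName);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), SchemeName);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```

With this wiring a request carrying `X-Api-Key` reaches `/api/library` as the owning user, while the same header on `/account/password` or `/account/apikey` is never consulted, because those policies list only the cookie scheme; issuing a key therefore requires a browser session, which is exactly the workflow in the question. Compared with the answer's two-account design, this keeps one user record and expresses the restriction as a claim on the key-issued principal rather than as a second account, which is what the question's last paragraph asks about. The key's entropy is the weak spot: the comment in `ApiKeyStore` is the check a reviewer would ask for, and a longer key or a per-user attempt limit is the cheap fix.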