10

I'm mildly familiar with DotNetOpenAuth and OAuth in general, but in terms of Web API development, what is the best way to lock down a web service in terms of the following criteria:

  • Ease of implementation
  • Interoperability/compatibility with end-user facing platforms (iOS, Android, Win Phone, Flex...)
  • Whether or not it is clearly standards-based (like OAuth for example)

Thanks!

j0k
tacos_tacos_tacos

3 Answers

5

Please take a look here: OAuth 2.0 in Web API

Inside the WebApiContrib project there are also Basic Authentication samples, which is straightforward, but it should not be used without SSL.

Alexander Zeitler
  • 4
    Ok so that is helpful, but here is my question: how do I act as "Facebook" in the example provided? The article assumes that you want to use an external OAuth cred provider. I want to build both the cred provider and the web service here. – tacos_tacos_tacos Oct 13 '11 at 14:45
3

The DotNetOpenAuth .zip download includes a sample WCF service that is protected by OAuth.

Andrew Arnott
  • I just downloaded your samples. I appreciate so many samples, but I'm a little confused by all of the project names and terminology. Is there a specific sample which demonstrates using OAuth2 to provide an OAuth token yourself instead of using a known OpenID provider (like Google)? – Adam May 05 '12 at 19:00
  • 1
    The `OAuthResourceServer` sample demonstrates using an OAuth 2 access token for authorization. The `OAuthAuthorizationServer` sample demonstrates the issuing of these access tokens. The fact that the authorization server uses OpenID to log the user in is orthogonal to the OAuth flow and you can replace it with anything you want. – Andrew Arnott May 08 '12 at 00:25
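
The split described in the comment above (an authorization server that issues access tokens, a resource server that accepts them, and a login step independent of both), as an added example that is not part of the original thread and is not DotNetOpenAuth code. The class names, the `user|scope|expiry` token layout and the shared HMAC key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Authorization server role: runs only after the user has logged in (by any
// means) and mints a signed, expiring token. Assumed layout: user|scope|expiry.
static class AuthorizationServer
{
    public static string Issue(byte[] key, string user, string scope, TimeSpan lifetime)
    {
        if (user.Contains("|") || scope.Contains("|")) throw new ArgumentException("'|' is reserved");
        long expires = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        byte[] payload = Encoding.UTF8.GetBytes(user + "|" + scope + "|" + expires);
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(hmac.ComputeHash(payload));
    }
}
// Resource server role: the Web API. It verifies signature, expiry and scope and never
// sees the password. A captured bearer token is replayable until expiry: send it over TLS.
static class ResourceServer
{
    public static bool TryAuthorize(byte[] key, string token, string requiredScope, out string user)
    {
        user = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, mac;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        using (var hmac = new HMACSHA256(key))   // constant-time compare of the signature
            if (!CryptographicOperations.FixedTimeEquals(hmac.ComputeHash(payload), mac)) return false;
        string[] f = Encoding.UTF8.GetString(payload).Split('|');
        if (f.Length != 3 || !long.TryParse(f[2], out long exp)) return false;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() >= exp || f[1] != requiredScope) return false;
        user = f[0];
        return true;
    }
}
static class Program
{
    static void Main()
    {
        var key = new byte[32];   // shared secret held by both roles (assumption, constructed here)
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        string token = AuthorizationServer.Issue(key, "alice", "orders.read", TimeSpan.FromMinutes(5));
        // Constructed forgery: a new payload paired with the old signature.
        string forged = Convert.ToBase64String(Encoding.UTF8.GetBytes("admin|orders.read|9999999999")) + "." + token.Split('.')[1];
        foreach (var (t, scope) in new[] { (token, "orders.read"), (token, "orders.write"), (forged, "orders.read") })
            Console.WriteLine(ResourceServer.TryAuthorize(key, t, scope, out string who) + " " + who);
    }
}
```

Only the first of the three checks in `Main` is accepted: the second asks for a scope the token was not issued for, and the third fails signature verification.
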
0

There are a couple of WCF Web API implementations on the internet that handle authentication. I have done one as well at http://misaxionsoftware.wordpress.com/2011/07/29/secure-restful-web-service-by-wcf-web-api-no-https-seriously/

Note: the code is based on Preview 3; some class names have changed in Preview 5.

The idea of the implementation is to ensure secure communication without SSL.

It's easy to construct. The function is transparent to your service because all the work is done in a message handler. You don't have to bother calling the authenticate function in your service method.

Compatible with endpoints where RSA encryption is supported.

Standards-based, hmm... Standards vary from case to case...

misaxi