Windows Phone 8 development & WebAPI - authentication through auth forms?

Question

Windows Phone 8 development & WebAPI - authentication through auth forms?

I am creating an API with a WebAPI that will accept authentication information over SSL via HTTPS from a web browser client. The web browser uses form authentication and requires HTTPS so that it can safely send username / password to the API endpoint. My API uses Websecurity.Login () and Websecurity.Logout () to authenticate to the web client.

How will this be handled in a WP8 / universal application built using WinJS? Can I do the same - send login / registration credentials via HTTPS and use Websecurity to handle auth forms?

Here's how my WebAPI is currently configured for auth:

public HttpResponseMessage LogIn(LoginModel model) { if (ModelState.IsValid) { if (User.Identity.IsAuthenticated) { return Request.CreateResponse(HttpStatusCode.Conflict, "already logged in."); } if (WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe)) { FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe); return Request.CreateResponse(HttpStatusCode.OK, "logged in successfully"); } else { return new HttpResponseMessage(HttpStatusCode.Unauthorized); } } // If we got this far, something failed return new HttpResponseMessage(HttpStatusCode.InternalServerError); } public HttpResponseMessage LogOut() { if (User.Identity.IsAuthenticated) { WebSecurity.Logout(); return Request.CreateResponse(HttpStatusCode.OK, "logged out successfully."); } return Request.CreateResponse(HttpStatusCode.Conflict, "already done."); }

Is this approach compatible with WP8 or other native mobile app development authentication?

+7

authentication c # asp.net-web-api windows-phone-8

Robious May 24 '14 at 5:13

source share

2 answers

I use WebApi via JS to create auth forms since with CORS

decorate controller (if you need to use CORS) (think you might need the nuget package for this).

  [EnableCors(origins: "*", headers: "*", methods: "*")]

Once you are satisfied with the credentials, set a cookie

  FormsAuthentication.SetAuthCookie

This is the Ajax page for HTML,

 $.ajax({ type: 'Post', url: 'http://' + api + '/?alloworigin=true', data: { Username: "test", Password: "test12" }, dataType: 'json', xhrFields: { withCredentials: true }, success: function(data) { var x = data; }, error: function(msg) { alert( msg.responsetext); } });

Then you can access any authenticated controller, then a cookie is sent with each request

 [Authorize]

scream if you have any questions.

Microsoft_Press_eBook_Programming_Windows_8_Apps_HTML_CSS_JavaScript_2E_PDF.pdf

http://aka.ms/611111pdf contains some information about transferring XHR using WinJS

0

saj Jun 03 '14 at 16:44

source share

Wiktor zychla · Accepted Answer · 2014-06-03T14:04:36+0000

This definitely works, assuming consecutive requests carry a cookie that is added to the very first request to the Login action.

In the case of a browser using ajax, this works out of the box since consecutive ajax requests carry all cookies issued by the same domain and added to the current browser session.

In the case of a native application, this can be more complicated because it means you need to use the same instance of the client proxy server, or you will find a way to have temporary local storage for cookies for authentication and add these cookies to each request.

However, there is a potential drawback to this request: you assume that the login method may use the username / password in the active script to create cookie forms. And it's not always that simple.

This is because your site could potentially be combined with an external identity provider (ADFS, Azure Active Directory, Google, Facebook, etc.) so that the actual authentication takes place on another website and your site receives a response, which matches the single-character protocol used (OAuth2, WS-Federation).

In this case, there really is no easy way to use a pairing username / password on the server side to get the user identity.

The workaround in this case, when the identity provider is unknown, is to place the web browser control (if possible) and allows it to execute a passive authentication script - this means that you go to the application page and allow the web browser to automatically control 302 on login page, no matter how many redirects are required. Then the user provides the credentials on the supplier’s page, and the web browser redirects everything back to your application, and there you will catch the identity on the server side, close the web browser control and somehow (depending on the actual web browser host ) read the authentication cookie so that it can be attached to further requests.

It sounds complicated, but we found some federation scenarios where the actual SSO protocols between the parties were not guaranteed, and such a simulation of a passive script from the built-in web browser was the only reliable way.

Windows Phone 8 development & WebAPI - authentication through auth forms?

More articles: