
I need suggestions for authentication between these three applications (web, API, mobile).

Use Case

  • I have a .Net Core Web API which works with basic authentication (i.e. username and password in the header).
  • I need to consume that API in my .Net Core Web App and Xamarin mobile app.
  • I want to integrate security model between all three applications.

Problem Statements

  • I don't have knowledge about how the same authentication can work for the Web App and the API.
  • I don't want to use any third-party authentication provider. I would like to have my users in database only.
  • What is best way to secure my API?
  • Once I secure my Web API, how about authentication on the Web App and Mobile App?

I know this is a broad question, but the simplest answer/way will help me to decide the further path. I have enough knowledge about authentication like AD, OAuth, OpenID Connect, JWT, but honestly I'm not sure how to use it in my scenario.

1 Answer


A simple way to do it would be to have your API work with JWT and connect to a database holding your users' info. You'd have a route that receives a username and password and returns a token. For all the authenticated routes, the request needs this token in the header. For the clients (Web App and Xamarin), you'd store the received token as a cookie and send it along on every API call.


5 Comments

Thanks, but the end user can easily grab the token from the cookie and send a separate request to the API.
Sure. If the user has a token, it means the user was successfully authenticated, which means it's fine for your user to see data from the API. If you want your user to not see everything, now it's a permission problem, not authentication. If you're worried about someone sniffing the cookie, use SSL.
Agree, thanks! Initially I will implement this logic. For better security, can you suggest a more secure way?
To enhance security, you may have an expiration date on the cookie. After some time (say 1 hour), the user has to provide credentials again. It mitigates damage if the token was compromised (which is unlikely using SSL).
How about, for the web app, doing it the cookie way, and for the mobile app, using the token? Any major difference?
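The scheme the answer describes, with the expiry the comments recommend, as an added example that is not code from the question, the answer, or any .NET library: a language-agnostic Python sketch of the login route (credentials checked against a stored password hash, never plaintext) and the bearer-token check that guards an authenticated route. The signing key, salt and user row are constructed placeholders.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed demo values: in a real deployment the signing key comes from server
# configuration and each user row carries its own random salt.
SECRET_KEY = b"server-side-jwt-signing-key-PLACEHOLDER"
_SALT = b"demo-salt"

def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# The "users in the database" the question wants: username -> password hash only.
USERS = {"alice": _hash_pw("correct horse battery")}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SECRET_KEY, signing_input, hashlib.sha256).digest()

def login(username: str, password: str, now: int, ttl: int = 3600) -> Optional[str]:
    """The answer's login route: verify credentials, return an HS256 JWT or None."""
    stored = USERS.get(username, b"")
    if not hmac.compare_digest(stored, _hash_pw(password)):
        return None  # unknown user or wrong password: same response either way
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": username, "iat": now, "exp": now + ttl}).encode())
    signing_input = f"{header}.{payload}".encode()
    return f"{header}.{payload}.{_b64(_sign(signing_input))}"

def authenticate(authorization: str, now: int) -> Optional[str]:
    """Guard for an authenticated route: return the token's subject, or None to reject."""
    if not authorization.startswith("Bearer "):
        return None
    try:
        header, payload, sig = authorization[len("Bearer "):].split(".")
        hdr = json.loads(_unb64(header))
        claims = json.loads(_unb64(payload))
        sig_bytes = _unb64(sig)
    except ValueError:
        return None  # malformed token (bad base64, bad JSON, wrong part count)
    if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
        return None  # never trust the token's own choice of algorithm
    if not hmac.compare_digest(_sign(f"{header}.{payload}".encode()), sig_bytes):
        return None  # signature mismatch: tampered or forged
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired: forces the re-login window the comments suggest
    return claims.get("sub")
```

The same token can be carried in a cookie by the web app and in an Authorization header by the mobile app; the API-side check is identical, which is why the last comment's split makes no difference to the API.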
