No. #1, added: 2016-12-31 09:12
Basically, what you are asking for is called the Bearer Token Flow which is described in detail here.
As seen from Figure 1 in section 1.3, once the client has authenticated successfully, an Access Token is granted from the Authorization Server. This token is then used for requesting resources by your Resource Server (your API). To do so, you need to include the token in resource requests. The ways of doing so are described in section two.
Once you have received an access token, you will also optionally receive a refresh token. The refresh token should be used going forward to retrieve new access tokens once these expire or are invalidated. The refresh tokens are valid until access has been revoked or for 14 days by default.
Although, as mentioned in my original answer, refresh tokens aren't yet supported in Xamarin.Auth, but a well-defined blog post has defined how to support them.
Now, if any issues should occur once you try to request a resource, you'll get an error_code from the Resource Server depending on the issue at hand, as seen in section 3.1.
For instance, when the token is expired, the status code will be invalid_token. In this case, the user would need to re-authenticate if you are not using refresh tokens. If you are, and the refresh token is still valid, a new access token would be provided, and life would go on as normal.
As a last note, the Access Token Response includes an optional field called expires_in. You can use this field to know when an access token expires.
1) How would my Web API know it has authenticated and now should allow access to the endpoints?
As seen here, once auth.Completed is invoked and IsAuthenticated, you know that the user is authenticated using the given Identity Provider.
2) Do I still need the Token Authentication mechanism in place for my app and API to communicate securely?
Yes. Once you get a token back from the Identity Provider, you should use that going forward, as it includes the privileges and identity of the user without exposing the username and password directly. You can read more about that here.
3) Can I use the same token created by the external authentication service, store it in a database, and use it to communicate between? If so, how would I encounter a situation where the token is not valid?
Yes. In fact, as stated above, this is what you should do. You can use JWT to validate the token given from an Identity Provider to validate the token against your own API.
Although, going forward, you should use a refresh token.
These may, however, not yet be supported by Xamarin.Auth. If you find they are not, here is an excellent guide for how to handle the situation.
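To show what the answer above describes from the Resource Server's side, here is an added example (not code from the answer, from Xamarin.Auth or from the asker's project): it checks an incoming Bearer token as an HS256 JWT, answers with the section 3.1 error codes (invalid_request, invalid_token) when the header is malformed, the signature is wrong or the token has expired, and uses expires_in on the client side to decide when a refresh is due. The shared secret, the claims and the mint_token helper that stands in for the Identity Provider are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key):
    """Constructed HS256 JWT; stands in for what the Identity Provider hands back."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def check_bearer(authorization, key, now):
    """Resource-server check of an Authorization header.
    Returns (HTTP status, WWW-Authenticate value, claims or None)."""
    if not authorization:
        return 401, 'Bearer realm="api"', None
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return 400, 'Bearer error="invalid_request"', None
    header, payload, sig = token.split(".")
    try:
        alg = json.loads(b64url_decode(header)).get("alg")
        claims = json.loads(b64url_decode(payload))
        given = b64url_decode(sig)
    except (ValueError, AttributeError):
        return 400, 'Bearer error="invalid_request"', None
    if not isinstance(claims, dict):
        return 400, 'Bearer error="invalid_request"', None
    # Pin the algorithm and verify with a constant-time compare; the "alg"
    # value inside the token is never trusted to pick the verification method.
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if alg != "HS256" or not hmac.compare_digest(expected, given):
        return 401, 'Bearer error="invalid_token", error_description="bad signature"', None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return 401, 'Bearer error="invalid_token", error_description="token expired"', None
    return 200, None, claims


def refresh_due(received_at, expires_in, now, margin=60):
    """Client side: refresh the access token a little before expires_in runs out."""
    return now >= received_at + expires_in - margin
```

An expired or forged token yields invalid_token, which is the point at which the client should present its refresh token (or re-authenticate if it has none).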