Question: Architecture Token Authentication: Web API, Xamarin and External Authentication

Added at 2016-12-31 06:12

Question
Background

I'm developing an app using Xamarin (app) and a Web API (Endpoints). The app does not implement its own authentication and it uses External Authentication (Google, Facebook, Twitter). Xamarin has something to deal with External Authentication called Xamarin.Auth.

Question

I understand how Xamarin.Auth works and how to store the access token. But I still have some questions that I didn't find answers for.

  1. How would my Web API know that the user has authenticated and that it should now allow access to the endpoints?

  2. Do I still need a Token Authentication mechanism in place for my app and API to communicate securely?

  3. Can I use the same token created by the external authentication service, store it in a database and use it for communication between them? If so, how would I handle the situation where the token is not valid?

UPDATE 1

I still have some confusion and questions regarding the workflow, so I created a diagram.

(Diagram of the workflow between the identity provider, the client and the API; image not included.)

  1. OAuth 2.0 (Google, Facebook, others).
  2. Client receives a token from External Authentication.
  3. Client calls the API. At this stage, how would the API know that authentication has been done? Does the client send the token to the API?
  4. If the client does send the token, how would the API know it is a valid token, and when will it expire?
  5. Can someone please explain this kind of workflow between the API and the client after authentication?
Answers

#1, added 2016-12-31 09:12

Updated answer

Basically, what you are asking for is called the Bearer Token Flow which is described in detail here.

As seen from Figure 1 in section 1.3, once the client has authenticated successfully, an Access Token is granted by the Authorization Server. This token is then used for requesting resources from your Resource Server (your API). To do so, you need to include the token in resource requests. The ways of doing so are described in section two.

Once you have received an access token, you will also optionally receive a refresh token. The refresh token should be used going forward to retrieve new access tokens once these expire or are invalidated. The refresh tokens are valid until access has been revoked, or for 14 days by default. Although, as mentioned in my original answer, refresh tokens aren't yet supported in Xamarin.Auth, a well-written blog post describes how to support them.

Now, if any issues should occur once you try to request a resource, you'll get an error_code from the Resource Server depending on the issue at hand, as seen in section 3.1. For instance, when the token is expired, the status code will be invalid_token. In this case, the user would need to re-authenticate if you are not using refresh tokens. If you are, and the refresh token is still valid, a new access token would be provided, and life would go on as normal.

As a last note, the Access Token Response includes an optional field called expires_in. You can use this field to know when an access token expires.

Original answer

1) How would my Web API know that the user has authenticated and that it should now allow access to the endpoints?

As seen here, once auth.Completed is invoked and AuthenticatorCompletedEventArgs is IsAuthenticated, you know that the user is authenticated using the given Identity Provider.

2) Do I still need a Token Authentication mechanism in place for my app and API to communicate securely?

Yes. Once you get a token back from the Identity Provider, you should use that for going forward as it includes the privileges and identity of the user without exposing the username and password directly. You can read more about that here.

3) Can I use the same token created by the external authentication service, store it in a database and use it for communication between them? If so, how would I handle the situation where the token is not valid?

Yes. In fact, as stated above, this is what you should do. You can use JWT to validate the token issued by the Identity Provider against your own API.

Although, going forward, you should use a refresh token. These may, however, not yet be supported by Xamarin.Auth. If you find they are not, here is an excellent guide for how to handle the situation.

Good luck!
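
The bearer token flow the answer describes (access token sent in the Authorization header, RFC 6750 section 3.1 error challenges from the API, a single retry with the refresh token, and re-login once that fails too), modelled end to end as an added example. This is not code from the original post, from Xamarin.Auth, or from any identity provider: the in-memory AuthorizationServer, ResourceServer and Client classes, the subject name "alice", the 3600-second access-token lifetime and the 14-day refresh lifetime are all assumptions chosen so that it runs offline.

```python
"""Bearer token flow (RFC 6750) between the app, an identity provider and the Web API.

Constructed for illustration: an in-memory AuthorizationServer stands in for the identity
provider's token endpoint, ResourceServer for the Web API and Client for the app. No real
HTTP is sent and no provider SDK (Xamarin.Auth or otherwise) is involved.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ACCESS_TTL = 3600             # seconds; returned to the client as `expires_in`
REFRESH_TTL = 14 * 24 * 3600  # assumed refresh-token lifetime (the "14 days" above)


@dataclass
class TokenResponse:
    """The Access Token Response fields the client has to keep."""
    access_token: str
    token_type: str
    expires_in: int
    refresh_token: str


class AuthorizationServer:
    """Mints and introspects opaque tokens. The clock is injectable so tests can age tokens."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._access: Dict[str, Tuple[str, float]] = {}   # token -> (subject, expiry)
        self._refresh: Dict[str, Tuple[str, float]] = {}  # token -> (subject, expiry)

    def issue(self, subject: str) -> TokenResponse:
        now = self._clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (subject, now + ACCESS_TTL)
        self._refresh[refresh] = (subject, now + REFRESH_TTL)
        return TokenResponse(access, "Bearer", ACCESS_TTL, refresh)

    def refresh(self, refresh_token: str) -> Optional[TokenResponse]:
        entry = self._refresh.pop(refresh_token, None)   # single use: rotated on every refresh
        if entry is None or entry[1] <= self._clock():
            return None  # unknown, revoked or past its lifetime: the user must log in again
        return self.issue(entry[0])

    def introspect(self, access_token: str) -> Optional[str]:
        """Subject the access token belongs to, or None if it is expired or unknown."""
        entry = self._access.get(access_token)
        if entry is None or entry[1] <= self._clock():
            return None
        return entry[0]


class ResourceServer:
    """The Web API. It never sees a password, only the bearer token (RFC 6750 section 2.1)."""

    def __init__(self, auth: AuthorizationServer):
        self._auth = auth

    def handle(self, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
        value = headers.get("Authorization")
        if value is None:  # no credentials at all: challenge without an error code (section 3.1)
            return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, ""
        scheme, _, token = value.partition(" ")
        if scheme != "Bearer" or not token.strip():  # malformed header: invalid_request
            return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_request"'}, ""
        subject = self._auth.introspect(token.strip())
        if subject is None:  # expired or revoked: invalid_token
            return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}, ""
        return 200, {}, f"hello {subject}"


class Client:
    """The app. Keeps the tokens from login and retries once after refreshing."""

    def __init__(self, auth: AuthorizationServer, api: ResourceServer, tokens: TokenResponse):
        self._auth, self._api, self._tokens = auth, api, tokens

    def call(self) -> str:
        status, hdrs, body = self._api.handle({"Authorization": f"Bearer {self._tokens.access_token}"})
        if status == 401 and 'error="invalid_token"' in hdrs.get("WWW-Authenticate", ""):
            renewed = self._auth.refresh(self._tokens.refresh_token)
            if renewed is None:
                return "reauthenticate"  # refresh token gone too: back to the login screen
            self._tokens = renewed
            status, hdrs, body = self._api.handle({"Authorization": f"Bearer {self._tokens.access_token}"})
        return body if status == 200 else "unauthorized"


def demo(elapsed_seconds: float) -> str:
    """Log in, let `elapsed_seconds` pass on a fake clock, then call the API once."""
    now = [1_700_000_000.0]
    auth = AuthorizationServer(clock=lambda: now[0])
    api = ResourceServer(auth)
    client = Client(auth, api, auth.issue("alice"))
    now[0] += elapsed_seconds
    return client.call()
```

`demo(0)` returns "hello alice" straight away; `demo(ACCESS_TTL + 1)` still returns "hello alice", but only because the client saw `error="invalid_token"` and swapped in a fresh access token with its refresh token; `demo(REFRESH_TTL + 1)` returns "reauthenticate", the case where the app has to send the user back through Xamarin.Auth. The API decides validity by asking the issuer (here `introspect`, in production an introspection or userinfo call, or a local JWT signature and `exp` check); it never trusts the token's presence alone.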
