Secure Web Api called by PhoneGap application

天大地大妈咪最大 submitted on 2019-12-06 16:36:24

Well, I am also searching into this, and I will share what I have got so far in the following steps:

1) Whenever a user calls my login page, I will create a token in the response header to make sure that the request is coming from a legitimate user, just like the anti-forgery token in MVC.

2) Then, upon successful login, I will create the authentication cookie and set the current user context value; this will authorize the user and generate another token as mentioned above.

3) Then after this I will use the normal Authorize, Roles attribute provided by Web API.

Let me know what you think? I am more than happy to contribute.

Another approach: when the user logs in, create a hashed token and add it to the response header, and create a custom attribute which grabs that token and checks it against the database. The problem with this approach is that you will be hammering your database all the time.
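The second approach above (a token issued at login and checked by a custom attribute), sketched as an added example that is not part of the original answer. It assumes ASP.NET Web API 2 and C# 7; `TokenStore`, `TokenAuthorizeAttribute` and the `X-Auth-Token` header are hypothetical names, and the in-memory dictionary stands in for the database table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Stand-in for the database table (assumption): SHA-256(token) -> (user, expiry).
public static class TokenStore
{
    static readonly ConcurrentDictionary<string, Tuple<string, DateTime>> Rows =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();

    static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Call after a successful login; only the hash is kept server-side.
    public static string Issue(string user, TimeSpan lifetime)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        var token = Convert.ToBase64String(raw);
        Rows[Hash(token)] = Tuple.Create(user, DateTime.UtcNow.Add(lifetime));
        return token;
    }

    // Returns the user name, or null for an unknown or expired token.
    public static string Validate(string token) =>
        Rows.TryGetValue(Hash(token), out var row) && row.Item2 > DateTime.UtcNow ? row.Item1 : null;
}

// Hypothetical attribute; "X-Auth-Token" is an assumed header name.
public class TokenAuthorizeAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext ctx)
    {
        var user = ctx.Request.Headers.TryGetValues("X-Auth-Token", out var values)
            ? TokenStore.Validate(values.FirstOrDefault() ?? "") : null;
        if (user == null) { ctx.Response = ctx.Request.CreateResponse(HttpStatusCode.Unauthorized); return; }
        ctx.RequestContext.Principal = new GenericPrincipal(new GenericIdentity(user), new string[0]);
    }
}
```

Storing only the hash means a leaked token table does not hand out usable tokens, and the expiry check bounds how long a captured token stays valid.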
