Securing my REST API with OAuth while still allowing authentication via third party OAuth providers (using DotNetOpenAuth)

by

First I’d like to emphasize the difference between authentication and authorization:

A user authenticates to your web site by supplying some credential such as a username+password. OpenID allows this to be displaced by having the user authenticate to another service, which then asserts the user’s identity to your web site on the user’s behalf. Your site trusts the third party service (the OpenID Provider) and therefore considers the user logged in.

A service or application does not authenticate to your web site — at least not typically. A user authorizes a service or application to access the user’s data. This is typically done by the application requesting authorization of the service provider, then sending the user to the service provider, where the user first authenticates (so the service provider knows who its talking to) and then the user says to the site “yes, it’s ok for [application] to access my data [in some restricted way]”. From then on, the application uses an authorization token to access the user data on the service provider site. Note that the application does not authenticate itself as if it were the user, but it uses another code to assure the service that it is authorized to access a particular user’s data.

So with that distinction clarified, you can make decisions on your site about authentication and authorization completely independently. For instance, if you want your users to be able to log in with all of: username+password, OpenID, and Facebook, you can do that. A completely orthogonal decision is how you authorize applications (there are many protocols you can use for this, OAuth of course being quite popular).

OpenID is focused on user authentication. OAuth is focused on application authorization. However, a few services such as Facebook and Twitter have chosen to use OAuth for authentication and authorization instead of using OpenID for authentication and OAuth for authorization.

Now for your own project, I strongly recommend you check out the ASP.NET MVC 2 OpenID web site (C#) project template available from the VS Gallery. Out of the box it comes with OpenID authentication and OAuth Service Provider support. This means your users can log in with OpenID, and 3rd party applications and services can use OAuth to make API calls to your web site and access user data.

What it sounds like you’d want to add to this project template once you get going is the ability for your users to log in with username+password as well as OpenID. Also, if you want Facebook and Twitter to be an option for your users you must implement that as well since they don’t use the OpenID standard. But the DotNetOpenAuth download includes samples for logging in with Twitter and Facebook so you have some guidance there.

I suspect you won’t have much if anything to do on the authorization front. It comes with OAuth as I said before, and that will probably suffice for you.

More Related Contents:

  1. Setting Authorization Header of HttpClient
  2. What’s the difference between OpenID and OAuth?
  3. Get user info via Google API
  4. How is OAuth 2 different from OAuth 1?
  5. Can I really not ship open source with Client ID? [closed]
  6. How to validate an OAuth 2.0 access token for a resource server?
  7. Security of REST authentication schemes
  8. What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?
  9. How to use OAuth2RestTemplate?
  10. What is the OAuth 2.0 Bearer Token exactly?
  11. What is the difference between Google Identity Toolkit, Google OAuth, Firebase Auth and Google+ sign in
  12. OAuth 2.0: Benefits and use cases — why?
  13. What is the purpose of the implicit grant authorization type in OAuth 2?
  14. Difference between OAuth 2.0 “state” and OpenID “nonce” parameter? Why state could not be reused?
  15. How to get Uri.EscapeDataString to comply with RFC 3986
  16. Spring OAuth redirect_uri not using https
  17. Disable checkboxes on Google consent screen
  18. What exactly is OAuth (Open Authorization)?
  19. How to secure RESTful web services?
  20. REST API for website which uses Facebook for authentication
  21. OpenID: Trying to Get Email Address from Google OP
  22. Twitter API – Logout
  23. JWT (Json Web Token) Audience “aud” versus Client_Id – What’s the difference?
  24. Where can I find a list of OpenID Provider URLs? [closed]
  25. OAuth 2.0 with Google Analytics API v3
  26. gapi.auth.signOut(); not working I’m lost
  27. Google API OAuth2, Service Account, “error” : “invalid_grant”
  28. LinkedIn OAuth2: “Unable to verify access token”
  29. Netsuite OAuth Not Working
  30. OAuth Authorization vs Authentication

Leave a Comment