Authentication for REST Services

Hello everybody,

I have a WEBAPI REST Service (which is kind of a middle layer) which authenticates on another service (WCF Service) with username and password and gets its data from there.

Since my WebAPI is a REST Service, it is stateless. In my opinion this means that every service call from my Phone to the WEBAPI leads to a new authentication process from my WebAPI on the WCF Service. Right so far?

Now how could this be done?
Do I have to send the username/password combination every time from my phone to my WebAPI, so that the WebAPI can authenticate on the other WCF Service?

Or is the recommended way to kind of map the authentication-token (which would not have to contain username and password then) to a username/password combination on the WebAPI Service?

I could not find a simple solution for this. Does anybody have an idea? I would need a simple example of client-side and server-side code for understanding how this could be done.

My thoughts were:

  1. Send username and password from phone to WebAPI
  2. Send authentication token back to phone
  3. Call another WebAPI REST service from the phone and send the authentication token in the header
  4. ?? How do I validate this token on the WebAPI Service and how do I connect it to a user?

Could anyone write a simple piece of dummy-code?

Thank you very much!
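An added sketch of steps 1, 2 and 4 from the list above, not code from this thread or from ASP.NET: a server-side class the WebAPI could call from its login endpoint and from a message handler. The HMAC key, the token lifetime and the `backendAuth` delegate (standing in for the call to the WCF Service) are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
// Constructed example for the four steps in the question; key, lifetime and backend delegate are assumptions.
public sealed class TokenService
{
    private readonly byte[] _key;        // server-side HMAC secret; never sent to the phone
    private readonly TimeSpan _lifetime; // e.g. TimeSpan.FromMinutes(5)
    // Token id -> user: records who the token belongs to, not the password. Removing an entry is logout.
    private readonly ConcurrentDictionary<string, string> _sessions = new ConcurrentDictionary<string, string>();
    public TokenService(byte[] key, TimeSpan lifetime) { _key = key; _lifetime = lifetime; }
    // Steps 1 and 2: the phone posts user/password; the WebAPI lets the backend (the WCF service)
    // check them and answers with a signed, expiring token, or null when the backend says no.
    public string Login(string user, string password, Func<string, string, bool> backendAuth)
    {
        if (user == null || user.Contains("|") || !backendAuth(user, password)) return null;
        string id = Guid.NewGuid().ToString("N");
        string payload = id + "|" + user + "|" + DateTime.UtcNow.Add(_lifetime).Ticks;
        _sessions[id] = user;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) + "." + Sign(payload);
    }
    // Step 4: check the token sent in the Authorization header and map it back to a user.
    // Returns null for a missing, malformed, forged, expired or logged-out token.
    public string Validate(string token)
    {
        if (token == null || !token.Contains(".")) return null;
        int dot = token.LastIndexOf('.');
        string payload;
        try { payload = Encoding.UTF8.GetString(Convert.FromBase64String(token.Substring(0, dot))); }
        catch (FormatException) { return null; }
        if (!FixedTimeEquals(Sign(payload), token.Substring(dot + 1))) return null;     // forged or altered
        string[] parts = payload.Split('|');
        if (parts.Length != 3 || long.Parse(parts[2]) < DateTime.UtcNow.Ticks) return null; // expired
        string user;
        return _sessions.TryGetValue(parts[0], out user) && user == parts[1] ? user : null;
    }
    private string Sign(string payload)
    {
        using (var h = new HMACSHA256(_key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    // Compare signatures without leaking where they differ through timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The `_sessions` map is server-side state, so this is the "map the token to a user" option from the question; the HMAC signature alone would be the fully stateless variant, at the cost of not being able to revoke a token before it expires. Keep the key out of source control and only accept the token over TLS.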

Best Answers

  • RonaldKasper (AT, Member ✭✭)

    Thank you both!
    The reason why I don't use the WCF Service is that this service might be only available in the intranet of the company. My WebAPI is much simpler and hosted public, which is of course necessary for the app.

  • RobertDebault (US, University ✭✭✭)

    I had a similar setup with one project, so I understand your predicament. This project used some legacy systems that could not be upgraded. It was in place for a month or two for proof of concept, then I replaced the legacy services. Keep us updated; I would like to know how or if you find a secure solution.

  • VictorArce.8951 (MX, Member ✭✭)

    I'm currently having the same design problem. The only thing I can think of right now, and that is to use what I have developed till now, is to send credentials (encrypted, I still have to look how to do it) to my WebAPI, then on success the WebAPI will create a unique token with an expiration time of say, 5 minutes. For these 5 minutes the Xamarin App can make API calls without auth until expiration or logout. If the token expires, then re-login, but this will be done once every n minutes, which I guess is ok.

    What do you think of this?

  • BSalita (US, Member)

    OAuth 2 solves this problem. It's used by all the biggies (Google, Facebook, Microsoft). Is there a reason it's not being considered?

  • Eidand (GB, Member, University ✭✭✭)

    You could use an owin authentication system which has everything you need.
    I am using such a system in production on a big website and I have over 100.000 signups / month through it.

    I have two articles on the subject which describe how everything works, and there is full source code available on GitHub for your perusing pleasure:

    Do let us know how it works out for you in the end.

  • RobertDebault (US, University ✭✭✭)

    I just implemented a system in which I am encrypting all communications using OATH with HMAC and TLS. So far it is performing better than expected on the mobile and web applications. Now if I could just find a way to implement this security on my Netduino 3 wifi system, all would be right in the world.
