OpenID + OAuth for Webapp and Desktop/Mobile application Authentication and Authorizaiton

5
votes

I'd like to use OpenID to authenticate users on my webapp -- similar to how StackExchange does it. I'd also like to enable users of my website to use my Desktop and Mobile Apps using the same account. I've read this requires OAuth (OpenID is purely website only).

What I don't know is

  • Is this the correct approach?
  • What would the workflow for this be?
  • What data do I need in my database per user/OpenID? Do I store an "account" and then when they've authenticated with OpenID, I allow them to generate an OAuth Token for the mobile app?

In an ideal world, I would be able to have buttons similar to those on https://stackoverflow.com/users/login for both my WebApp and also in my Desktop and Mobile Apps which would simply allow users to login with their google or facebook account, is that possible? Simplicity for users is paramount, because my userbase will not take well anything remotely complex.

Can I use something like DotNetOpenAuth to provide all of this functionality?

Would a better solution be to break this up and allow users to authenticate to my site with OpenID and then I provide my own OAuth scheme for my desktop and mobile clients?

3
asp.netsecurityoauthopenid

3 Answers

1
votes

Probably the simplest mechanism is to embed a web view, and simply watch for navigation to a specific callback page and grab the authentication data that way. You should still be able to use OpenID for this.

0
votes

What you should be looking into is Windows Identity Framework (WIF), it will work similarly for Web or Desktop applications using Claims-Based Identity. You would store an authorization token for each user (along with any other information you need) and you would get it in the Authorization Header of an authenticated HTTP Request. oAuth is the protocol for passing authorization requests and responses. WIF is a .NET toolkit to simplify this interaction.

For more info, check out the WIF home page and the following blog (not mine):

http://msdn.microsoft.com/en-us/security/aa570351

http://blogs.msdn.com/b/vbertocci/

0
votes

This is the workflow that I came up with, and so far I think its working well.

The user is required to authenticate to the website via third party OpenID/Facebook/etc (mobile friendly website is available). Then, in their "profile" they can generate an API "key" which they can copy/paste into their client software. It isn't 100% transparent to the user, but its pretty good.