Azure Mobile Services and Web API authentication

I'm developing a Web API and was looking to use Azure Mobile Services to authenticate users before allowing calls made to the Web API.

So the user would navigate to a website, choose to log in using their Google/Facebook/etc. account and the user would be authenticated using the Mobile Services JavaScript client. From what I understand Mobile Services will then return an authentication token in the form of a JSON Web Token.

What I would like to do is this: when the website calls the Web API, it would pass along the authentication token, the Web API would check that it's a valid token issued by Mobile Services and, if all is good, then allow the call to be executed.

So my question is... is this possible? If so, could the JSON Web Token Handler for .NET be used to perform the validation on the Web API side?

Yes, that is possible.

If you perform a login using the MobileServiceClient, you will get a token that you can pass along with every request to a Web Api endpoint.

var client = new WindowsAzure.MobileServiceClient('https://yourservice.azure-mobile.net', 'your-client-key');
client.login('facebook').then(success);

function success(result) {
    alert('login ok');
}

So when making a request, set the value of the header 'X-ZUMO-AUTH' to the current user's token, which you find in client.currentUser.mobileServiceAuthenticationToken after a successful login.

On the server side, add the attribute [AuthorizeLevel(AuthorizationLevel.User)] to Web Api methods that require the user to be authenticated. That's all.

But make sure that identity is configured properly on WAMS, and also on the side of the provider you want to integrate (client IDs, client secrets, callback URLs, etc.).
