
What is the correct approach for authentication/authorization Native Android App using Thinktecture IdentityServer3

I develop a native Android application that does its authentication, authorization and resource access through a WebAPI backend.

After many discussions about the best and most secure way to implement authentication and authorization using .NET technologies, we decided to use Thinktecture's IdentityServer3.

Before, I was following this series to implement token-based authentication using the ASP.NET Identity system. Everything was OK, but after investigation I decided to decouple the authentication server and use Thinktecture's IdentityServer.

So now I have separate web apps hosted on Azure, one for resources and the other for authentication using IdentityServer3, plus one native Android client.

My Android client application has authentication using Facebook/Google, and I have already implemented this before on Android using Parse, or separately based on the Facebook Android SDK & Google services.

Also, users have roles.

Now I want to know if there is a correct approach for doing that, from the authentication server perspective and also from the Android client application perspective, as there are many discussions about the configuration of IdentityServer3 with native apps. Also, should I use a WebView activity in Android to handle the connection with the authentication server, or native Java code with an HTTP library like Retrofit to send requests and get responses?

Also, with Facebook, I have already implemented authentication directly from the Android app using the Facebook Android SDK and I can get the auth token; the approach I am thinking about is like the one shown in this question:

  1. Authenticate the user to Facebook from the Android application.
  2. Get the FB auth token in the Android app.
  3. Forward the authentication token & Facebook UID from Android to the web server.
  4. On the web server, make a Facebook API call with the submitted token.

If the Facebook API call from the web server returns valid authentication, and the user id is equal to the one submitted by the Android application, your server can trust the id (& you can be sure that the Android authentication is real).

Or should I depend only on the backend IdentityServer to handle Facebook authentication?
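Added example, not code from the question or the answer: a language-neutral Python sketch of step 4 in the list above, checking the Facebook token on the server via the Graph API `debug_token` endpoint before trusting the submitted UID. The app id, app token and the JSON responses are constructed placeholders, and the check also compares the token's `app_id` against our own app, which the list above does not mention.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

# Constructed values for the example: a real deployment uses its own Facebook
# app id and an app access token that never leaves the server.
APP_ID = "123456789012345"
APP_TOKEN = "123456789012345|app-secret-placeholder"


def debug_token_url(input_token: str, app_token: str = APP_TOKEN) -> str:
    """Build the Graph API request that inspects a user token (step 4)."""
    query = urllib.parse.urlencode({"input_token": input_token, "access_token": app_token})
    return "https://graph.facebook.com/debug_token?" + query


def fetch_debug_token(input_token: str) -> dict:
    """Live call to Facebook; the offline check below takes its JSON result."""
    with urllib.request.urlopen(debug_token_url(input_token), timeout=5) as resp:
        return json.load(resp)


def verify_facebook_login(debug_response: dict, submitted_uid: str,
                          now: Optional[float] = None) -> bool:
    """Trust the submitted UID only if Facebook says the token is valid, it was
    issued for our app (not some other app the user also logged in to), it has
    not expired, and it belongs to the same user the Android client claims."""
    data = debug_response.get("data") or {}
    now = time.time() if now is None else now
    if not data.get("is_valid"):
        return False
    if str(data.get("app_id")) != APP_ID:
        return False
    expires_at = data.get("expires_at") or 0
    if expires_at and expires_at <= now:
        return False
    return str(data.get("user_id")) == str(submitted_uid)


# Constructed sample responses in the shape the debug_token endpoint returns.
VALID_RESPONSE = {"data": {"app_id": "123456789012345", "is_valid": True,
                           "user_id": "10001", "expires_at": 4102444800}}
OTHER_APP_RESPONSE = {"data": {"app_id": "999999999999999", "is_valid": True,
                               "user_id": "10001", "expires_at": 4102444800}}
INVALID_RESPONSE = {"data": {"is_valid": False, "error": {"code": 190}}}
```

The `app_id` comparison is what stops a token that was legitimately issued to a different Facebook app from being accepted as a login to this backend.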

You can use the hybrid flow (if you need access tokens and refresh tokens); you could also use the implicit flow.

Just have a look at this topic.

And as for how you can do it: either you can do it with a combination of web views and hybrid/implicit flow, or do the redirect style to the IdSvr login page. Or use the resource owner password flow.
