Authentication and Authorization of Web API

  • Question

  • I guess I have got an overall idea of how authentication and authorization work, but I would appreciate it if someone could give me a bit more clarity on it. I will explain what I have understood so far, and then say what requires clarification.

    Scenario: I am using Individual accounts (Facebook, Google, Twitter authentication).

    Followed the following tutorial: http://www.asp.net/web-api/overview/security/external-authentication-services


    Step 1: The client sends a request to the Facebook server with username and password.

    Step 2: Facebook server authenticates the user, and provides the user details along with a bearer token to the client.

    Step 3: The client then stores the bearer token locally and sends the user details to the account API controller to register the user.

    Step 4: When the client needs to call a particular Web API, it sends a request with an HTTP header that has the bearer token attached, and the server returns the details.

    Things that need clarity:

    1. I know that Facebook does not provide us with the password of the user (and neither does any other service). So how does the user get "signed in" to our app with just a username alone? I guess I am missing some important point here.
    2. Now, when I send a request to a Web API along with the bearer token, how does the server know that I am the real user? I am not talking about stealing a bearer token; what I mean is, can't I simply use this same bearer token to access someone else's data, not just my data, from our server?
    Wednesday, December 18, 2013 9:57 AM


  • Hi,

    To know more about this you should learn how OAuth works.

    1. When you try to connect your application with Facebook, the first time you will be redirected to Facebook, where you must enter your Facebook credentials and submit them so that Facebook can validate your credentials; if they are valid it will allow your application to access your Facebook data.
    2. It is like creating a handshake between your application and your Facebook account.
    3. Facebook returns the authorization token, which you can preserve in your application so that you can use it whenever you make subsequent requests to Facebook using its API.
    4. Since the authorization token returned by Facebook is only for your account, you will be getting data related to your account only; also, any updates you make to Facebook from your application will be posted to your Facebook account.
    5. The main advantage of using this is that, at any point in time, your Facebook password would never be visible to anyone; all the requests that are sent via the FB API carry only the tokens and not your actual password.

    Some interesting articles on OAuth:



    Hope this helps


    • Marked as answer by Caillen Friday, December 27, 2013 2:04 AM
    Wednesday, December 18, 2013 6:40 PM
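The exchange the question and the answer describe, as an added example that is not part of the original thread or of the ASP.NET tutorial it links: an in-process simulation of an external identity provider (a stand-in for Facebook), the application's account controller, and a protected resource. It is written in Python rather than C# so it runs stand-alone; the class and method names, the user accounts, the passwords and the order data are all constructed for the example. The two points it makes concrete are that the application never sees a password (it asks the provider who a token belongs to and records only that provider identity), and that a bearer token is resolved to one user on the server side, so a valid token cannot be pointed at someone else's data.

```python
"""Added example, not code from the original thread. All names and data are constructed."""

import hmac
import secrets
import time


class ExternalProvider:
    """Stand-in for the external identity provider (e.g. Facebook).
    Only this party ever sees the user's password. A real provider does the
    credential check on its own site after a browser redirect; here it is a call."""

    def __init__(self, ttl=3600):
        # Constructed credentials for the example.
        self.passwords = {"alice@example.com": "alice-pw", "bob@example.com": "bob-pw"}
        self.tokens = {}        # provider access token -> (provider user id, expiry)
        self.ttl = ttl

    def login(self, username, password):
        """Steps 1-2: validate credentials and issue an opaque access token."""
        expected = self.passwords.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)             # random, unguessable, opaque
        self.tokens[token] = (username, time.time() + self.ttl)
        return token

    def whoami(self, token):
        """Called by the application server-side to learn whose token this is."""
        entry = self.tokens.get(token)
        if entry is None or entry[1] < time.time():
            raise PermissionError("unknown or expired provider token")
        return entry[0]


class WebApi:
    """Stand-in for the application's account controller plus one protected resource."""

    def __init__(self, provider, ttl=3600):
        self.provider = provider
        self.local_users = {}   # (provider name, provider user id) -> local user id
        self.bearers = {}       # application bearer token -> (local user id, expiry)
        self.orders = {}        # local user id -> that user's orders
        self.ttl = ttl

    def register_external(self, provider_token):
        """Step 3: sign in with the external token. No password is stored here; the
        account is keyed by the identity the provider vouches for."""
        external_id = self.provider.whoami(provider_token)   # verified with the provider
        key = ("facebook", external_id)
        if key not in self.local_users:                       # first visit: create the account
            self.local_users[key] = f"local-{len(self.local_users) + 1}"
            self.orders[self.local_users[key]] = []
        bearer = secrets.token_urlsafe(32)                    # the app's own bearer token
        self.bearers[bearer] = (self.local_users[key], time.time() + self.ttl)
        return bearer

    def _principal(self, authorization_header):
        """Step 4: resolve 'Authorization: Bearer <token>' to a user id, or reject."""
        scheme, _, token = authorization_header.partition(" ")
        entry = self.bearers.get(token) if scheme == "Bearer" else None
        if entry is None or entry[1] < time.time():
            raise PermissionError("401 unauthorized")
        return entry[0]

    def place_order(self, authorization_header, item):
        user = self._principal(authorization_header)
        self.orders[user].append(item)
        return user

    def get_orders(self, authorization_header, user_id=None):
        """Data is selected by the caller's own identity. Naming another user's id
        is refused even when the token itself is perfectly valid."""
        caller = self._principal(authorization_header)
        if user_id is not None and user_id != caller:
            raise PermissionError("403 forbidden")
        return list(self.orders[caller])


def demo():
    """Two users sign in through the provider and each places one order."""
    provider = ExternalProvider()
    api = WebApi(provider)
    alice = "Bearer " + api.register_external(provider.login("alice@example.com", "alice-pw"))
    bob = "Bearer " + api.register_external(provider.login("bob@example.com", "bob-pw"))
    api.place_order(alice, "order-1001")
    api.place_order(bob, "order-2001")
    return api, alice, bob


if __name__ == "__main__":
    api, alice, bob = demo()
    print(api.get_orders(alice), api.get_orders(bob))
```

The token is deliberately opaque: the server does not decode it, it looks it up and trusts only what its own table says about it, which is why presenting your token while asking for another user's id yields 403 rather than that user's data.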