User Tools

Site Tools


dev:app_authentication_example

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
dev:app_authentication_example [2016/04/18 15:57] sudev:app_authentication_example [2017/11/21 16:46] (current) su
Line 2: Line 2:
  
 All Apps must authenticate through the App Store OAuth2 Authorization Server. All Apps must authenticate through the App Store OAuth2 Authorization Server.
 +
 +[https://tools.ietf.org/html/rfc6749|OAuth 2.0) is an IETF specification that allows 3rd party applications to gain limited access to an HTTP service on behalf of a user.
 +
 +OAuth is used extensively on the web already: if you have ever logged into a 3rd party web site using your Facebook, Google, or LinkedIn account, you have already used OAuth.  Indeed, the App Store allows users to log in via LinkedIn, and then requests information such as a user's name, email address and profile picture to allow it to create a profile for the user, likewise with ADFS , and with Google accounts.
 +
 +The App Store also has its own OAuth service, to allow applications such as the Valve Signature Tool to log users in via the App Store, and to allow those applications to charge users for application usage.
  
 Below is a simple example illustrating the [[https://tools.ietf.org/html/rfc6749#section-4.1|Authorization Code Grant Flow]] recommended for Web-Server Apps. Note the process is different for Excel, browser-based and other types of App. Below is a simple example illustrating the [[https://tools.ietf.org/html/rfc6749#section-4.1|Authorization Code Grant Flow]] recommended for Web-Server Apps. Note the process is different for Excel, browser-based and other types of App.
Line 8: Line 14:
  
  
-=== 1. Registering your Web App ===+==== 1. Registering your Web App ===
 + 
 +In order to use the App Store OAuth service, an application must be registered with the App Store. 
  
-== 1.1 Redirect URIs ==+=== 1.1 Redirect URIs ===
  
-When registering your App, you will be asked to provide one or more valid Redirect URIs. The Authorization Server will only respond to HTTP requests from registered URIs. This helps prevent [[https://en.wikipedia.org/wiki/Man-in-the-middle_attack|Man-in-the-Middle attacks]].+When registering your App, you are asked to provide one or more valid Redirect URIs. The Authorization Server will only respond to HTTP requests from registered URIs. This helps prevent [[https://en.wikipedia.org/wiki/Man-in-the-middle_attack|Man-in-the-Middle attacks]].
  
 Since the HTTP request carries secure information, we also stipulate all requests are from secure HTTPS sources. Since the HTTP request carries secure information, we also stipulate all requests are from secure HTTPS sources.
  
  
-== 1.2 Application Id and Secret Key ==+=== 1.2 Application Id and Secret Key ===
  
 Upon App registration, you are assigned an Application Id and Secret Key. The Application Id is considered public information. It composes part of the URL request to the App Store Authorization Server and can easily be identified by the user. Upon App registration, you are assigned an Application Id and Secret Key. The Application Id is considered public information. It composes part of the URL request to the App Store Authorization Server and can easily be identified by the user.
Line 23: Line 31:
 The Secret Key, however, **must** remain confidential. It should only be used server-side (i.e not in the web-browsing client). If a deployed app cannot keep the secret confidential, then an alternative grant flow must be considered. The Secret Key, however, **must** remain confidential. It should only be used server-side (i.e not in the web-browsing client). If a deployed app cannot keep the secret confidential, then an alternative grant flow must be considered.
  
-== 1.3 Application Status ==+=== 1.3 Application Status ===
  
 Your registered App is given a status. Be sure this is not active until you are satisfied it is fully tested. Once an App is "Active" attempts debit requests are treated as genuine and transactions are processed. Your registered App is given a status. Be sure this is not active until you are satisfied it is fully tested. Once an App is "Active" attempts debit requests are treated as genuine and transactions are processed.
  
 +=== 1.4 Scopes ===
  
-=== 2. Authorization ===+OAuth permissions are known as scopes, and are used to control which information about a user an application can access, or restrict the actions that the application can perform on behalf of a user. 
 + 
 +When a user is prompted to log into a web site via an OAuth service, the scopes are explained to the user so that they can decide whether or not to proceed.  For example, when logging into the App Store via LinkedIn, a user is informed that the App Store will be able to access profile information including the user's email address, profile picture, and the industry that they work in. 
 + 
 +The App Store's OAuth service currently supports 3 scopes: 
 + 
 +   * **UserInfo** - used to allow an application to access information about a user 
 +   * **AccountDebit** - used to allow an application to bill a user for usage 
 +   * **DataRead** - used to allow an application to access a user's App Store Connect data 
 + 
 +Applications are not obliged to ask for access to all of the above scopes; they can pick and choose the scopes that they require. 
 + 
 + 
 +==== 2. Authorization ====
  
 In your App, create a "Log In" link sending the user to: In your App, create a "Log In" link sending the user to:
Line 75: Line 97:
 </code> </code>
  
-=== 3. Authenticated Requests ===+==== 3. Authenticated Requests ===
 + 
 +Now that you have an access token, you can make requests to the App Store API. 
 + 
 +=== 3.1 Access Tokens === 
 + 
 +When an application logs a user in via an OAuth service, they receive an access token for the user, also known as a bearer token, as well as information about when the access token expires, and (possibly) a refresh token that can be used to retrieve a new access token when the old one expires, instead of requiring the user to explicitly log into the application again. 
 + 
 +The token contains embedded information about the user, and is signed and encrypted by the OAuth service so that only the machine that issued the token can authenticate requests made using the token.  When an HTTP request is authenticated using a bearer token, a `ClaimsIdentity` object is assigned to the OWIN request object that contains all of the claims that were embedded in the token. 
 + 
 +To authenticate requests made to the App Store API, the calling application must include a valid access token in the HTTP headers of the request.  The token is specified using the `Authorization` HTTP request header, using the `Bearer` authentication scheme.  For example:
  
-Now that you have an access token, you can make requests to the App Store API. You can make an API request using cURL as follows: 
  
 <code> <code>
  
-curl -H "Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia"+var request = new HttpRequestMessage(HttpMethod.Get, "https://appstore.intelligentplant.com/api/resource/getuserinfo"); 
-https://appstore.intelligentplant.com/api/Resource/GetUserInfo+request.Authorization = new AuthenticationHeaderValue("Bearer", "my_access_token"); 
 + 
 +var response = await httpClient.SendAsync(request, someCancellationToken).ConfigureAwait(false); 
 +...
  
 </code> </code>
  
        
dev/app_authentication_example.1460995035.txt.gz · Last modified: 2016/04/18 15:57 by su