C# Login to our site via other apps

[James Rose]

Hello gang,

 

Working on an idea with a friend and we will want to allow external developers to create apps and have access to our data.  One issue is user login.  I can resolve it using http://www.asp.net/web-api/overview/security/external-authentication-services  (I believe this will work for what we want) however I would like to get some basic feedback or other thoughts on routes we should or should not go.

 

I obviously don't want the other developers to have access to the user's ID and password, but what else should I think of?

 

Thanks,

James

[+LogicalApex MVC]

You would probably do best implementing OAuth. You can then allow users to accept applications without sharing login information (tokens are shared) similar to Facebook, Google, OpenID, and others.

 

Probably the best approach.

[firey]

I think (like Logical said) you are better off using a pre-existing solution.  It would be a large undertaking to write your own (though not crazy difficult, they just need to access your web service which would handle what site they are logged into, etc.  However you would need to build in a lot of security, as you can't put yourself or any websites that use it at risk.  It's a lot of work, and a lot of security work ontop.

[James Rose]

Thanks guys, I had looked at OAuth a few years ago, and after LogicApex's suggestion last night I looked at it again.  You seem to be right as this to be our best method.  Thanks again.