Authenticating .NET API Service Calls Using Ionic Cloud User Authentication

Ok HUGE issue here. I am using the Ionic Cloud for authorization and an Azure Hosted Web API application which is supplying the data to run the app. Pretty basic.

I know I could embed a username/password to authenticate the .NET calls, but that doesn’t make for a very secure application. I know I can’t be the only person doing this, so I’m hoping someone is smarter than I am and has already figured a way to do this.

I’m open to suggestions but I can only come up with the following…

  1. Use Ionic Cloud Login. Get user’s UUID. When calling the .NET Service, have the service first authenticate the user is real by using the Ionic HTTP API. At least we know if the user is real.

  2. Use Ionic Cloud Login. Embed a un/pw into the app so calls to the .NET API Service at least need some type of Basic Authentication. Drawback here is someone could easily get the un/pw when it’s being sent.

  3. Use Ionic Cloud. Send the token obtained from Ionic Cloud to the .NET API Service and authenticate the user by doing some type of “basic” call to the Ionic HTTP API. If I receive an UNAUTHORIZED, then the user must not have a real token and I shouldn’t send back any data from the app service.

Do any of these sound viable or something similar to what you’ve done in your own applications? Any help/suggestions/confirmations greatly appreciated.

2 Likes

Been there, done that…you’re in for a few days of hacking your server side app to get it to work correctly, but it’s doable.

You need to use JWT and Bearer Based Authentication on your server side. We’re using a .NET core Web API project, combined with an MVC server side website. Our authentication is mixed asp.net identity, and we needed a way to use the [Authorize] attribute for calls from our mobile app as well.

Enter OpenIddict (a nuget package that will solve your problem).

Find me on the ionic worldwide slack, and I can help you more with this, it’s pretty involved, but basically your’e going to enable an OpenIddict authenticate flow through URL’s that your mobile app will use. It’ll
1.) Connect by sending a username and password as a post
2.) receive a bearer token thats good per request
3.) Refresh the bearer token on an interval

The flow needs to be supported by your client, which you can do using some observable timings and local storage.

I should mention, that by taking this route, you’re authenticating directly with your app and not the ionic.io services, so if later on you want to do targeted push notifications or things of that nature using the ionic.io plugins, your’e going to have to manage those features server side on your own since ionic won’t know about your users. It’s not overall difficult, but thought you should keep that in mind.

@bsampica - Thanks so much for replying. Yeah, I thought something like that might be involved. I think eventually we all get “there” since in rapidly putting together these things…seeing if they even have an audience…the Ionic Cloud auth model gets you where you need to be really fast.

However, it does appear we all eventually have to authenticate our own services and apps so the control and security doesn’t get broken mid-stream.

What’s your thoughts on my #3 suggestion? It seems to fit somewhere in between where I am now, and where you are/I will need to be eventually. It’s a step closer to your solution, but might save me a bit of time for now and provide a little more security.

Hey guys –

This seems to be related to this issue:

Can you weigh in on what options you would like to see in Ionic Cloud Auth? It seems like a great start but without some way to Authenticate with Ionic Cloud Auth using an AuthToken, there is an awful lot of work to set up a custom server. I’m hoping the Ionic team can come up with an elegant solution to this, as they have with so many other issues!

Thanks,
Marc

Completely agree with you Marc. The team at Ionic will definitely find some way to do this as they have a great track record of doing so.

I’d say the simplest solution would be to get the Token from any of the authentication options (Email/PW, Facebook, Twitter, etc.) on the client side, and then pass that to the custom server. The custom server could then verify that token by calling Ionic’s API. If authenticated we could either send back a BearerToken that could then be called with every API call. If the session/token is not validated, don’t allow them to make the API Custom Server call and return Unauthorized.

Just a few thoughts there…not sure if that would work completely or not.

1 Like

Thanks for weighing in. I agree, that kind of solution sounds pretty good.

In the meantime, our team is starting to look at Auth0, in the absence of a good pure Ionic solution. Hope they’re working on something!

Cheers,
Marc

Here is a way I am doing:

  1. Building your token based authentication by app_key and app_secret, it meant every token can be stored up to 2 hours.
  2. Everything your client sent the request to your server, must request for a token by using app_key and app_secret to get the token, then your server validate if the token is correct.
  3. From you client side, since Ionic Cloud user is authenticated, so the logged user could send the request with the correct token to your server.

I think this is pretty standard, and it feels like what’s missing is clear docs or code that show how to do this. That’s understandable given the myriad of server-side technologies but the fact their docs don’t address this scenario is kind of strange. It’s not clear to me how I’d use a client-provided token to verify the user is legit from their docs today.

Unless I’m missing something I don’t understand the point of providing an auth solution if I can’t secure my server-side resources against it.

2 Likes

I am looking at Auth0 as well, but their examples are out-of-date and things just don’t work out-of-the-box with Ionic 2. I know auth is hard, but it’s so frustrating that this is all so complicated and requires hours of debugging to get common scenarios working.

I agree. I wish I could tag a few of the Ionic devs in this thread since it’s what I would consider a key issue in the sustainability of their platform. I also concur that Auth0 is probably stepping backwards here.

My team is almost ready to test the scenario I had mentioned in one of my previous comments. We are pretty confident it will work, and if it does we want to suggest this as a potential fix to the issue. They will need to create an API method specifically for this versus the “Denied if failed, Auth if data is returned” way we are going about it.

I’ll post the code and the results when we test it.

Hi Indy,

I want to implement to same solution as you describe it, but I am a novice with authentication services. Can you prive a sample app that demonstrate the authentication of .net app with Ionic Cloud Authentication?

Thanks!

Incidentally, I did implement Auth0 and though it was relatively painful for an auth n00b such as myself, we did manage to get it working smoothly. You will probably find a few various topics on this and the Auth0 board that I authored during that phase should you choose to go down that path.

Marc

Any progress made on this? Seems like a compellingly necessary feature of authentication and app API paradigms

Sad, after looking around in ionic forum for weeks, it seems we have no way to do Ioinc Auth in server side/backend.

Ok gang. I had a great meeting with the Ionic Creator folks to give them some feedback on how my company uses Ionic Creator and as a “thank you” these awesome folks went to the dev’s and got me this. I haven’t had the chance to try it yet, but I’ll get to it this week hopefully and report back (unless someone else does before me).

Hey Doug!

Thanks again for taking the time to chat with us yesterday, it’s really cool how you’re using Creator in your process. I wanted to touch base about using Ionic Auth server side. Basically you’re going to have to do something like this:

  1. Use the getToken() function on the client to get the token and pass it to the server: Ionic Docs - Ionic Documentation
  1. Use that token to make requests on your server. :slight_smile:

In order to validate the token, call this URL and make sure it matches your APP_ID and the correct USER_ID. Instead of passing it a UUID, you’re going to want to pass it the word “self”:

Ionic Docs - Ionic Documentation

a la “/users/self”

Hope that help!

1 Like

ahhhhh I will test this but that seems to make a lot of sense! I knew it had to do w/ the token :sunglasses:

thanks and I will let you know if this works when I try it out!

Yeppers, got it working here’s the basic rundown:

Client:

http.post(url+"?token=abc&user_id=dfg");

Server:

	//Middleware for every call
	router.use(function(req, res, next) {
		res.io = io;
		
		var options = {
			method: 'GET',
			host: 'api.ionic.io',
			path: '/users/self',
			headers: {
				authorization: 'Bearer '+req.query.token,
				user_id: req.query.user_id,
				app_id: 'APP_ID'
			}
			
		};
		
		var http_req = https.request(options, function(resp){
			
			console.log("Auth Middleware! ", resp.statusCode);
			if(resp.statusCode == 401)
				return res.status(401).send();
			
			
			next();
		}, function(err){
			console.log("Err!");
			
			return res.status(401).send();
		});	
		
		http_req.end();
	});
	

Fantastic. I was so hoping this would help all of us. Ionic.io gets you pretty far really fast with Social Logins and User management, I was really hoping I wouldn’t have to ditch all of that for regular .NET Identity or some other type of Node based user system.

Thanks so much for sharing the actual bones of the solution.

I wouldn’t have to ditch all of that for regular .NET Identity or some other type of Node based user system

oh god I know right.

No problem, wouldn’t have figured out that /self part on my own :stuck_out_tongue: Thanks and cheers