Authenticate to Webapi, using oauth provider (FB etc) client side only (HTML5 /JS phone app).
This is a tricky one, So I can authenticate to our webapi using a username and password, using js from a HTML client, passing username & password as parameters over HTTPS we can set the user to authorised so they can access additional controller(s) for DB updates etc, so far so good bear with me.
I can authenticate to FB, using MVC and set the user to authorised.
I can do the same with HTML & JS client side (hooray), now how would I then authorise the controller, OK I get the users email from FB, so what, anyone could pass that. Suppose I could redirect to a MVC page (from the client) and then set auth on the controller(s) that way, but that's just not good (sending the user out the app, or a pop window).
What's the best method to authenticate the user from the client and authorise webapi controllers at the same time securely, do I have to re-direct the user to a mvc page and do it that way, how are other's handling this for phone apps / phone gap / intel xdk ?
The method apparently is, example facebook, but process is the same for any oauth provider , obtain access token by getting user to sign in/on. Verify Token is genuine using server API (in FB's case graph API) Client is happily logged in, until access token expires. On expire(2 hours is the default), redirect user to login again, app is known it should authenticate without signing in again, unless user has revoked authorisation on your app.
here's a link on how to handle expire access token (examples are PHP)
Not exactly elegant, but it is what it is, and I thought It was only for super geeks!
Sorry to answer my own question