I am writing an API to be used by both my JavaScript app (same domain, API is at api.example.com and site at example.com and 3rd party developers (mobile, desktop, etc). Now I want to use OAuth but I have no idea how the workflow is when using both OAuth and using my application with the same origin policy.
How do I authenticate the user in my web app? When I send the username and password, can I check if the request came from my domain and then return the token? The token will be stored in a cookie and sent back to the server on every request. So there are 2 parts:
- If the request came from my domain, just check for token else throw HTTP exception.
- If not my domain, do OAuth authentication.
Is this possible? How do I go about setting this up in asp.net web API? (mainly the part about checking if the request is in the same domain)
I am guessing that to log into your web app you’re not using OAuth, but simply accept username and password and start a session? If so you don’t really have to bother with OAuth for your own site.
Set up the session cookie to be valid across
*.example.comand you should be able to validate that cookie both onsite.example.comandapi.example.com.Example:
api.example.com/verify_credentials.json402 Unauthorizedif both fail.Here’s a thread about sharing a cookie across sub domains: ASP.NET Subdomain Cookie (parent and one subdomain)