Hi,
I am working on a distributed application with ASP.NET Web API based REST services hosted on Azure as Cloud Services.
These services are consumed by a variety of client applications (e.g. web applications (SPA), other web services, native applications on mobile devices).
Our REST Web Service (RWS) has a number of actions; some are secured with authorization and others are open, i.e. some are only allowed for authenticated users while others are not. As users are verified with Forms authentication, this system works well so far with SSL in place.
Hopefully the description above sets enough context for me to come to the problem statement now.
Problem Statement: I now need to identify and authorize the client application as well.
i.e. somehow, in some way, the web services would identify and authorize only known client applications to request any resource or to authorize users.
Assume:
1) The Azure web service has an action URI like "https://www.somedomain/api/somecontroller/someaction".
2) A mobile app "my-mobile-app", published by me, consumes this URI. I want to allow "my-mobile-app" to consume the URI by identifying/authorizing it.
I know "my-mobile-app", I love it. I identify/authorize this client application first and then allow it to attempt the end-user authentication.
3) Another mobile app "blah-mobile-app", published by someone else, somehow knows this URI and attempts to consume it. I DO NOT want to allow it to consume this URI. I want to just close the door in its face. Nada. Zip. I won't entertain this client application making any request for resources.
A quick potential solution which comes to mind is: to give a predefined KEY to the client application and then to use an HTTP handler to intercept incoming calls, checking for the presence of this KEY to identify and authorize the client. But I would really appreciate a better, more manageable approach for this problem, as I may have to extend this solution to all possible clients, and who knows, I may need similar solutions on other web service projects as well.
Let me know if additional information is needed or any section of the question is not clear.
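One way to implement the key-checking HTTP handler sketched in the question, as an added example that is not code from the original post: an ASP.NET Web API 2 DelegatingHandler that runs before routing, rejects any request that does not carry the key of a known client application, and passes the verified client name down the pipeline. The header name, class name and key values are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Rejects every request that does not carry the key of a known client application.
public class ClientKeyHandler : DelegatingHandler
{
    private const string HeaderName = "X-Client-Key";   // header name is an assumption
    // SHA-256 digest (hex) of each key -> client name. Storing digests rather than raw
    // keys means the server config never holds a directly usable secret, and comparing
    // digests sidesteps timing differences in string equality on the secret itself.
    private readonly Dictionary<string, string> _clientsByKeyDigest;

    public ClientKeyHandler(IDictionary<string, string> keyToClientName)
    {
        _clientsByKeyDigest = keyToClientName.ToDictionary(
            kv => Sha256Hex(kv.Key), kv => kv.Value, StringComparer.OrdinalIgnoreCase);
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        string clientName;
        if (!request.Headers.TryGetValues(HeaderName, out values)
            || !_clientsByKeyDigest.TryGetValue(Sha256Hex(values.First()), out clientName))
        {
            // Unknown client: stop here, so neither the action nor user authentication runs.
            var denied = new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request };
            return Task.FromResult(denied);
        }
        // Expose the verified client identity to filters/controllers further down the pipeline.
        request.Properties["ClientApplication"] = clientName;
        return base.SendAsync(request, cancellationToken);
    }

    private static string Sha256Hex(string value)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(value))).Replace("-", "");
    }
}

// Registration in WebApiConfig.Register(HttpConfiguration config); the key below is a
// constructed placeholder and would be loaded from the service configuration in practice:
//   config.MessageHandlers.Add(new ClientKeyHandler(
//       new Dictionary<string, string> { { "REPLACE-WITH-my-mobile-app-KEY", "my-mobile-app" } }));
```

A key embedded in a published mobile app can be recovered by anyone who has the binary, so this identifies the application only against casual callers; identifying it more strongly needs a per-installation credential issued at registration or a registered OAuth client.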