How to use security (Authentication & Authorization) in ASP.NET Web Api

Backend | unresolved | 2 | 787
无人共我 2020-12-07 04:39

I am developing an Android application which will use a SQL server(database) to store the application's data. In addition, the application will use the ASP web API to send

2 answers
  • 2020-12-07 05:17
    1. Login (username and password stored in BasicNameValuePair) from your client (here Android) by accessing a Web API controller (perhaps /Token if you use some samples from the ASP.NET Web API website). If successful, the access token will be returned in the response and you save it in your client (SharedPreferences or database).
    2. Then you just need to send the access token (no need for the username and password anymore) to request the other API controllers.

    Of course, HTTPS should be used here for better security.

    Sample code for getting the access token (login phase):

    import java.util.ArrayList;
    import java.util.List;
    import org.apache.http.HttpResponse;
    import org.apache.http.HttpStatus;
    import org.apache.http.NameValuePair;
    import org.apache.http.message.BasicNameValuePair;
    import org.json.JSONObject;

    // org.apache.http is the legacy Android HttpClient: deprecated since API 22 and
    // not on the default classpath from API 23; newer code uses HttpURLConnection or OkHttp.

    // Assumed to be static fields of the helper class, shared with makeHTTPRequest()
    // and getJSONFromInputStream(), which set them.
    private static HttpResponse httpResponse;
    private static int statusCode;
    private static String jsonString;

    public static Object getAccessToken(String address, String grant_type, String username, String password) throws Exception {
        // OAuth2 resource-owner password grant: the form fields the /Token endpoint expects
        List<NameValuePair> params = new ArrayList<>();
        params.add(new BasicNameValuePair("grant_type", grant_type));
        params.add(new BasicNameValuePair("username", username));
        params.add(new BasicNameValuePair("password", password));

        JSONObject jObj = null;
        // Making HTTP request
        httpResponse = makeHTTPRequest(address, params);
        if (httpResponse != null) {
            statusCode = httpResponse.getStatusLine().getStatusCode();
            // 200 carries the token, 400 carries an error object (e.g. invalid_grant);
            // any other status is reported as its status line
            if (statusCode != HttpStatus.SC_OK && statusCode != HttpStatus.SC_BAD_REQUEST) {
                return httpResponse.getStatusLine().toString();
            }

            // Get JSON String (jsonString) from Input Stream (is)
            getJSONFromInputStream();
            if (jsonString == null || jsonString.isEmpty()) {
                return null;
            }
            // Parse the JSON String to a JSON Object
            jObj = new JSONObject(jsonString);
        }
        // Return JSON Object (null if no response was received)
        return jObj;
    }
    

    Inside makeHTTPRequest, for requesting the access token:

    httpPost.setHeader("Content-Type", "application/x-www-form-urlencoded");
    httpPost.setEntity(new UrlEncodedFormEntity(parameters));
    
  • 2020-12-07 05:29

    Can your clients access from multiple devices with the same account?
    ---- First case (can access from multiple devices):
    1. If the username or id exists in internal storage, just send it to the server.
    2. If not, ask the client for the username and password, then send them to the server (or just the phone number).
    3. Check the user information in the database on the server.
    4. If authentication succeeds, save the userid or username into internal storage.
    5. If it fails, ask again.
    ---- Second case (can't access from multiple devices):
    You need to send the user's device id to the server to detect which device your user logged in from. If the device id matches, authentication succeeds; otherwise it fails and the user is asked to log in again. But in this case you need to be careful, because if the user logs in from another device, the first user must be disconnected. Therefore you should send the userid and device id with every request, or the server sends the client a disconnect query.

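As an added example that is not part of either answer above: the two-phase exchange from the first answer (a password grant against /Token, then only a bearer token on every later request) and the one-device-per-account rule from the second answer, modelled in Python against stub endpoints. The stub /Token mirrors the response shape of the ASP.NET Web API 2 individual-accounts template (access_token, token_type and expires_in on 200; an invalid_grant error object on 400, which is why the Java client above treats 400 as a parseable response rather than a transport failure). The user, password, device ids and both stubs are constructed for this example. One deliberate departure from the second answer: the server identifies the user from the token it issued rather than from a userid the client claims, and compares the device id with the one recorded at login, so a client cannot authenticate by sending someone else's id.

```python
"""
Added example (not from the original answers): password-grant login against a
stub /Token endpoint, bearer-token use on a protected controller, and the
"one active device per account" rule enforced by revoking the previous token.
All users, passwords, device ids and endpoints here are constructed.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode

# ---- constructed server state (stands in for the SQL Server database) ----
# PBKDF2-SHA256 is a stand-in for ASP.NET Identity's PasswordHasher.
_SALT = b"constructed-salt"


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse")}   # constructed user
TOKENS: dict = {}        # token -> {"user", "device", "expires"}
ACTIVE_TOKEN: dict = {}  # user -> the only token currently accepted (answer 2, case 2)
TOKEN_TTL = 1209600      # seconds; the Web API template issues 14-day tokens


# ---- stub of POST /Token (form-encoded, like the OWIN OAuth server) ----
def token_endpoint(form_body: str, device_id: str, now: float) -> tuple:
    """Returns (status, json_body): 200 with the token, or 400 + invalid_grant."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != "password":
        return 400, json.dumps({"error": "unsupported_grant_type"})
    user = form.get("username", "")
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, _hash(form.get("password", ""))):
        return 400, json.dumps({"error": "invalid_grant",
                                "error_description": "The user name or password is incorrect."})
    token = secrets.token_urlsafe(32)   # opaque; validity is a server-side lookup
    # One active device per account: a new login replaces the old token, so the
    # first device's next request fails and it has to log in again.
    old = ACTIVE_TOKEN.get(user)
    if old is not None:
        TOKENS.pop(old, None)
    ACTIVE_TOKEN[user] = token
    TOKENS[token] = {"user": user, "device": device_id, "expires": now + TOKEN_TTL}
    return 200, json.dumps({"access_token": token, "token_type": "bearer",
                            "expires_in": TOKEN_TTL})


# ---- stub of a protected controller: only the bearer token is checked ----
def protected_endpoint(headers: dict, device_id: str, now: float) -> int:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    rec = TOKENS.get(auth[len("Bearer "):])
    if rec is None or rec["expires"] <= now or rec["device"] != device_id:
        return 401   # revoked, expired, or presented from a different device
    return 200


# ---- client side: what the Android code does ----
def login(username: str, password: str, device_id: str, now: float) -> dict:
    """Phase 1: trade credentials for a token once. Returns what the client
    persists (SharedPreferences/DB), or the error object from a 400 response."""
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    status, resp = token_endpoint(body, device_id, now)
    if status not in (200, 400):
        raise RuntimeError(f"unexpected status {status}")
    data = json.loads(resp)
    if "error" in data:
        return data
    return {"access_token": data["access_token"], "expires_at": now + data["expires_in"]}


def call_api(saved: dict, device_id: str, now: float) -> int:
    """Phase 2: send only the token; the username and password are never resent."""
    if saved["expires_at"] <= now:
        return 401   # the client already knows it must log in again
    headers = {"Authorization": "Bearer " + saved["access_token"]}
    return protected_endpoint(headers, device_id, now)
```

The tokens here are opaque and looked up server-side, which is what makes revoking the first device's token immediate. The OWIN bearer tokens issued by the Web API template are self-contained (protected with the server's data-protection key) and are not revocable by default, so the one-device rule there needs an extra server-side store of issued or revoked tokens checked on every request.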