I have 2 api's, that are separate web services on different devices. The one is the SERVER, the other a DEVICE in the field. (of that there can be many).
The server synchronises the UserAuth records from the users that have access as well as the SERVER as to the DEVICE. So the users that have access to the SERVER, have access to that DEVICE with the same credentials as well. All of this works fine, however: now i'm trying to come up with a solution that lets me login to the DEVICE automatically, based on the fact i already authenticated to the SERVER successfully.
I can only come up with a stateless method like ApiKey, but then i wouldn't have a session and my Razor environment on the DEVICE is not fully authenticated.
I probably could use the ApiKey i synced earlier, and make some functionality on the DEVICE where it translates the given ApiKey into a session similar to CredentialsAuthProvider, something like that?
Can anyone give me a tip ?
If you're looking at stateless sessions look at the JWT AuthProvider.
I think JWT would come a long way, however, the content of the session is different for all devices.
One use can only read DEVICE 1, and control DEVICE 2, these restrictions are all put in Roles and Permissions.
A special backend (non-servicestack) sync's the api-key for a given user-device combination realtime to the server, so i thought i could use that authenticate against the AuthRepository of the device somehow.
Just a quick thought: with the CachedApiKeySessions functionality thats in the ApiKeyProvider now, can't i just create a cookie somewhere with that session id, so it has been made persistent for that given cache duration ?
JWTs also contains a Users Roles/Permissions.
You can also use an API Key if you want. Not sure what the point of saving a Cookie is when you have the API Key which is all you need to call Authenticated Services.
Ah, the session is needed because I use the api with razor, so I want to show the razor output without having to login again. API key wil give me access, but won’t count for all requests that are being made from that page.
If i should use the Session, that would be (easily) solved. Is the session that’s created by APIKeyProvider usable in the same way as Credentials Auth Provider does it?
Eg: i tried using building a request, to wich I pass the ApiKey. A session is automatically created, wich I pass through to Response.CreateSessionIds(sess) but it wouldn’t work. Meaning: any following (razor) request would still ask for authentication.
Am i close?
No, the cached API Key sessions is a background implementation detail to speed up subsequent API Key requests by caching the UserSession against the API key.
But I really don't get what you mean by logging in again. There is no "login" when using the API key, each request needs to contain the API Key which is validated on every request.
There is here, but i think its caused by the fact i parse the ApiKey in the QueryString, and not in a cookie. I will check that...