I've made a Web API in ASP.NET that acts as the entry point into a SQL Server database for report data. This service has a "token" endpoint that authenticates a user via ASP Identity and returns a 20-minute access token and a 2-week refresh token.
This API should only be accessible via our own apps and products. We'll be writing an Android app, iOS app, and ASP.NET web application that will authenticate with and get data from this Web API described above. I'll be responsible for the ASP.NET client web application and the API. We are building these apps all internally for our customers to login to and use. No 3rd parties outside of my company will be calling our API through any of their own apps.
For my client ASP.NET web app, I'm writing it in ASP.NET MVC and it doesn't really have a database as of now since it communicates with the API for everything.
I've started with this as a base, and it works...but now I need to convert this HTML file to an ASP.NET web app in MVC and figure out where and how to store the access token and refresh tokens. http://blog.rfaisal.com/2014/01/14/building-your-own-api-and-securing-it-with-oauth-2-0-in-asp-net-webapi-2/
My questions are:
I understand I'll need to pass the access token in subsequent calls to the API to do CRUD operations. Where should I make my web request to authenticate the user on the web app when logging in: from the C# code-behind or from JavaScript as in the tutorial referenced above? I ask because I realize that I'll need the access token in my JS Ajax calls, but I've heard that the refresh token needs to be more "secure", and calling from the server code might give me more secure options for doing so?
Where do I store the access token? In a cookie created in JavaScript or the server? In JavaScript local storage? In a session variable that I can pass to the JavaScript maybe?
Where do I store the refresh token? I'll need this for renewing the access token before it's about to expire. I've Googled this to death, but cannot find a good ASP.NET solution online that tells me where or how to store this from the perspective of my consuming web application. A cookie created from the server, saved in a SQL DB that the web app uses, in a session variable?
I'm in desperate need of help, and this is driving me insane and keeping me awake at night. Hope someone can provide a full, simple example and describe fully what I need to do.
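The pattern the question circles around, written out as an added example (this is not code from the question or from the linked tutorial): the ASP.NET MVC client performs both the password grant and the refresh_token grant server-side, keeps the refresh token only in server-side session state, and hands the short-lived access token to the page's JavaScript through a POST action protected by the anti-forgery token. The API base address, the `TokenResponse` field names (the standard OAuth 2.0 `access_token` / `refresh_token` / `expires_in` keys that the OWIN OAuth server in the tutorial emits), and the use of Newtonsoft.Json for parsing are assumptions.

```csharp
// Added example, not part of the original question or the linked tutorial.
// Assumes ASP.NET MVC 5 (System.Web.Mvc), System.Net.Http and Newtonsoft.Json.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Mvc;
using Newtonsoft.Json;

// Shape of the JSON the API's /token endpoint returns (standard OAuth 2.0 keys; assumed).
public class TokenResponse
{
    [JsonProperty("access_token")]  public string AccessToken  { get; set; }
    [JsonProperty("refresh_token")] public string RefreshToken { get; set; }
    [JsonProperty("expires_in")]    public int    ExpiresIn    { get; set; }
}

// Thin client for the token endpoint. Runs only on the web server, so the user's
// password and the refresh token never leave the server/API pair.
public class TokenClient
{
    // Placeholder base address; replace with the real API host (must be HTTPS).
    private static readonly HttpClient Http =
        new HttpClient { BaseAddress = new Uri("https://api.example.invalid/") };

    public Task<TokenResponse> PasswordGrantAsync(string username, string password)
    {
        return PostTokenAsync(new Dictionary<string, string>
        {
            { "grant_type", "password" }, { "username", username }, { "password", password }
        });
    }

    public Task<TokenResponse> RefreshGrantAsync(string refreshToken)
    {
        return PostTokenAsync(new Dictionary<string, string>
        {
            { "grant_type", "refresh_token" }, { "refresh_token", refreshToken }
        });
    }

    private static async Task<TokenResponse> PostTokenAsync(Dictionary<string, string> form)
    {
        HttpResponseMessage resp = await Http.PostAsync("token", new FormUrlEncodedContent(form));
        if (!resp.IsSuccessStatusCode)
            return null; // bad credentials, or a refresh token that expired / was revoked
        string body = await resp.Content.ReadAsStringAsync();
        return JsonConvert.DeserializeObject<TokenResponse>(body);
    }
}

public class AccountController : Controller
{
    private readonly TokenClient _tokens = new TokenClient();

    // Login form posts here; the browser never talks to /token directly.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(string username, string password)
    {
        TokenResponse t = await _tokens.PasswordGrantAsync(username, password);
        if (t == null)
        {
            ModelState.AddModelError("", "Invalid username or password.");
            return View();
        }
        StoreTokens(t);
        return RedirectToAction("Index", "Home");
    }

    // Page JavaScript POSTs here (with the anti-forgery token) on load and again a minute
    // or two before the access token expires. Only the access token is returned to script.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> AccessToken()
    {
        string refresh = Session["refresh_token"] as string;
        if (refresh == null)
            return new HttpUnauthorizedResult();

        TokenResponse t = await _tokens.RefreshGrantAsync(refresh);
        if (t == null)
        {
            Session.Abandon(); // refresh token rejected: force a fresh login
            return new HttpUnauthorizedResult();
        }
        StoreTokens(t);
        return Json(new { access_token = t.AccessToken, expires_in = t.ExpiresIn });
    }

    private void StoreTokens(TokenResponse t)
    {
        // Refresh token stays server side, bound to this user's session; the browser never sees it.
        Session["refresh_token"] = t.RefreshToken;
        Session["access_token_expires_utc"] = DateTime.UtcNow.AddSeconds(t.ExpiresIn);
    }
}
```

The split this gives you is the one worth having: the refresh token (two weeks of access if stolen) is held only in server-side session state and used only by the server, while the access token (twenty minutes) is the only credential script can read and is the only thing sent in the `Authorization: Bearer` header of the Ajax calls. With the default in-process session provider the refresh token lives in web-server memory; if the web app runs on more than one server, move session state to the SQL Server or StateServer provider (or persist the refresh token per user in a table the web app owns) rather than moving it to the browser.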