I guess I have got an overall idea of how authentication and authorization work, but I would appreciate it if someone could provide me with a bit more clarity on it. I will explain what I have understood so far, and then say what requires clarification.
Scenario: I am using Individual accounts (Facebook, Google, Twitter authentication).
I followed these tutorials: http://www.asp.net/web-api/overview/security/external-authentication-services
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
Step 1: The client sends a request to the Facebook server with username and password.
Step 2: The Facebook server authenticates the user, and provides the user details along with a bearer token to the client.
Step 3: The client then stores the bearer token locally and sends the user details to the account API controller to register the user.
Step 4: When the client needs to call a particular web API, it sends a request with an HTTP header with the bearer token attached, and the server returns the details.
Things that need clarity:
- I know that Facebook does not provide us with the password of the user (nor do any of the other services). So how does the user get "signed in" to our app with a username alone? I guess I am missing some important point here.
- Now, when I send a request to a web API along with the bearer token, how does the server know that I am the real user? I am not talking about stealing a bearer token; what I mean is, can't I simply use this same bearer token to access someone else's data, not just my data, from our server?
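The point the second question turns on is that a bearer token issued by the API server is bound to one user identity: the server decodes the token to a user id (authentication) and then checks that id against the resource being requested (authorization). The following is an added example that is not part of the original question or of the ASP.NET tutorials linked above. It is a framework-neutral sketch in Python rather than the OWIN bearer middleware that ASP.NET Web API actually uses; `SERVER_SECRET`, the `USER_DATA` store and the `get_user_data` handler are assumptions made for illustration, and the token format (HMAC-signed JSON) is only one of several the server could choose.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical server-side signing key. In a real deployment this is a random
# secret held only by the API server; the client and Facebook never see it.
SERVER_SECRET = b"replace-with-a-random-256-bit-secret"

# Constructed sample data store: local user id -> that user's private data.
USER_DATA = {
    "alice": {"email": "alice@example.test", "balance": 120},
    "bob": {"email": "bob@example.test", "balance": 45},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: int, ttl_seconds: int = 3600,
                secret: bytes = SERVER_SECRET) -> str:
    """Issued by the API server after the external (Facebook) login has been
    verified server-side and mapped to a local account. The token carries the
    local user id ('sub') and an expiry; the HMAC signature binds both, so the
    client cannot change 'sub' to someone else's id without breaking it."""
    claims = {"sub": user_id, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def validate_token(token: str, now: int, secret: bytes = SERVER_SECRET):
    """Return the user id the token was issued for, or None if the token is
    malformed, carries a wrong signature, or has expired."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64url(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    try:
        claims = json.loads(_unb64url(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) else None


def get_user_data(authorization_header: str, requested_user_id: str, now: int):
    """Handler for GET /api/users/{requested_user_id}. Returns (status, body).
    Authentication: who does the bearer token say the caller is?
    Authorization: may that identity read this particular resource?"""
    if not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    caller = validate_token(authorization_header[len("Bearer "):], now)
    if caller is None:
        return 401, {"error": "invalid or expired token"}
    if caller != requested_user_id:
        # The token is valid, but it names a different user than the one whose
        # data is being requested: this is the check that stops a user reading
        # "someone else's data" with their own token.
        return 403, {"error": "token belongs to a different user"}
    if requested_user_id not in USER_DATA:
        return 404, {"error": "no such user"}
    return 200, USER_DATA[requested_user_id]


if __name__ == "__main__":
    now = 1_700_000_000
    alice_token = issue_token("alice", now)
    print(get_user_data("Bearer " + alice_token, "alice", now))  # 200, alice's data
    print(get_user_data("Bearer " + alice_token, "bob", now))    # 403, wrong user
    forged = issue_token("bob", now, secret=b"attacker-guess")
    print(get_user_data("Bearer " + forged, "bob", now))         # 401, bad signature
```

The per-user check in `get_user_data` is the authorization step; in ASP.NET Web API the equivalent is reading the authenticated principal (for example `User.Identity.GetUserId()`) inside the controller and scoping every query to that id rather than trusting an id supplied in the URL or body.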