c# - Secure Web API called by PhoneGap application
I'm implementing a Web API to upload/convert/return videos.
Another developer is implementing a PhoneGap application that calls the Web API to upload/convert/show videos to users.
The PhoneGap application uses OpenID to allow users to log in using Google and Facebook.
My problem is that I want to make sure the client calling the Web API has been logged in on the PhoneGap app using Google or Facebook.
I know I need the client to send me a token in the request header that I can "extract" on the Web API to validate the user. The question is: how can the Web API know the token has been generated by OpenID (Google/FB) on the PhoneGap app?
Well, after searching, this is how far I have got, and I share it in the following steps:
1) Whenever a user calls the login page, create a token in the response header to make sure the request is coming from a legitimate user, like the antiforgery token in MVC.
2) Upon successful login, create an authentication cookie, set the current user context value to authorize the user, and generate a token as mentioned above.
3) Then after that, use the normal Authorize and roles attributes provided by Web API.
Let me know what you think. I am more than happy to contribute.
Another approach: when the user logs in, create a hashed token, add it to the response header, and create a custom attribute to grab the token and check it against the database. The problem with this approach is hammering your database every time.
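A stateless variant of the hashed-token approach in the answer above, added here as an example and not code from the original posts: the Web API signs the token with HMAC at login, so a custom attribute can check it without a database lookup. The `SignedToken` class, its demo key, and the `user-123` id are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the page): "userId|expiry|signature" tokens.
public static class SignedToken
{
    // Assumption: constructed demo key; a real service loads it from protected config.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");
    public static string Issue(string userId, DateTimeOffset expires)
    {
        string payload = userId + "|" + expires.ToUnixTimeSeconds();
        return payload + "|" + Sign(payload);
    }

    // Returns the user id when the token is authentic and unexpired, else null.
    public static string Validate(string token, DateTimeOffset now)
    {
        int cut = string.IsNullOrEmpty(token) ? -1 : token.LastIndexOf('|');
        if (cut <= 0) return null;
        string payload = token.Substring(0, cut);
        if (!FixedTimeEquals(Sign(payload), token.Substring(cut + 1))) return null;
        string[] parts = payload.Split('|');   // a user id containing '|' is rejected
        if (parts.Length != 2 || !long.TryParse(parts[1], out long exp)) return null;
        return now.ToUnixTimeSeconds() < exp ? parts[0] : null;
    }
    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    // Compares every character so timing does not reveal how much of the signature matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        string token = Issue("user-123", now.AddMinutes(30));              // constructed user id
        Console.WriteLine(Validate(token, now) ?? "rejected");             // fresh token
        Console.WriteLine(Validate("x" + token, now) ?? "rejected");       // altered payload
        Console.WriteLine(Validate(token, now.AddHours(1)) ?? "rejected"); // after expiry
    }
}
```

A custom authorization attribute would read the token from the request header and pass it to `Validate`, treating a null result as unauthorized.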