How do I log in to a desktop application via a web application?

6

I have a web application developed with ASP.NET MVC that handles login by storing the data in the Session.

I have another application, a desktop one, which does some tasks that cannot be done on the web, but this application needs to be authenticated with the same user and password as the web application.

Is there a way to authenticate the desktop application using the active login of the web application?

    
asked by anonymous 18.02.2016 / 14:24

3 answers

1

If the application is going to make multiple requests to the web application, it is best to create a method in the authentication controller that returns a JSON Web Token and use this token to make the requests to the server, without having to hit the database on every request to validate the user. You could store that token in a variable in the desktop application.

If you only need to validate this user once and receive data such as group, email, name, photo, etc., you can create a method in the controller that receives the user and password and, if they are valid, returns a JSON with the data you need; otherwise it returns a login failure. I would do this.

    
18.02.2016 / 20:49
1

If validation has to be by "authentication of the desktop application using the active login of the web application" (in your words), the most correct approach is that, when the user authenticates in the web application, that login generates an authentication "token" in the system.

I'd advise having a table, for example, "UserToken" instead of saving to "Session":

    CREATE TABLE [dbo].[UsuarioToken] (
        [Token]       UNIQUEIDENTIFIER NOT NULL,
        [IdUsuario]   SMALLINT         NOT NULL,
        [DataInicial] DATETIME         DEFAULT (getdate()) NOT NULL, -- set when the token is created
        [DataFinal]   DATETIME         NULL,                         -- set when the token is deactivated
        PRIMARY KEY CLUSTERED ([Token] ASC),
        CONSTRAINT [FK_UsuarioToken_Usuario] FOREIGN KEY ([IdUsuario]) REFERENCES [dbo].[Usuario] ([idUsuario])
    );

Logging in on the web creates the token with the access date (DataInicial). Deactivating the token sets DataFinal. Note that DataInicial is DEFAULT getdate(), while DataFinal is NULL, because it will be the date and time the user "leaves" the web application. DataFinal being NULL or not is what indicates whether the token is active.

With the token created, the rest depends on your business rules and whatever else is applicable and/or feasible for your situation, so the following is just an example / idea:

In the desktop application:

  • Instead of having a form with User and Password, it would have a form to enter the "access key", the token created at the web login, which could be sent to the "client" via e-mail (this being one of the user's registration data). If the token is active, e.g. ValidarToken(Guid token), it does the processing; if not, it returns that the token is invalid.

  • Have a login form with username and password to identify and validate, the first time, whether the user is registered in the web system; after this, check whether a token ("access key") is associated with the logged-in user and whether the token is active in the web system. In short, you identify once whether the user and password are valid; if valid, check for an active "access key" in the web application; if there is one, the token is stored in a variable on the desktop, and in the subsequent processes that require the token, since it is already stored in memory, it only verifies that it is still active in the web application with ValidarToken(Guid token). If it is not, return to the login process again.

I emphasize security rules because the token must be invalidated after all necessary processes are performed on the desktop.

    
08.10.2016 / 17:09
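The token lifecycle this answer describes (created at web login, checked by the desktop through ValidarToken, closed by setting DataFinal), as an added example that is not the answerer's code. The in-memory store, the EmitirToken and InvalidarToken names, the extra `now` parameter, the 8-hour maximum age and the CSPRNG-generated Guid are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
// One row of the answer's UsuarioToken table; DataFinal == null means active.
class UsuarioToken
{
    public Guid Token; public short IdUsuario;
    public DateTime DataInicial; public DateTime? DataFinal;
}
// In-memory stand-in for the table (assumption; a real one queries SQL Server).
class TokenStore
{
    // Assumption: the answer sets no maximum lifetime; 8 hours is illustrative.
    static readonly TimeSpan MaxAge = TimeSpan.FromHours(8);
    readonly Dictionary<Guid, UsuarioToken> rows = new Dictionary<Guid, UsuarioToken>();
    // Web login: insert a row with DataInicial = now and DataFinal = null.
    public Guid EmitirToken(short idUsuario, DateTime now)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes); // CSPRNG value
        var row = new UsuarioToken { Token = new Guid(bytes), IdUsuario = idUsuario, DataInicial = now };
        rows[row.Token] = row;
        return row.Token;
    }
    // Desktop check: unknown, closed and over-age tokens are all rejected.
    public bool ValidarToken(Guid token, DateTime now)
    {
        UsuarioToken row;
        if (!rows.TryGetValue(token, out row) || row.DataFinal != null) return false;
        return now - row.DataInicial <= MaxAge;
    }
    // Web logout or end of the desktop processing: close the token.
    public void InvalidarToken(Guid token, DateTime now)
    {
        UsuarioToken row;
        if (rows.TryGetValue(token, out row) && row.DataFinal == null) row.DataFinal = now;
    }
    // Walk-through with a constructed user id and constructed timestamps.
    static void Main()
    {
        var store = new TokenStore();
        var t0 = new DateTime(2016, 10, 8, 17, 0, 0, DateTimeKind.Utc);
        Guid token = store.EmitirToken(1, t0);
        Console.WriteLine("fresh token:   " + store.ValidarToken(token, t0.AddMinutes(5)));
        Console.WriteLine("unknown token: " + store.ValidarToken(Guid.NewGuid(), t0));
        Console.WriteLine("over-age:      " + store.ValidarToken(token, t0.AddHours(9)));
        store.InvalidarToken(token, t0.AddMinutes(10));
        Console.WriteLine("after logout:  " + store.ValidarToken(token, t0.AddMinutes(11)));
    }
}
```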
-1

For performing authentication, the most elegant way to do this would be to use Claims.

With Claims there is a way to do what you need, as we have the possibility of third party authentication.

link

What you can also do is separate your app so that it has a Service layer, and apply an authentication feature.

    
04.03.2016 / 12:10