In our Startup class, I have configured the following auth server options:

    OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
    {
        AllowInsecureHttp = true,
        TokenEndpointPath = new PathString("/api/v1/token"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
        Provider = new SimpleAuthorizationServerProvider()
    };

After this, which option are we supposed to use to actually enable bearer authentication? There seem to be two variations on the Internet.
Option 1:

    app.UseOAuthAuthorizationServer(OAuthServerOptions);
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

Option 2:

    app.UseOAuthBearerTokens(OAuthServerOptions);

I have tested them both and the results are the same.
What is the difference between these options? When are we supposed to use which?
The UseOAuthBearerTokens extension method creates both the token server and the middleware to validate tokens for requests in the same application.
Pseudocode from source using reflector:

    UseOAuthAuthorizationServer(); // authorization server middleware
    UseOAuthBearerAuthentication(ApplicationOAuthBearerProvider); // application bearer token middleware
    UseOAuthBearerAuthentication(ExternalOAuthBearerProvider); // external bearer token middleware
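
An added example, not part of the original answer or of the Katana source: Option 1 registers the two middlewares separately, so a single Startup can act as token server, as resource API, or as both, while Option 2 always registers everything in one application. `DemoAuthorizationServerProvider`, its placeholder credential check and the `Role` appSettings key are assumptions made for the illustration.

```csharp
using System;
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Constructed stand-in for the question's provider; the credential check is a placeholder.
public class DemoAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // public client: no client secret is checked
        return Task.FromResult(0);
    }
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (context.UserName != "demo" || context.Password != "constructed-password")
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        context.Validated(identity); // the middleware turns this identity into the access token
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // "Role" is a hypothetical appSettings key: "TokenServer", "Api" or "Both".
        string role = ConfigurationManager.AppSettings["Role"] ?? "Both";
        var serverOptions = new OAuthAuthorizationServerOptions
        {
#if DEBUG
            AllowInsecureHttp = true, // token requests over plain HTTP in debug builds only
#endif
            TokenEndpointPath = new PathString("/api/v1/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
            Provider = new DemoAuthorizationServerProvider()
        };
        if (role != "Api") app.UseOAuthAuthorizationServer(serverOptions); // issues tokens
        if (role != "TokenServer") app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); // validates tokens
    }
}
```

When the token server and the API run on different hosts, both must share the same data protection keys (the `machineKey` under IIS), because the default access token format is encrypted by the issuing host.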