How to modify token endpoint response body with Owin OAuth2 in Asp.Net Web API 2

Samoji · Feb 22, 2015 · Viewed 10.5k times

I want to modify the response body from the token endpoint response.

I've tried to intercept the /Token request with a MessageHandler but it doesn't work.

I'm able to add some additional information to the response by overriding the OAuthAuthorizationServerProvider.TokenEndpoint method, but I'm not able to create my own response body.

Is there a way to intercept the /Token request?


Edit

I found out how to remove the response body content from the token endpoint response, like this: HttpContext.Current.Response.SuppressContent = true;

It seems the right way to achieve my goal, but now when I use the context.AdditionalResponseParameters.Add() method to add my custom information, SuppressContent blocks any alterations.

Now I have something like this:

public override Task TokenEndpoint(OAuthTokenEndpointContext context)
{
    // Removing the body from the token endpoint response
    HttpContext.Current.Response.SuppressContent = true;
    // Add custom information
    context.AdditionalResponseParameters.Add("a", "test");
    return Task.FromResult<object>(null);
}

Answer

Kévin Chalet · Feb 23, 2015

To simply add new items to the JSON token response, you can use TokenEndpointResponse instead of the TokenEndpoint notification.


If you're looking for a way to completely replace the token response prepared by the OAuth2 authorization server with your own, there's sadly no easy way to do that because OAuthAuthorizationServerHandler.InvokeTokenEndpointAsync doesn't check the OAuthTokenEndpointContext.IsRequestCompleted property after invoking the TokenEndpointResponse notification.

https://github.com/aspnet/AspNetKatana/blob/dev/src/Microsoft.Owin.Security.OAuth/OAuthAuthorizationServerHandler.cs

This is a known issue, but it was too late to include it in Katana 3 when I suggested fixing it.

You should give Owin.Security.OpenIdConnect.Server a try: it's a fork of the OAuthAuthorizationServerMiddleware designed for Katana 3.0 and 4.0.

https://www.nuget.org/packages/Owin.Security.OpenIdConnect.Server/1.0.2

Of course, it includes the correct check to allow bypassing the default token request processing (this was even one of the first things I fixed when forking it).
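An added example (not code from the question or the answer) of the TokenEndpointResponse override the answer recommends for extending the JSON body; the provider class name and the choice of which claims to expose are assumptions:

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Assumed name: register an instance as OAuthAuthorizationServerOptions.Provider
// when calling app.UseOAuthAuthorizationServer(...) in Startup.
public class CustomOAuthProvider : OAuthAuthorizationServerProvider
{
    // TokenEndpointResponse runs after the token has been issued and serialized,
    // so anything added to AdditionalResponseParameters here is written into the
    // JSON body next to access_token, token_type and expires_in. This is the hook
    // to use instead of TokenEndpoint when the goal is extra response fields.
    public override Task TokenEndpointResponse(OAuthTokenEndpointResponseContext context)
    {
        ClaimsIdentity identity = context.Identity;
        if (identity == null)
        {
            // No token was issued (e.g. bad credentials); leave the error body alone.
            return Task.FromResult<object>(null);
        }

        // Copy only deliberately chosen, non-sensitive claims. Never dump the whole
        // claim set or any secret into the body: the token response is returned to
        // the client and may be logged by intermediaries.
        Claim nameClaim = identity.FindFirst(ClaimTypes.Name);
        if (nameClaim != null)
        {
            context.AdditionalResponseParameters["user_name"] = nameClaim.Value;
        }

        var roles = new List<string>();
        foreach (Claim role in identity.FindAll(ClaimTypes.Role))
        {
            roles.Add(role.Value);
        }
        context.AdditionalResponseParameters["roles"] = string.Join(",", roles);

        return Task.FromResult<object>(null);
    }
}
```

Registering this provider changes only what is appended to the body; as the answer notes, replacing the body wholesale is not possible through this notification because IsRequestCompleted is not honoured after it returns.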