OAuth Authorization Service in ASP.NET Core

asp.net oauth asp.net-core asp.net-core-mvc
swannee picture swannee · Mar 15, 2015 · Viewed 36k times · Source

In Web API 2, you used to be able to create an endpoint to issue a token by setting up an OAuth Authorization Server via middleware like below:

//Set up our auth server options.
var OAuthServerOptions = new OAuthAuthorizationServerOptions()
            {
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
                Provider = new SimpleAuthorizationServerProvider()
            };

 // Sets up the token issue endpoint using the options above
 app.UseOAuthAuthorizationServer(OAuthServerOptions);

Perhaps I'm missing it, but I'm trying to figure out how to do this in ASP.NET Core. I've looked through the source (https://github.com/aspnet/Security) but I don't really see anything analogous. Is there a new way to accomplish this? Do I need to just create a controller and do it myself?

I see how OAuth Authentication can be set up via Middleware, but this regards the authorization portion where I issue claims from my API.

Answer

Kévin Chalet picture Kévin Chalet · Mar 19, 2015

Don't waste your time looking for an OAuthAuthorizationServerMiddleware alternative in ASP.NET Core, the ASP.NET team simply decided not to port it: https://github.com/aspnet/Security/issues/83

I suggest having a look to AspNet.Security.OpenIdConnect.Server, an advanced fork of the OAuth2 authorization server middleware that comes with Katana 3: there's an OWIN/Katana 3 version, and an ASP.NET Core version that supports both the full .NET framework and .NET Core.

https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server

ASP.NET Core 1.x:

app.UseOpenIdConnectServer(options =>
{
    options.AllowInsecureHttp = true;
    options.TokenEndpointPath = new PathString("/token");
    options.AccessTokenLifetime = TimeSpan.FromDays(1);
    options.TokenEndpointPath = "/token";
    options.Provider = new SimpleAuthorizationServerProvider();
});

ASP.NET Core 2.x:

services.AddAuthentication().AddOpenIdConnectServer(options =>
{
    options.AllowInsecureHttp = true;
    options.TokenEndpointPath = new PathString("/token");
    options.AccessTokenLifetime = TimeSpan.FromDays(1);
    options.TokenEndpointPath = "/token";
    options.Provider = new SimpleAuthorizationServerProvider();
});

To learn more about this project, I'd recommend reading http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-introduction/.

Good luck!

Related questions

Configure the authorization server endpoint

Question How do we use a bearer token with ASP.NET 5 using a username and password flow? For our scenario, we want to let a user register and login using AJAX calls without needing to use an external login. To …

Read More
What is the best OAuth2 C# library?

It seems like many app providers are using OAuth2 to allow API access, such as Twitter and Facebook. Does anyone use a good library to do OAuth2 processing that is general enough to use across all applications?

Read More
I get "Authorization has been denied for this request." error message when using OWIN oAuth middleware (with separate Auth and Resource Server)

I am attempting to decouple my auth and resource server. I am following the example provided in this tutorial: http://bitoftech.net/2014/09/24/decouple-owin-authorization-server-resource-server-oauth-2-0-web-api/ This is the code in my Startup.cs in my auth server: using Microsoft.Owin; …

Read More