How can I validate my custom Oauth2 access token in server-side

c# asp.net-web-api oauth-2.0 authorization access-token
b_in_U picture b_in_U · Apr 29, 2014 · Viewed 20k times · Source 
public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        bool isvalidUser = AuthenticateUser(context.UserName, context.Password);// validate my user&password
        if (!isvalidUser)
        {
            context.Rejected();
            return;
        }
        // create identity
        var id = new ClaimsIdentity(context.Options.AuthenticationType);
        id.AddClaim(new Claim("sub", context.UserName));
        id.AddClaim(new Claim("role", "user"));

        // create metadata to pass on to refresh token provider
        var props = new AuthenticationProperties(new Dictionary<string, string>
            {
                { "as:client_id", context.ClientId }
            });

        var ticket = new AuthenticationTicket(id, props);
        context.Validated(ticket);
    }
}

Login time I'm using this SimpleAuthorizationServerProvider(in Web Api) I can get and send access token to client. Again Login user need to access other Pages, How can I validate my custom Oauth2 access token in server side (in Web Api)

From Client side I'm generation token like this

private static TokenResponse GetToken()
{
    var client = new OAuth2Client(new Uri("http://localhost:1142/token"), "client1", "secret");
    var response = client.RequestResourceOwnerPasswordAsync(uid, pwd).Result;
    Console.WriteLine(response.AccessToken);
    return response;
}

And call particular web api after authentication like this

private static void CallProfile(string token)
{
    var client = new HttpClient();
    client.SetBearerToken(token);
    var response = client.GetStringAsync(new Uri("http://localhost:1142/api/Profile?id=1")).Result;
}

Answer

Hung Doan picture Hung Doan · May 12, 2015

Actually, OWIN handle almost everything for you. If you use ASP.NET API v2 Server to receives requests. You just have to pass your token in the your http requests in the right format.

1. Send http request

There are 2 ways to pass your token :

2. Authenticate your request

You can use (ClaimsPrincipal)Thread.CurrentPrincipal.Identity.IsAuthenticated to check if the requested token is valid

3. Authorize your request

You can use [Authorize] attribute or You can write your own AuthorizeAttribute

If you implement your own Attribute , you can do more interesting things: connect to Database to do complex authorization.

I think, This is a good document to start with OAUTH2 in ASP.NET Web Api: http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/

Related questions

OWIN Security - How to Implement OAuth2 Refresh Tokens

I am using the Web Api 2 template that comes with Visual Studio 2013 has some OWIN middleware to do User Authentication and the likes of. In the OAuthAuthorizationServerOptions I noticed that the OAuth2 Server is setup to hand out tokens that …

Read More
Getting "error": "unsupported_grant_type" when trying to get a JWT by calling an OWIN OAuth secured Web Api via Postman

I have followed this article to implement an OAuth Authorization server. However when I use post man to get a token, I get an error in the response: "error": "unsupported_grant_type" I read somewhere that the data in Postman …

Read More
Adding additional logic to Bearer authorization

I am attempting to implement OWIN bearer token authorization, and based on this article. However, there's one additional piece of information I need in bearer token that I don't know how to implement. In my application, I need to deduce …

Read More