Web Api OWIN - How to validate token on each request

paul sim picture paul sim · Jul 26, 2018 · Viewed 13.6k times · Source

I have two applications

  1. Client application build on ASP.NET MVC
  2. Authentication server build on Web API + OWIN

Have planned authentication as follow

  1. For user login client app will make a request to authication server with logged in credential.
  2. Authication server will generate a token and will send back to client application.
  3. Client application will store that token in local storage.
  4. for each subsequent request client app will attached token kept in local storage in request header.

NOW, ON SERVER SIDE OF CLEINT APP I NEED TO VALIDATE THAT TOKEN COMES WITH EACH REQUEST IS NOT TEMPERED.

  1. Please suggest me how to validate token in each request as i don't know the key the OWIN has used to generate the token.
  2. Is is right to write code to validate token on client app or it should be on authication server.
  3. I am planning to shift all user management code like register user, change password to authentication server so than we can re-use it for different client app- is it right design practice?

So far i have wrote below code to just to create a POC.

=========================OWIN configuration========

    [assembly: OwinStartup(typeof(WebApi.App_Start.Startup))]
    namespace WebApi.App_Start
    {
        public class Startup
        {
            public void Configuration(IAppBuilder app)
            {
                HttpConfiguration config = new HttpConfiguration();

                ConfigureOAuth(app);

                WebApiConfig.Register(config);
                app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
                app.UseWebApi(config);
            }

            public void ConfigureOAuth(IAppBuilder app)
            {
                OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
                {
                    AllowInsecureHttp = false,
                    TokenEndpointPath = new PathString("/token"),
                    AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
                    Provider = new SimpleAuthorizationServerProvider(),

         };

         // Token Generation

                app.UseOAuthAuthorizationServer(OAuthServerOptions);
                app.UseOAuthBearerAuthentication(new 
 OAuthBearerAuthenticationOptions());

            }
        }
    }

==============================oAuth Provided========================

 public class SimpleAuthorizationServerProvider: OAuthAuthorizationServerProvider
    {
        public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            context.Validated(); 
        }

        public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {


            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });

            using (AuthRepository _repo = new AuthRepository())
            {
                IdentityUser user =  _repo.FindUser(context.UserName, context.Password);

                if (user == null)
                {
                    context.SetError("invalid_grant", "The user name or password is incorrect.");
                    return;
                }
            }

            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim("sub", context.UserName));
            identity.AddClaim(new Claim("role", "user"));

            context.Validated(identity);

        }
    }

Please help,

Thanks,

@Paul

Answer

Marcus Höglund picture Marcus Höglund · Jul 28, 2018

Please suggest me how to validate token in each request as i don't know the key the OWIN has used to generate the token.

Your current setup, were you have added the app.UseOAuthBearerAuthentication() to the owin pipeline, will authenticate the user from the bearer token which is passed on each request for you. The current user can then be found via HttpContext.Current.User.

Use the Authorize attribute to then decide which users are authorized on certain endpoints. Here's an example where users with the role "user" are allowed to access

[Authorize(Roles="user")]
public class ValuesController : ApiController
{
}

Is is right to write code to validate token on client app or it should be on authication server.

NO, you don't validate the token in client, if your user credentials are wrong you wont get a token at all. That's all you need to know. And also, why should you want to validate the token in the client?

I am planning to shift all user management code like register user, change password to authentication server so than we can re-use it for different client app- is it right design practice?

Reusing a token provider is common. Why invent the wheel for every application? Build one great, or use a third party, and reuse it across your applications.