Quickhorn

Reputation: 1181

dotnetopenauth OAuth2AuthorizationServer Sample Modify ResourceServerEncryptionPublicKey

I am working through the OAuthAuthorizationServer sample (provided by sourceforge) and I noticed the RSAParameters ResourceServerEncryptionPublicKey has the comments that this needs to not be hard-coded and a vague description of what that means. However, in regard to actual implementation I am unable to follow.

Specifically: "In a real app, the authorization server would need to determine which resource server the access token needs to be encoded for based on the authorization request. It would then need to look up the public key for that resource server and use that in preparing the access token for the client to use against that resource server."

Are the resource servers described in this comment Google/Facebook etc? How would we look up those public keys? Am I way off base there? The goal is to follow the question listed here. The response in that question is solid, but leaves out some of the meatier details.

Upvotes: 2

Views: 435

Answers (1)

Andrew Arnott

Reputation: 81801

Google and Facebook will not be accepting tokens you issue, so no, the resource servers in your case are not those sites. The resource server is the one that is providing the client with user data. Typically, that's also your web site. In fact, it is often the same site as the authorization server itself. Ask yourself "where will the access token the authorization server is creating be used after I send it to the client?" The answer to that is your resource server.

If you only have one resource server, you should create a public/private key pair for it, and copy the public key into the authorization server. Likewise, you should create another key pair for your authorization server and copy its public key into your resource server.

Upvotes: 1
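The two-key-pair layout the answer describes, as an added C# example that is not from the DotNetOpenAuth sample or its author. It assumes the authorization server signs tokens with its own private key and encrypts them to the resource server's public key (the sample's real token format may differ), and it only shows which half of each pair lives where; in a deployment the keys come from a certificate store or key vault, never from source code.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed example: two independent RSA key pairs and where each half belongs.
class KeyDistributionDemo
{
    static void Main()
    {
        // Key pair 1 belongs to the resource server (RS). Only its PUBLIC half
        // (ExportParameters(false): Modulus + Exponent, no private exponent) is copied
        // to the authorization server, which is what ResourceServerEncryptionPublicKey should hold.
        var resourceServerKeyPair = new RSACryptoServiceProvider(2048);
        RSAParameters resourceServerEncryptionPublicKey = resourceServerKeyPair.ExportParameters(false);
        RSAParameters resourceServerPrivateKey = resourceServerKeyPair.ExportParameters(true); // stays on the RS

        // Key pair 2 belongs to the authorization server (AS). Its PUBLIC half is copied to the RS.
        var authServerKeyPair = new RSACryptoServiceProvider(2048);
        RSAParameters authServerPublicKey = authServerKeyPair.ExportParameters(false);
        RSAParameters authServerPrivateKey = authServerKeyPair.ExportParameters(true); // stays on the AS

        // --- Authorization server: sign with its own private key, encrypt to the RS public key.
        byte[] token = Encoding.UTF8.GetBytes("{\"user\":\"alice\",\"scope\":\"read\"}"); // constructed payload
        byte[] signature, ciphertext;
        using (var signer = new RSACryptoServiceProvider())
        {
            signer.ImportParameters(authServerPrivateKey);
            signature = signer.SignData(token, "SHA256");
        }
        using (var encryptor = new RSACryptoServiceProvider())
        {
            encryptor.ImportParameters(resourceServerEncryptionPublicKey); // public half only
            ciphertext = encryptor.Encrypt(token, true);                   // OAEP padding
        }

        // --- Resource server: decrypt with its own private key, verify with the AS public key.
        byte[] recovered; bool valid;
        using (var decryptor = new RSACryptoServiceProvider())
        {
            decryptor.ImportParameters(resourceServerPrivateKey);
            recovered = decryptor.Decrypt(ciphertext, true);
        }
        using (var verifier = new RSACryptoServiceProvider())
        {
            verifier.ImportParameters(authServerPublicKey);               // public half only
            valid = verifier.VerifyData(recovered, "SHA256", signature);
        }
        Console.WriteLine("signature valid: " + valid + ", payload: " + Encoding.UTF8.GetString(recovered));
    }
}
```

If the RS and AS are the same site, the two pairs can live in one key store, but keep them separate so that the signing key is never the decryption key.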
