Reputation: 113
I want to implement my own custom WebApi authentication. I tried to modify the GrantResourceOwnerCredentials method in ApplicationOAuthProvider.
// Namespaces this method needs:
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;

// Resource-owner-password grant handler from the Web API project template:
// validates the credentials with ASP.NET Identity, then issues the bearer token.
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    using (UserManager<IdentityUser> userManager = _userManagerFactory())
    {
        // Looks the user up by name and verifies the password hash in one call.
        IdentityUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            // Same error for "no such user" and "wrong password": no user enumeration.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // One identity for the bearer token, one for the application cookie.
        ClaimsIdentity oAuthIdentity = await userManager.CreateIdentityAsync(user,
            context.Options.AuthenticationType);
        ClaimsIdentity cookiesIdentity = await userManager.CreateIdentityAsync(user,
            CookieAuthenticationDefaults.AuthenticationType);

        AuthenticationProperties properties = CreateProperties(user.UserName);
        AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
        context.Validated(ticket); // the access token is produced from this ticket
        context.Request.Context.Authentication.SignIn(cookiesIdentity);
    }
}
I replaced the authentication:
IdentityUser user = await userManager.FindAsync(context.UserName, context.Password);
with my web service call that returns true for authenticated and false for not authenticated.
if (authenticated)
{
    IdentityUser user = new IdentityUser("username");
}
But I do not know how to proceed with the ClaimsIdentity. Anyone have samples that I can reference? Thanks.
Upvotes: 1
Views: 2885
Reputation: 61
Late on this, but might as well document it since it's still relevant. If you mean how do you assign and resolve claims from the ticket, you have options. You can either implement the IUserClaimsStore (documentation for said object), or simply create your own claim storage service. The most manual method is assigning the claims to the user explicitly after validating their login and retrieving their identity. Here's a simple example using your code:
using (UserManager<IdentityUser> userManager = _userManagerFactory())
{
    IdentityUser user = await userManager.FindAsync(context.UserName, context.Password);
    if (user == null)
    {
        context.SetError("invalid_grant", "The user name or password is incorrect.");
        return;
    }

    ClaimsIdentity oAuthIdentity = await userManager.CreateIdentityAsync(user,
        context.Options.AuthenticationType);
    ClaimsIdentity cookiesIdentity = await userManager.CreateIdentityAsync(user,
        CookieAuthenticationDefaults.AuthenticationType);

    // IdentityUser has no AddClaim method, so the claims are added to the
    // ClaimsIdentity itself. They are serialised into the ticket (and therefore
    // the token) without writing anything to the user store. To persist them
    // instead, call userManager.AddClaimAsync(user.Id, claim) once, at
    // registration time; CreateIdentityAsync then loads them on every login.
    oAuthIdentity.AddClaim(new Claim("sub", "whateveryouwantthesubjectnametobe"));
    oAuthIdentity.AddClaim(new Claim("someotherclaim", "whosecontentsyoudeterminehoweveryouwouldlike"));
    cookiesIdentity.AddClaim(new Claim("sub", "whateveryouwantthesubjectnametobe"));

    AuthenticationProperties properties = CreateProperties(user.UserName);
    AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
    context.Validated(ticket);
    context.Request.Context.Authentication.SignIn(cookiesIdentity);
}
That should be it: the claims will be part of your token, and it should auto-populate the ClaimsPrincipal on the next request. If you want to view the deserialization of the ticket on a request, create a simple OAuthBearerAuthenticationProvider implementation and override the ValidateIdentity method:
// Nested in the class that configures authentication; needs
// using System.Threading.Tasks; and using Microsoft.Owin.Security.OAuth;
private class SuperSecretBearerAuthClass : OAuthBearerAuthenticationProvider
{
    // Runs after the bearer token has been unprotected, before the request is handled.
    public override Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        var claims = context.Ticket.Identity.Claims; // examine claims here
        // Forward to the base implementation (which runs any OnValidateIdentity
        // callback) and return its Task instead of discarding it.
        return base.ValidateIdentity(context);
    }
}
The registration in startup.cs/wherever you are configuring your auth would look like this:
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
{
    Provider = new SuperSecretBearerAuthClass()
});
Upvotes: 2
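The question swaps Identity's FindAsync for an external web service that only answers true or false and then asks how to build the ClaimsIdentity; the answer above adds claims to the identity and shows how to inspect them on later requests. The provider below puts those pieces together without a UserManager at all. It is an added example, not code from the question, the answer or the Web API template: IExternalAuthenticator, ExternalServiceOAuthProvider and AuthConfig are assumed names standing in for the poster's web-service client and startup code.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Assumed contract for the external authentication web service the question
// mentions (not on the original page): true means the credentials are valid.
public interface IExternalAuthenticator
{
    Task<bool> AuthenticateAsync(string userName, string password);
}

// Assumed name; stands in for ApplicationOAuthProvider when Identity is not used.
public class ExternalServiceOAuthProvider : OAuthAuthorizationServerProvider
{
    private readonly IExternalAuthenticator _authenticator;

    public ExternalServiceOAuthProvider(IExternalAuthenticator authenticator)
    {
        if (authenticator == null) throw new ArgumentNullException("authenticator");
        _authenticator = authenticator;
    }

    // The token endpoint rejects every request unless the client is validated here.
    // The template's password flow uses a public client without a secret; if your
    // clients do have secrets, check context.TryGetBasicCredentials(...) instead.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        bool authenticated;
        try
        {
            authenticated = await _authenticator.AuthenticateAsync(context.UserName, context.Password);
        }
        catch (Exception)
        {
            // A failing backend fails closed, and its error never reaches the client.
            authenticated = false;
        }

        if (!authenticated)
        {
            // One message for "no such user" and "wrong password": no user enumeration.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // Build the identity by hand. Its authentication type must be the one the
        // bearer middleware expects, which is what context.Options.AuthenticationType holds.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.UserName));
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim("sub", context.UserName));
        // Application claims go here; where they come from (the web service, a local
        // table) is your decision. "user" is a placeholder value.
        identity.AddClaim(new Claim(ClaimTypes.Role, "user"));

        // Properties ride inside the protected ticket; TokenEndpoint below echoes them
        // into the token response, as the template's CreateProperties/TokenEndpoint pair does.
        var properties = new AuthenticationProperties(new Dictionary<string, string>
        {
            { "userName", context.UserName }
        });

        context.Validated(new AuthenticationTicket(identity, properties));
    }

    public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    {
        foreach (KeyValuePair<string, string> property in context.Properties.Dictionary)
        {
            context.AdditionalResponseParameters.Add(property.Key, property.Value);
        }
        return Task.FromResult<object>(null);
    }
}

// Registration, in place of the template's Startup.ConfigureAuth (assumed name).
public static class AuthConfig
{
    public static void ConfigureAuth(IAppBuilder app, IExternalAuthenticator authenticator)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ExternalServiceOAuthProvider(authenticator),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            AllowInsecureHttp = false // the password travels in the POST body: require TLS
        });

        // Reads "Authorization: Bearer <token>" on later requests and rebuilds the ClaimsIdentity.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
```

Two things differ from the question's code on purpose. No cookie identity is signed in, because a token-only API does not need one; if you keep the cookie sign-in, create a second ClaimsIdentity with CookieAuthenticationDefaults.AuthenticationType and call SignIn as the question's code does. And ValidateClientAuthentication is overridden explicitly: if it never calls context.Validated(), the token endpoint returns invalid_client and GrantResourceOwnerCredentials is never reached, which is the most common reason a custom provider appears to "do nothing". To watch the claims come back on the next request, plug the answer's SuperSecretBearerAuthClass into the OAuthBearerAuthenticationOptions.Provider property above.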
Reputation: 1828
I don't really understand what you are looking for, but you may want to look at Thinktecture's implementation of the OAuth embedded server.
Check out their Thinktecture.IdentityModel project and samples - https://github.com/thinktecture/Thinktecture.IdentityModel
They have a sample project called samples\OAuth2\EmbeddedAuthorizationServer that uses the GrantResourceOwnerCredentials method to do authentication.
Here's a simple blog post on ClaimsIdentity, which might help as well. http://www.remondo.net/simple-claims-based-identity/
Upvotes: 0