Lorenzo

Reputation: 29427

OAuth resource owner password flow and HMAC

I have a web api application which implements the Resource Owner Password flow from the OAuth specification. Everything works correctly.

Actually, I configure everything in my WebApiConfig class by using an authentication filter like this:

// Configure Web API to use only bearer token authentication.
config.SuppressDefaultHostAuthentication();
config.Filters.Add( new HostAuthenticationFilter( OAuthDefaults.AuthenticationType ) );

As some of my customers asked for a different method of authentication, I am evaluating adding a couple of features to my services, but it is still not clear to me how those features can work together.

In particular, I came across a link which explains in very easy words how to implement HMAC authentication in web api.

Can I implement this authentication method and let the client choose which one he wants to use? Can they coexist?

Upvotes: 1

Views: 132

Answers (1)

MvdD

Reputation: 23436

Yes, your web api service can send back multiple schemes in the WWW-Authenticate challenge. In your case it can send back 'bearer' and 'hmac' for example.

See also this question for more info on using multiple schemes.

BTW, it's not your web api service that supports Resource Owner Password flow. The client uses this flow to get a token from the authorization server that it can use in a bearer scheme with your service (resource server). HTH.

Upvotes: 1
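
One way to do what this answer describes in ASP.NET Web API 2, shown as an added example that is not code from the question, the answer or the linked article: a second authentication filter that acts only on its own scheme and adds its own challenge to 401 responses. The `hmac` scheme name comes from the answer; `HmacAuthenticationFilter`, `Validate` and `AddChallenge` are hypothetical names, and the signature check itself is assumed to live in your `Validate` override.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Added example: a filter for a hypothetical "hmac" scheme, registered next to the bearer filter.
public abstract class HmacAuthenticationFilter : IAuthenticationFilter
{
    public bool AllowMultiple { get { return false; } }

    // Assumption: your own signature check; returns the caller's principal, or null if it fails.
    protected abstract IPrincipal Validate(HttpRequestMessage request, string parameter);

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken ct)
    {
        var auth = context.Request.Headers.Authorization;
        // Bearer or no credentials: set nothing, so HostAuthenticationFilter still decides.
        if (auth == null || !"hmac".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);
        var principal = string.IsNullOrEmpty(auth.Parameter) ? null : Validate(context.Request, auth.Parameter);
        if (principal != null)
            context.Principal = principal;
        else // hmac credentials were sent but did not verify: reject instead of falling through
            context.ErrorResult = new UnauthorizedResult(new AuthenticationHeaderValue[0], context.Request);
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken ct)
    {
        context.Result = new AddChallenge { Inner = context.Result };
        return Task.FromResult(0);
    }

    // Appends "WWW-Authenticate: hmac" to any 401, alongside challenges other filters add.
    private sealed class AddChallenge : IHttpActionResult
    {
        public IHttpActionResult Inner;
        public async Task<HttpResponseMessage> ExecuteAsync(CancellationToken ct)
        {
            var response = await Inner.ExecuteAsync(ct);
            if (response.StatusCode == HttpStatusCode.Unauthorized)
                response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("hmac"));
            return response;
        }
    }
}
```

A concrete subclass would be registered with `config.Filters.Add(...)` next to the existing `HostAuthenticationFilter` line in `WebApiConfig`. Each filter ignores `Authorization` headers that carry the other scheme, so the client picks the method by the scheme it sends.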
