Reputation: 22702
Referring to this decision template for choosing the right grant type for my application.
I am not quite sure which grant type to use.
The scenario is as follows:
Basically what I want is that all logged-in users of my MVC application can make AJAX requests from the client browser directly to the resource server instantly using Bearer auth.
The access token owner will be the browser user agent, which will store the access token in local storage for example, right? Every logged-in user will have its own auth token. The clients (browsers) of the MVC app are "first party" clients, right?
What grant type would it be in the end: Password grant?
Upvotes: 0
Views: 649
Reputation: 1583
The grant_type for your password will be "password" itself. For instance, take this example from my application:
JavaScript - Auth service using Angular with OAuth 2.0 and a C# WebAPI 2.0 (MVC) backend - pattern used:
    return $http({
        url: $rootScope.globals.apiPath + "/someController/token",
        method: 'POST',
        data: "userName=" + encodeURIComponent(username) +
              "&password=" + encodeURIComponent(password) +
              "&Scope=" + "website" +
              "&grant_type=password" + // here I pass the type as password to the web api
              "&client_id=clientIdExample",
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
    });
This is then processed on the API using the grant resource owner credentials like so:
C# - API
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var source = LogUtility.InitializeContext(this.GetType());
        try
        {
            // Echo the origin registered for this client so the browser is allowed to read the token response.
            var allowedOrigin = context.OwinContext.Get<String>("clientAllowedOrigin") ?? "*";
            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });

            // Look up the user by the credentials posted with grant_type=password.
            var signOnContext = await new AccessControlBusinessLogicLayer().LoadUserSignOnContextOrDefaultByCredentials(context.Options.AuthenticationType, context.UserName, context.Password);
            if (signOnContext == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }
            context.OwinContext.Set<String>("userSecurityStamp", signOnContext.SecurityStamp);

            var authenticationProperties = new AuthenticationProperties(
                new Dictionary<String, String>
                {
                    { "client_id", context.ClientId }
                });
            var authenticationTicket = new AuthenticationTicket(signOnContext.Identity, authenticationProperties);

            // Check the scope list is non-empty before indexing into it.
            if (context.Scope.Count > 0 && context.Scope[0].ToLower() == "website")
            {
                using (var userContext = new AccessControlContext())
                using (var userManager = new UserManager<IdentityUser>(new UserStore<IdentityUser>(userContext)))
                {
                    var user = AccessBL.LoadUserOrDefaultByUserName(context.UserName);
                    var userId = user.Id;
                }
            }
            context.Validated(authenticationTicket);
        }
        catch (Exception)
        {
            // Rethrow as-is so the original stack trace is preserved.
            throw;
        }
    }
This will check the grant and the current context for the current user. Hope this helps with the ambiguity. This means that the password grant will be the grant resource from the web client, and not the implicit one.
Upvotes: 1