Reputation: 886
what function does OWIN exactly use to generate a token; Can it be leveraged?
I can see the way to generate tokens using the following code as outlined in
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
Provider = new SimpleAuthorizationServerProvider()
};
// Token Generation
app.UseOAuthAuthorizationServer(OAuthServerOptions);
var bearerAuth = new OAuthBearerAuthenticationOptions()
{
Provider = new OAuthBearerAuthenticationProvider()
};
app.UseOAuthBearerAuthentication(bearerAuth);
public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
context.Validated();
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
var manager = new UserManager<User, long>(new UserStore(new UserRepository()));
var user = await manager.FindAsync(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
}
else
{
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("name",user.Email));
context.Validated(identity);
}
}
}
As a consumer I make a REST call to http://localhost:9000/token with my credentials and magically get an access token
I would like to be able to leverage that token generation function for use in other scenarios to manually create a token that would be valid for **this particular** OWIN server.
Secondly, is it possible to have multiple authorization providers that can be conditionally used by this server. If so how does one do that without implementing a token generator from scratch (like the external login stuff)?
Upvotes: 4
Views: 3250
Answers (3)
Reputation: 31
For what it worth, here is how we do it:
var options = new OAuthAuthorizationServerOptions();
var ticket = new AuthenticationTicket(...);
var tokenContext = new AuthenticationTokenCreateContext(null, options.AccessTokenFormat, ticket);
await context.options.AccessTokenProvider.CreateAsync(tokenContext);
var token = tokenContext.Token;
if (string.IsNullOrEmpty(token)) token = tokenContext.SerializeTicket();
return token;
options must be your OAuthAuthorizationServerOptions from your app.UseOAuthAuthorizationServer(options) call.
This mostly replicate how OAuthAuthorizationServerHandler generate a Bearer token. AspNetKatana/OAuthAuthorizationServerHandler.cs
Upvotes: 3
Reputation: 3131
You can see the code here. It can be hard to follow. There is a lot that goes into making it follow the OAuth spec and be pluggable (you can swap out the token format for example) but ultimately the default configuration is doing something like this behind the scenes to generate tokens:
var ticket = new AuthenticationTicket(new ClaimsIdentity(new GenericIdentity("bob")), new AuthenticationProperties());
IDataProtector dataProtecter = null;
var format = new TicketDataFormat(dataProtecter);
var accessToken = format.Protect(ticket);
Usually you should not customize it to much or generate out-of-band tokens unless you understand the security implications and are sure the out-of-the-box code isn't sufficient. Consider something like Identity Server if the built in stuff doesn't do what you need.
Upvotes: 1
Reputation: 886
The OWIN guide http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server has the following method to generate tokens.....
private readonly ConcurrentDictionary<string, string> _authenticationCodes =
new ConcurrentDictionary<string, string>(StringComparer.Ordinal);
private void CreateAuthenticationCode(AuthenticationTokenCreateContext context)
{
context.SetToken(Guid.NewGuid().ToString("n") + Guid.NewGuid().ToString("n"));
_authenticationCodes[context.Token] = context.SerializeTicket();
}
private void ReceiveAuthenticationCode(AuthenticationTokenReceiveContext context)
{
string value;
if (_authenticationCodes.TryRemove(context.Token, out value))
{
context.DeserializeTicket(value);
}
}
This is one way but I still don't know if this is the official way that MS implements it. It would be nice to know if there's a built-in function that can do this.
Upvotes: 0
Related Questions
- How to get a oauth access token created in owin API?
- How is the OWIN OAuth 2 token actually created?
- Web API 2 OWIN Bearer token custom authentication
- Regarding oAuth Token used in web api
- C#/OWIN/ASP.NET: can I *manually* generate and get a valid bearer token string in my API code?
- Generate Access Token In Web Api action method using OWIN and IIS host
- How to generate an OWIN bearer token during registration of a user
- ASP.NET OAuth: How is access token generated?
- How do you get the Oauth2 AccessToken after its creation from the Owin Api?
- What's the default OAuth AccessTokenFormat implementation in OWIN for IIS host?