oAuth Token Authentication - using same secret key

Question

I currently want two .Net applications running on separate servers within different networks. On one of the servers an API will be hosted to provide sensitive data from a database, and on another server an application will then send requests to that API. Within the network storing the application, which sends requests to the API, the idea was to have a Authentication project which would authenticate application users and provide them with a oAuth Token which can be used to query the API on the other network.

All I want to do when the requests reach the API is to have a method to check they have been authorised and are genuine.

I was thinking that to ensure requests are genuine I could provide both applications with the same secret key for oAuth encryption and the API could then attempt to decrypt the token and if successful it is a trusted request as it was encrypted with the same key.

I'm not sure if this is a secure way to check authentication and would like some opinions to whether this is a good idea.

Answer 1

For decode a string token you need the secret string wich was used to generate encrypt token. This code works for me:

protected string GetName(string token)
    {
        string secret = "this is a string used for encrypt and decrypt token"; 
        var key = Encoding.ASCII.GetBytes(secret);
        var handler = new JwtSecurityTokenHandler();
        handler.ReadToken(token);
        var tokenSecure = handler.ReadToken(token) as SecurityToken;
        var validations = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(key),
            ValidateIssuer = false,
            ValidateAudience = false
        };
        var claims = handler.ValidateToken(token, validations, out tokenSecure);
        return claims.Identity.Name;
    }

Answer 2

What you're describing seems more a simple token-based authentication system rather than the full OAuth authorization framework. OAuth as the name implies is more about granting apps authorization to act on your behalf.

OAuth: An open standard for authorization. Development began in 2006 as employees from companies like Twitter and Google saw the need for a set of shared protocols dictating how web services should authorize other web apps to access to their users' information.

(emphasis is mine, source: Auth0 Identity Glossary)

Don't get me wrong, you could accomplish what you want by going full OAuth, but for this use case it doesn't seem necessary. You can achieve the same by implementing a token-based authentication system using JWT as the token format; this has a couple of benefits:

• It's simpler than having to go fully understand OAuth and implement your own compliant authorization server. Even if you opted for deploying an open source alternative you would still need to ensure everything would be secure or disable everything you would not need. _{(I've already gone through that experience and would not do it again unless I was assured plenty of time and resources to do it)}
• Your API will already be accepting JWT token as authentication so if in the future you do find the need to go full OAuth, your API is already more than ready.

With JWT, the trust relationship between the application doing the authentication and the API consuming the token is established by the fact that JWT's can be signed (either with symmetric key, which seems to be your use case, or with an asymmetric key) to ensure that no one besides the holder of the key could have generated this valid token. JWT's also support encryption, but the signing is sufficient to establish the trust relationship, you only need to bring encryption to the mix if you have sensitive information in the token itself and want to protect it from eavesdropping.

In .NET you should be able to get started on creating and validating JWT's token signed with a symmetric key by relying on the following Nuget package System.IdentityModel.Tokens.Jwt.