ASP.Net identity: Difference between UseOAuthBearerTokens and UseCookieAuthentication?

The ASP.NET team has shipped new samples showing how to use the identity packages. They are contained in the following nuget package: Microsoft Asp.Net Identity Samples

The samples are very helpful, but there have been loads of changes from how things were done originally in the templates that shipped.

My specific question: In the original SPA template, there was the following code:

        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            AllowInsecureHttp = true
        };
...
        // Enable the application to use bearer tokens to authenticate users
        app.UseOAuthBearerTokens(OAuthOptions);

But in the new samples in the nuget package, that code is gone, and in its place is this code:

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

Can anyone help me understand the difference between app.UseOAuthBearerTokens and app.UseCookieAuthentication (and why this change was made)? They both seem to allow the application to behave in the same way and I could use some clarification on this change.

Thanks...

-Ben

asked Mar 01 '14 22:03 by BenjiFB


1 Answer

OAuth is used for API security. In an API you would not use cookies, and this is essentially stateless. However, on say a normal MVC or forms website, you would use a normal session cookie. Unless you are creating an API, I would not worry about OAuth, and just go with the traditional cookie-based auth.

If you want to create an API, then you need to, and I would say MUST, do OAuth for your validation. You would then send a token with your request: post, put, delete. This token is decoded on the backend by the handlers to reveal permissions, user ID, etc.

Thought it would be best to extend this and explain the problems, and why OAuth solves them.

Usually an API would be on a separate domain to the UI, be that an app, website, etc. If you did manage to be given a cookie from an API (for example facebook.com), you would only be able to use this cookie on facebook.com. But your website would be www.myblog.com. There are settings in Ajax to enable the passing of cookies with an Ajax request; however, the domain must be the same, and this is still rather sketchy.

So OAuth is born, essentially creating what could be best described as a string-based cookie that can be stored however you like, so long as it is passed back with your requests, within the request headers.

In browser applications you can use JavaScript to create a cookie and save your token within this cookie. This would allow you to take advantage of the persistent storage. However, it is probably better to use the available local storage. So for a browser-based app, this would be the LocalStorage API; for desktop apps you could use temp storage, a local DB, etc.; and phone apps will have something similar.

answered Nov 15 '22 23:11 by davethecoder
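The two middlewares are not either/or: a project that serves MVC pages and a Web API typically registers both, and the security-relevant part is keeping the cookie from authenticating API calls. The Startup configuration below is an added example written for this answer, not code from the question, the answer, or the Microsoft samples; it assumes the template classes `ApplicationDbContext`, `ApplicationUserManager`, `ApplicationUser` and `ApplicationOAuthProvider` (with a single `publicClientId` constructor argument, as in the newer samples) exist in the project, and that an `HttpConfiguration` is passed in from `WebApiConfig`.

```csharp
using System;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
    public static string PublicClientId { get; private set; }

    // Assumed to be called from Startup.Configuration with the Web API config.
    public void ConfigureAuth(IAppBuilder app, HttpConfiguration config)
    {
        // Template classes assumed present: one context and user manager per request.
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        // Cookie middleware: browser-rendered MVC pages. The browser stores and
        // re-sends the cookie itself; unauthenticated users are redirected to LoginPath.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Re-check the security stamp every 30 minutes so a password change
                // or removed login invalidates cookies that are still out there.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

        // Bearer-token middleware: the Web API. Clients obtain a token from /Token and
        // send it as "Authorization: Bearer <token>"; nothing is stored server-side.
        PublicClientId = "self";
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            AllowInsecureHttp = false // the token is a bearer credential: require HTTPS
        };
        app.UseOAuthBearerTokens(OAuthOptions);

        // Make Web API ignore the ambient cookie identity and accept only bearer
        // tokens, so an API call cannot ride on a browser cookie (CSRF via API).
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
    }
}
```

With this split, `/Account/*` pages authenticate via the cookie and `/api/*` controllers only via the bearer token, which is the behaviour the SPA template intends.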