Do you have any idea how I can use an access_token generated by the default ASP.NET Web API 2 OAuth 2 authorization mechanism in the URL parameters? Currently I am able to authorize successfully by sending a request with an Authorization header like this:

```http
Accept: application/json
Content-Type: application/json
Authorization: Bearer pADKsjwMv927u...
```
What I want is to enable the authorization through URL parameter like this:
https://www.domain.com/api/MyController?access_token=pADKsjwMv927u...
"Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken."
Use Web API 2 parameter binding, e.g. http://localhost:29001/api/test/Z4TTHmY98=gFw2rG/

```csharp
using System.Web.Http;

[HttpGet]
[Route("api/test/{AuthToken}")] // attribute route templates must not start with '/'
public IHttpActionResult Test([FromUri] string AuthToken)
{
    // Validate AuthToken here, then do whatever you want to do.
    return Ok();
}
```

Careful with the route. It needs to be proper and configured in WebApiConfig.
You need to perform the following: Register your app in the Security Token Service, based on IdentityServer3. Within your app, acquire an access token from the STS. Add an authorization header Bearer access_token and call the Sitefinity Web API.
Well - I agree that the header is a much better alternative - but there are of course situations where the query string is needed. The OAuth2 spec defines it as well.
Anyways - this feature is built into the Katana OAuth2 middleware:
http://leastprivilege.com/2013/10/31/retrieving-bearer-tokens-from-alternative-locations-in-katanaowin/
```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider
{
    readonly string _name;

    public QueryStringOAuthBearerProvider(string name)
    {
        _name = name;
    }

    public override Task RequestToken(OAuthRequestTokenContext context)
    {
        // Read the token from the named query-string parameter.
        var value = context.Request.Query.Get(_name);
        if (!string.IsNullOrEmpty(value))
        {
            context.Token = value;
        }
        return Task.FromResult<object>(null);
    }
}
```
And then:
```csharp
var options = new JwtBearerAuthenticationOptions
{
    AllowedAudiences = new[] { audience },
    IssuerSecurityTokenProviders = new[]
    {
        new SymmetricKeyIssuerSecurityTokenProvider(issuer, signingKey)
    },
    Provider = new QueryStringOAuthBearerProvider("access_token")
};
```
So, go to Global.asax and add this method:
```csharp
void Application_BeginRequest(object sender, EventArgs e)
{
    // Only fall back to the query string when no Authorization header was sent.
    if (ReferenceEquals(null, HttpContext.Current.Request.Headers["Authorization"]))
    {
        var token = HttpContext.Current.Request.Params["access_token"];
        if (!String.IsNullOrEmpty(token))
        {
            HttpContext.Current.Request.Headers.Add("Authorization", "Bearer " + token);
        }
    }
}
```

UPDATE: Check out @leastprivilege's answer. Much better solution.
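As an added example (not code from any of the answers above), this combines the Katana provider from @leastprivilege's answer with the header-first check from the Global.asax answer, limits the query-string fallback to one path prefix, and marks such responses Cache-Control: private as RFC 6750 section 2.3 asks. The class name, the "/api/download" prefix, the audience, issuer and the environment variable holding the signing key are assumptions for this example.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hardened query-string provider: header first, query string only as a fallback below one prefix.
public class RestrictedQueryStringBearerProvider : OAuthBearerAuthenticationProvider
{
    private readonly string _parameterName;
    private readonly PathString _allowedPrefix;

    public RestrictedQueryStringBearerProvider(string parameterName, PathString allowedPrefix)
    {
        _parameterName = parameterName;
        _allowedPrefix = allowedPrefix;
    }

    public override Task RequestToken(OAuthRequestTokenContext context)
    {
        // If context.Token stays null, the middleware parses the Authorization header itself;
        // the query parameter must never override a header that is present.
        bool hasHeader = !string.IsNullOrEmpty(context.Request.Headers.Get("Authorization"));
        if (!hasHeader && context.Request.Path.StartsWithSegments(_allowedPrefix))
        {
            var token = context.Request.Query.Get(_parameterName);
            if (!string.IsNullOrEmpty(token))
            {
                context.Token = token;
                // RFC 6750 section 2.3: keep shared caches from storing a response keyed on a token URL.
                context.Response.Headers.Set("Cache-Control", "private");
            }
        }
        return Task.FromResult<object>(null);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Placeholders: audience, issuer and key source are assumed for this example.
        var signingKey = Convert.FromBase64String(Environment.GetEnvironmentVariable("JWT_SIGNING_KEY_B64"));
        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            AllowedAudiences = new[] { "https://www.domain.com/api" },
            IssuerSecurityTokenProviders = new[] { new SymmetricKeyIssuerSecurityTokenProvider("https://sts.example.com", signingKey) },
            Provider = new RestrictedQueryStringBearerProvider("access_token", new PathString("/api/download"))
        });
    }
}
```

Requests outside the prefix, or requests that already carry an Authorization header, are authenticated exactly as before; only the narrow download case reads the token from the URL.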