We have OWIN OAuth 2.0 working (thanks to this fantastic post) but needed some more insight into the actual process of converting the ClaimsIdentity into the actual access_token string in the HTTP response.
We're creating the ClaimsIdentity in this method in our OAuth Authorization Provider:
public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    // <snip>
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // validation, user checking code here
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim("sub", context.UserName));
        identity.AddClaim(new Claim("role", "user"));
        context.Validated(identity);
    }
}
And when we make the HTTP POST request as grant_type=password&username=user007&password=jamesbond (relax, the password here is ok), we get the HTTP POST response body:
{"access_token":"9K8VtOBseU0-XZfdGe2_urn2HESY3jLkpgvowOQFPXsHeWNOrTlTVzfPu35ZEvr4AqSj_b0laesBegtVWuR8R-aItnNXw4vXiuCg0cTNMUKP_yfi89VhD446o2X6ffL8upwZVILpomweSweIVlDmwUDzIwf1ZqubrQ8vuiQDFu-_7vpjPwJ5yVvomQ75agsJWMZk-H_bVWSObds82aM8LCRJwb2bUJchr6_L1GP8xdXqRQz24uDhHvco-XByyMSMzZm-Qo0VVBbocbgP64OJulbihVG_W9e8G69UfbX99pIYiLyE4jixiUtjOKSiMYBISW3_fg","token_type":"bearer","expires_in":1799,"as:client_id":"","userName":"user007",".issued":"Fri, 31 Oct 2014 16:02:05 GMT",".expires":"Fri, 31 Oct 2014 16:32:05 GMT"}
Question: What is the logic that creates the actual access_token string?
Some specific concerns within the question:
access_token string? Thanks
The client application first sends a request to the Authentication server with valid credentials. The Authentication server sends an Access token to the client as a response. The client application then uses the token to access the restricted resources in the next requests, as long as the token is valid.
Token-based authentication is a process where the client application first sends a request to the Authentication server with valid credentials. The Authentication server sends an Access token to the client as a response. This token contains enough data to identify a particular user and it has an expiry time.
Glad that my post was useful, please find the answers below:
1 - This 'magical' string is an encrypted or signed string (the MSDN documentation is poor and speaks of encrypting or signing without clarity) that contains the deserialized version of all the claims and ticket properties for the signed-in user. If in IIS mode, the encryption/signing is done via the "decryptionKey" and "validationKey" key values in the machineKey node (documentation). If running as a standalone OWIN application, the encryption uses the legacy DPAPI to protect it, and that actually uses the obsolete 3DES algorithm (documentation). The default implementation for it is in the source code here.
2 - Answered in point 1.
3 - Check my new post where I show how to issue signed Json web tokens instead of default access token.
Hope this answers your question.
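To make point 1 concrete, here is an added example (not code from the question or from the answer's blog) that reproduces the default OWIN pipeline behind AccessTokenFormat: TicketSerializer, then the IDataProtector, then Base64Url encoding, run as a console app against Microsoft.Owin.Security with the DPAPI provider used in the self-host case. The purpose strings passed to Create are my assumption of what the middleware uses; they only need to match between the side that issues the token and the side that validates it.

```csharp
// Added example; assumes a console app referencing Microsoft.Owin.Security.
using System;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Microsoft.Owin.Security.DataHandler.Serializer;
using Microsoft.Owin.Security.DataProtection;
using System.Security.Claims;

class TokenFormatDemo
{
    static void Main()
    {
        // Same identity the question builds in GrantResourceOwnerCredentials.
        var identity = new ClaimsIdentity("bearer");
        identity.AddClaim(new Claim("sub", "user007"));
        identity.AddClaim(new Claim("role", "user"));

        // The middleware wraps identity + properties (.issued/.expires) in a ticket.
        var props = new AuthenticationProperties
        {
            IssuedUtc = DateTimeOffset.UtcNow,
            ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(30)
        };
        var ticket = new AuthenticationTicket(identity, props);

        // DPAPI protector for self-host; under IIS the machineKey-backed provider is used.
        // Purpose strings below are an assumption, not copied from the middleware source.
        IDataProtectionProvider provider = new DpapiDataProtectionProvider("OwinOAuthDemo");
        IDataProtector protector = provider.Create("Microsoft.Owin.Security.OAuth", "Access_Token", "v1");

        // TicketDataFormat = SecureDataFormat<AuthenticationTicket>(ticket serializer, protector, Base64Url).
        var format = new TicketDataFormat(protector);
        string accessToken = format.Protect(ticket);
        Console.WriteLine("access_token: " + accessToken);

        // The same three steps done by hand, to show what Protect does internally.
        byte[] plain = new TicketSerializer().Serialize(ticket);   // claims + properties, not encrypted
        byte[] sealedBytes = protector.Protect(plain);             // DPAPI / machineKey protection
        string manual = TextEncodings.Base64Url.Encode(sealedBytes);
        Console.WriteLine("manual token length: " + manual.Length); // DPAPI output is not deterministic

        // Round-trip: a server holding the same keys recovers the claims; anything else gets null.
        AuthenticationTicket back = format.Unprotect(accessToken);
        Console.WriteLine("sub = " + back.Identity.FindFirst("sub").Value + ", expires = " + back.Properties.ExpiresUtc);
        var wrongPurpose = new TicketDataFormat(provider.Create("other", "purpose"));
        Console.WriteLine("unprotect with different purposes: " + (wrongPurpose.Unprotect(accessToken) == null ? "null" : "ticket"));
    }
}
```

The practical consequence is that every node in a web farm must share the same machineKey (or a common data-protection provider), and anyone holding those keys can read every issued token, so key material deserves the same handling as a signing key.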