How to build secured api using ServiceStack as resource server with OAuth2.0?

Question

I have build a OAuth2.0 Authorization server using dotnetopenauth that will manage authentication, authorization, and assign accessToken to the caller. The caller will use the access token to access the api (webservices) at resource server. If follow the sample provided by dotnetopenauth in Resource Server, api that builded using WCF can be authenticated by OAuthAuthorizationManager

If using ServiceStack to build my api in Resource Server, how to build the authentication process that verify the incoming api request based on assigned OAuth2.0 access token? The functionality should similar to OAuthAuthorizationManager in the dotnetopenid sample and not based on login session.

Answer 1

Just some update

I didn't use the AuthenticateAttribute or RequiredRoleAttribute from ServiceStack.ServiceInterface.

I create 2 custom RequestFilterAttribute to replace the functions provided by AuthenticateAttribute and RequiredRoleAttribute.

In each custom RequestFilterAttribute's Execute method, I'm using method in dotnetopenauth to verify the access token.

//httpReq==req from Execute(IHttpRequest req, IHttpResponse res, object requestDto)

The code for the access token verification as following, reference the relevant documentation from both servicestack and dotnetopenauth for more info. ResourceServer is class from dotnetopenauth

HttpRequestBase reqBase = new HttpRequestWrapper((System.Web.HttpRequest)httpReq.OriginalRequest);

var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(AuthorizationServerPublicKey, ResourceServerPrivateKey));

IPrincipal ip = null;
resourceServer.VerifyAccess(reqBase, out ip);

If the ip is null then not authenticated, if not null, the incoming request is valid and can use the ip to check the role e.g. ip.IsInRole(requiredRole)

I'm not sure this is the correct way to do the checking or not, but it's works for me. Any better solution are welcome.