 

How to start with OAuth Client Credentials to protect WebApi using OWIN Oauth?

I am a newbie to OAuth 2.0.

I have read the OAuth 2.0 doc fairly thoroughly and I saw there are four types of methods for obtaining authorization.

Types of obtaining authorization:

1. Implicit Grant
2. Resource Owner Password Credentials Grant
3. Client Credentials Grant
4. Authorization Code Grant

In my case, I have a client application, a resource owner, a resource server and an authorization server.

The resource server is a website where the resource owner registers with his/her credentials.

The client application is a third-party website which registers with the resource server and gets the client application credentials for accessing it in future.

The authorization server checks the client credentials from the client app and grants an access token to the client app.

Let us consider the resource server as "www.serversite.com", the authorization server as "www.authserver.com" and the client application as "www.clientapp.com".

Flow:

Step 1: Also assume that www.serversite.com is a payment gateway site and the client has to integrate "www.serversite.com" into "www.clientapp.com" for creating, executing and refunding payments.

Step 2: So the client "www.clientapp.com" creates an app in server "www.serversite.com" and gets API credentials.

Step 3: Using these API credentials, the client "www.clientapp.com" makes an access token request to the auth server "www.authserver.com".

Step 4: If the API credentials from client app are valid then the auth server grants an access token.

Step 5: With this access token, the client app requests the resource server for further operations like creating payments as well as executing payments.

My questions:

I am using ASP.NET Web API for the authorization server and using OWIN.OAuth for generating the access token, refresh token, authorization and all the stuff needed to authorize the client app.

But, in this link (OWIN OAuth 2.0 Authorization Server), I found that the Web API authorizes the client app using "Resource Owner Password Credentials Grant", and the sample provided for implementing Owin.OAuth in Web API is great, but I have a lot of confusion roaming in my mind.

  • Which way of obtaining authorization is suitable for my process? (Client Credentials flow or Resource Owner Password Credentials flow)

  • How to implement Client Credentials Grant type using ASP.NET Web API(OWIN OAuth)?

  • Also, could you provide some samples or links that may be helpful for me?

Thanks in advance.

RajeshKannan asked May 19 '14 07:05




1 Answer

There's an example of how to get started on the asp.net website, specifically here:

http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

I quote:

using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Wired up in the sample via OnGrantClientCredentials on OAuthAuthorizationServerProvider;
// called by Katana for grant_type=client_credentials after the client has authenticated.
private Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
{
    // The token represents the client application itself: the client id is the subject,
    // and each requested scope becomes a "urn:oauth:scope" claim.
    var identity = new ClaimsIdentity(new GenericIdentity(
        context.ClientId, OAuthDefaults.AuthenticationType),
        context.Scope.Select(x => new Claim("urn:oauth:scope", x))
        );

    context.Validated(identity);

    return Task.FromResult(0);
}

Obviously you will need to go ahead and verify that the actual client id / secret exist, perhaps in a local database somewhere, before you go ahead and set the context to validated.

In terms of deciding which flow to use, you need to ask yourself: if the application is requesting access to your APIs on behalf of an actual user, then you need to use Resource Owner; however, if the application itself needs access, then Client Credentials is the way to go.

Generally speaking though, most implementations use Authorisation Code Flow, so if you can, from a security standpoint, get the users redirected to a page you host to take their credentials, as opposed to sending them over the wire via Resource Owner Flow.

gdp answered Sep 20 '22 20:09
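The answer quotes the grant callback but leaves the "verify the actual client id / secret" part to the reader. The following is an added example, written for this page and not taken from the answer above or from the ASP.NET sample, of a complete Katana provider for the Client Credentials grant as the question describes it (www.clientapp.com acting as itself, not on behalf of a user). It assumes the Microsoft.Owin.Security.OAuth package, a hypothetical in-memory client registry standing in for the database, and a hypothetical registered client "clientapp" whose secret is kept only as a SHA-256 hash; the scope names are likewise made up for the payment scenario.

```csharp
// Added example, not the original answer's code nor the ASP.NET sample. Assumes the
// Microsoft.Owin.Security.OAuth (Katana) package and a hypothetical client "clientapp".
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class RegisteredClient
{
    public byte[] SecretHash;               // SHA-256 of the secret; the raw secret is never stored
    public HashSet<string> AllowedScopes;   // scopes granted when the app was registered (step 2)
}

public class ClientCredentialsProvider : OAuthAuthorizationServerProvider
{
    // Hypothetical client store; replace with a database lookup.
    static readonly Dictionary<string, RegisteredClient> Clients = new Dictionary<string, RegisteredClient>
    {
        { "clientapp", new RegisteredClient {
            SecretHash = Sha256("s3cr3t-issued-at-registration"),        // hypothetical secret
            AllowedScopes = new HashSet<string> { "payments.create", "payments.execute", "payments.refund" } } }
    };

    public static byte[] Sha256(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s ?? ""));
    }

    // Constant-time comparison so a wrong secret fails in the same time however many bytes match
    // (CryptographicOperations.FixedTimeEquals does not exist on .NET Framework 4.5).
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Runs first for every /token request: authenticate the client application itself.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        RegisteredClient client;
        // RFC 6749 section 2.3.1 prefers HTTP Basic; client_id/client_secret form fields are also accepted.
        bool ok = (context.TryGetBasicCredentials(out clientId, out clientSecret)
                   || context.TryGetFormCredentials(out clientId, out clientSecret))
                  && Clients.TryGetValue(clientId, out client)
                  && FixedTimeEquals(client.SecretHash, Sha256(clientSecret));
        // One error for missing, unknown and wrong credentials: do not reveal which part failed.
        if (ok) context.Validated(clientId);
        else context.SetError("invalid_client", "client authentication failed");
        return Task.FromResult(0);
    }

    // Runs for grant_type=client_credentials, only after the client authenticated above.
    public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
    {
        var allowed = Clients[context.ClientId].AllowedScopes;
        var requested = context.Scope ?? new List<string>();
        // Reject the whole request if any requested scope was not registered for this client.
        var bad = requested.Where(s => !allowed.Contains(s)).ToList();
        if (bad.Count > 0)
        {
            context.SetError("invalid_scope", "scope not permitted: " + string.Join(" ", bad));
            return Task.FromResult(0);
        }
        // The token represents the client application, not a user: its subject is the client id
        // and the granted scopes travel as claims the resource server can check.
        var claims = new List<Claim> { new Claim(ClaimTypes.NameIdentifier, context.ClientId) };
        claims.AddRange(requested.Select(s => new Claim("urn:oauth:scope", s)));
        context.Validated(new ClaimsIdentity(claims, OAuthDefaults.AuthenticationType));
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new ClientCredentialsProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            AllowInsecureHttp = false        // the client secret travels in the request: TLS only
        });
        // Lets [Authorize]-protected Web API controllers accept the bearer tokens issued above.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
```

With this in place, www.clientapp.com performs steps 3 and 4 of the question with a single POST to https://www.authserver.com/token carrying an `Authorization: Basic base64(clientapp:secret)` header and the body `grant_type=client_credentials&scope=payments.create payments.execute`; the JSON response holds the bearer token it then sends as `Authorization: Bearer <token>` to www.serversite.com (step 5), where a controller can require a particular `urn:oauth:scope` claim before creating or executing a payment. Two caveats: Katana protects the token with the application's data-protection key (the machineKey under IIS), so if www.authserver.com and www.serversite.com are separate deployments they must share that key or a custom AccessTokenFormat for the resource server to read the token; and because the client secret is the only credential, it must be issued at registration over TLS and rotated if the client application is ever compromised.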