In Web API 2, you used to be able to create an endpoint to issue a token by setting up an OAuth Authorization Server via middleware like below:
//Set up our auth server options. var OAuthServerOptions = new OAuthAuthorizationServerOptions() { AllowInsecureHttp = true, TokenEndpointPath = new PathString("/token"), AccessTokenExpireTimeSpan = TimeSpan.FromDays(1), Provider = new SimpleAuthorizationServerProvider() }; // Sets up the token issue endpoint using the options above app.UseOAuthAuthorizationServer(OAuthServerOptions);
Perhaps I'm missing it, but I'm trying to figure out how to do this in ASP.NET Core. I've looked through the source (https://github.com/aspnet/Security) but I don't really see anything analogous. Is there a new way to accomplish this? Do I need to just create a controller and do it myself?
I see how OAuth Authentication can be set up via Middleware, but this regards the authorization portion where I issue claims from my API.
Many websites use OAuth to allow users to sign into their applications and other people's applications. ASP.NET Core comes with OAuth authentication middleware, that makes it easy to use a third party OAuth 2.0 server for login.
Authorization refers to the process that determines what a user is able to do. For example, an administrative user is allowed to create a document library, add documents, edit documents, and delete them. A non-administrative user working with the library is only authorized to read the documents.
Require authorization on a new API By default, the system is configured to easily require authorization for new APIs. To do so, create a new controller and add the [Authorize] attribute to the controller class or to any action within the controller.
EDIT (01/28/2021): AspNet.Security.OpenIdConnect.Server has been merged into OpenIddict as part of the 3.0 update. To get started with OpenIddict, visit documentation.openiddict.com.
Don't waste your time looking for an OAuthAuthorizationServerMiddleware
alternative in ASP.NET Core, the ASP.NET team simply decided not to port it: https://github.com/aspnet/Security/issues/83
I suggest having a look to AspNet.Security.OpenIdConnect.Server, an advanced fork of the OAuth2 authorization server middleware that comes with Katana 3: there's an OWIN/Katana 3 version, and an ASP.NET Core version that supports both the full .NET framework and .NET Core.
https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server
ASP.NET Core 1.x:
app.UseOpenIdConnectServer(options => { options.AllowInsecureHttp = true; options.TokenEndpointPath = new PathString("/token"); options.AccessTokenLifetime = TimeSpan.FromDays(1); options.TokenEndpointPath = "/token"; options.Provider = new SimpleAuthorizationServerProvider(); });
ASP.NET Core 2.x:
services.AddAuthentication().AddOpenIdConnectServer(options => { options.AllowInsecureHttp = true; options.TokenEndpointPath = new PathString("/token"); options.AccessTokenLifetime = TimeSpan.FromDays(1); options.TokenEndpointPath = "/token"; options.Provider = new SimpleAuthorizationServerProvider(); });
To learn more about this project, I'd recommend reading http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-introduction/.
Good luck!
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With