OAuth custom provider c#

Question

I need to create a my own OAUTH Provider, to validate third party application requests, i do not want to use Google, Twitter, LinkedIn, Microsoft providers. I have to create my own provider to authenticate request and return an access token to the client. But all the help on the net is related to external providers(Google, LinkedIn,Twitter, Facebook..). Can anyone help me achieve in creating my own custom Provider?

Answer 1

As Roland said if you get through the spec it pretty straight forward.

At a high level this is what you will need to do to support AuthCode grant pattern :

Assuming: Your application own the users.

• Issue clientid/secrets to each of the 3rd Party applications.
• On your server create end points for
  • authorize
  • token

When the client hits the authorize end point like below:

/authorize?response_type=code&client_id=<clientID>&state=xyz&redirect_uri=http://thirdparty.com

• Redirect the client to a login page.
• Validate the username/pwd provided by the user.
• If successful, call the 3rd Party clients redirect URI with authCode.
• If failure, call the 3rd Party clients redirect URI with error(pre-published).

Sample callback here https://thirdparty.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

Client will then call on the /token URI with authcode with something like below:

/token?grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=http://thirdparty.com

Generate a token, store it against the clientID, UserId and respond back with the token. Something like below

{
   "access_token":"2YotnFZFEjr1zCsicMWpAA",
   "token_type":"example",
   "expires_in":3600,
   "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
   "example_parameter":"example_value"
 }

When the 3rd party access your services/resources validate the token against the client and userid and grant or deny access.

This is to get started but there can be a lot more customization that you can do with scope and other OAuth2 patterns.