Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Share default OWIN tokens in .Net core

I have Authorization server which built on .NET 4.5.1 and use Microsoft.Owin.Security.OAuth Version=3.0.0 http://prntscr.com/hvwhl4 Tokens protected via machinkey (OAuthAuthorizationServerOptions.AccessTokenFormat is default). I also have many application-consumers(resource servers) on .NET 4.5.1 which validate these tokens http://prntscr.com/hvwwdu http://prntscr.com/hvwiwr. All these applications have the same machinkey in web.config

Now I try to build .net core 2.0 application and I need to use the same tokens from my Auth server(.net 4.5.1 owin 3.0.0). How can I validate and read claims from Microsoft.Owin.Security.OAuth(3.0.0) tokens in .net core 2.0?

One note: I can't change my Auth server and define DataProtector in Auth server. So I need to find a way how to "decode" OWIN tokens in .net core using existing machine key.

UPDATE: So I've opened issue on github https://github.com/aspnet/Security/issues/1592

Now It is closed and the answer was: "Closing because there are no plans to support this. You can use a 3rd party token server such as Identity Server to issue tokens that work with both systems. Or, you can write custom code for ASP.NET Core to handle the OWIN/Katana-style tokens."

I find a kind of solution. I use Autofac.Integration.Owin package and OAuthAuthorizationServerMiddleware in my Auth server to define in run time from which resource server I got the request and then define in which format I need to return token.

Please find below a piece of code from Autofac config in Auth server: enter image description here

like image 668
Alex Gorbel Avatar asked Jan 08 '18 15:01

Alex Gorbel


People also ask

What is OWIN in .NET core?

OWIN allows web apps to be decoupled from web servers. It defines a standard way for middleware to be used in a pipeline to handle requests and associated responses. ASP.NET Core applications and middleware can interoperate with OWIN-based applications, servers, and middleware.


1 Answers

I implemented a workaround with this package Owin.Token.AspNetCore.

var ticket = LegacyOAuthSecurityTokenHelper.GetTicket(token, new LegacyTokenAuthenticationOptions
    {
        DecryptionKey = "machineKey-DecryptionKey",
        ValidationKey = "machineKey-ValidationKey",
        EncryptionMethod = EncryptionMethod.AES, // Default AES
        ValidationMethod = ValidationMethod.HMACSHA256 // Default HMACSHA256
    }));

// Authenticate your user with ticket.Identity.Claims!
like image 185
turgayozgur Avatar answered Sep 29 '22 15:09

turgayozgur