I have created a Web API application with OAuth token authentication. This worked without issue when the token server was running on the same application as the service. However, I'd like to move the authorization service into its own application (VS project) and use it across several Web API projects I am working on. However, when I isolated the authorization logic into it's own project the original service no longer treats the tokens generated as valid. My question is, is it possible for one Web API project to generate a token for another one to validate? Here is my OWIN startup code for both the auth service and the original service
Auth Service:
public void Configuration(IAppBuilder app)
{
// For more information on how to configure your application, visit http://go.microsoft.com/fwlink/?LinkID=316888
HttpConfiguration config = new HttpConfiguration();
ConfigureOAuth(app);
WebApiConfig.Register(config);
app.UseWebApi(config);
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
}
private void ConfigureOAuth(IAppBuilder app)
{
OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
Provider = new SimpleAuthorizationServerProvider()
};
// Token Generation
app.UseOAuthAuthorizationServer(OAuthServerOptions);
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}
Original Service:
public void Configuration(IAppBuilder app)
{
ConfigureOAuth(app);
// For more information on how to configure your application, visit http://go.microsoft.com/fwlink/?LinkID=316888
HttpConfiguration config = new HttpConfiguration();
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
WebApiConfig.Register(config);
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
app.UseWebApi(config);
}
public void ConfigureOAuth(IAppBuilder app)
{
var oauthBearerOptions = new OAuthBearerAuthenticationOptions();
app.UseOAuthBearerAuthentication(oauthBearerOptions);
}
Just stumbled across this Q whilst researching this myself. The TL;DR answer is that Tokens are generated using the machineKey properties in the machine.config file: if you want to host on multiple servers you need to override this.
The MachineKey can be overridden in web.config :
<system.web>
<machineKey validationKey="VALUE GOES HERE"
decryptionKey="VALUE GOES HERE"
validation="SHA1"
decryption="AES"/>
</system.web>
Machine Keys should be generated locally - using an online service is not secure. KB Article for generating keys
Orginal ref for all this here http://bitoftech.net/2014/09/24/decouple-owin-authorization-server-resource-server-oauth-2-0-web-api
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With