Web Api OWIN - How to validate token on each request

Question

I have two applications

1. Client application build on ASP.NET MVC
2. Authentication server build on Web API + OWIN

Have planned authentication as follow

1. For user login client app will make a request to authication server with logged in credential.
2. Authication server will generate a token and will send back to client application.
3. Client application will store that token in local storage.
4. for each subsequent request client app will attached token kept in local storage in request header.

NOW, ON SERVER SIDE OF CLEINT APP I NEED TO VALIDATE THAT TOKEN COMES WITH EACH REQUEST IS NOT TEMPERED.

1. Please suggest me how to validate token in each request as i don't know the key the OWIN has used to generate the token.
2. Is is right to write code to validate token on client app or it should be on authication server.
3. I am planning to shift all user management code like register user, change password to authentication server so than we can re-use it for different client app- is it right design practice?

So far i have wrote below code to just to create a POC.

=========================OWIN configuration========

    [assembly: OwinStartup(typeof(WebApi.App_Start.Startup))]
    namespace WebApi.App_Start
    {
        public class Startup
        {
            public void Configuration(IAppBuilder app)
            {
                HttpConfiguration config = new HttpConfiguration();

                ConfigureOAuth(app);

                WebApiConfig.Register(config);
                app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
                app.UseWebApi(config);
            }

            public void ConfigureOAuth(IAppBuilder app)
            {
                OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
                {
                    AllowInsecureHttp = false,
                    TokenEndpointPath = new PathString("/token"),
                    AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
                    Provider = new SimpleAuthorizationServerProvider(),

         };

         // Token Generation

                app.UseOAuthAuthorizationServer(OAuthServerOptions);
                app.UseOAuthBearerAuthentication(new 
 OAuthBearerAuthenticationOptions());

            }
        }
    }

==============================oAuth Provided========================

 public class SimpleAuthorizationServerProvider: OAuthAuthorizationServerProvider
    {
        public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            context.Validated(); 
        }

        public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {


            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });

            using (AuthRepository _repo = new AuthRepository())
            {
                IdentityUser user =  _repo.FindUser(context.UserName, context.Password);

                if (user == null)
                {
                    context.SetError("invalid_grant", "The user name or password is incorrect.");
                    return;
                }
            }

            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim("sub", context.UserName));
            identity.AddClaim(new Claim("role", "user"));

            context.Validated(identity);

        }
    }

Please help,

Thanks,

@Paul

Answer 1

Please suggest me how to validate token in each request as i don't know the key the OWIN has used to generate the token.

Your current setup, were you have added the app.UseOAuthBearerAuthentication() to the owin pipeline, will authenticate the user from the bearer token which is passed on each request for you. The current user can then be found via HttpContext.Current.User.

Use the Authorize attribute to then decide which users are authorized on certain endpoints. Here's an example where users with the role "user" are allowed to access

[Authorize(Roles="user")]
public class ValuesController : ApiController
{
}

Is is right to write code to validate token on client app or it should be on authication server.

NO, you don't validate the token in client, if your user credentials are wrong you wont get a token at all. That's all you need to know. And also, why should you want to validate the token in the client?

I am planning to shift all user management code like register user, change password to authentication server so than we can re-use it for different client app- is it right design practice?

Reusing a token provider is common. Why invent the wheel for every application? Build one great, or use a third party, and reuse it across your applications.

Answer 2

Use JSON Web Tokens (JWT) and claims identities, not random tokens that require keeping track of the issued tokens.

A JWT is like a passport issued by a trusted authority. The passport is signed/stamped, and you can verify that it was issued by this trusted authority and that it has not been tampered with. That means, the integrity of the access-right claim present in the token can be verified without keeping state anywhere. The only communication that needs to happen between the trusting application and the authority is an initial (secure) download of the authority's public key (used for signing the tokens).

It's also advisable that you use a standard claims schema, like OpenID Connect ( http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims )

A good book on the topic, which helped me a lot getting an understanding of all these concepts, can be found here: A Guide to Claims-Based Identity and Access Control.