What is the difference between the ValidateClientAuthentication method and the GrantResourceOwnerCredentials method in OWIN OAuth?

I am a beginner to OAuth and OWIN in .NET. I was trying to understand the methods ValidateClientAuthentication and GrantResourceOwnerCredentials. I understood that the GrantResourceOwnerCredentials method can be used to validate credentials and generate a token. Then what is the purpose of the method ValidateClientAuthentication()? Kindly guide me regarding this. Thanks a lot.

```csharp
#region [GrantResourceOwnerCredentials]
// Called for grant_type=password: checks the resource owner's user name and password
// and, on success, issues the ticket that becomes the access token.
public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    return Task.Factory.StartNew(() =>
    {
        var userName = context.UserName;
        var password = context.Password;
        var userService = new UserService(); // our created one
        var user = userService.ValidateUser(userName, password);
        if (user != null)
        {
            var claims = new List<Claim>()
            {
                new Claim(ClaimTypes.Sid, Convert.ToString(user.Id)),
                new Claim(ClaimTypes.Name, user.Name),
                new Claim(ClaimTypes.Email, user.Email)
            };
            ClaimsIdentity oAuthIdentity = new ClaimsIdentity(claims, Startup.OAuthOptions.AuthenticationType);

            // CreateProperties is a helper defined elsewhere in this provider class.
            var properties = CreateProperties(user.Name);
            var ticket = new AuthenticationTicket(oAuthIdentity, properties);
            context.Validated(ticket);
        }
        else
        {
            context.SetError("invalid_grant", "The user name or password is incorrect");
        }
    });
}
#endregion

#region [ValidateClientAuthentication]
// Called before any grant handler: decides whether the *client* making the request is accepted.
// As written, a request that presents no client id is accepted as-is.
public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
    if (context.ClientId == null)
        context.Validated();

    return Task.FromResult<object>(null);
}
#endregion
```
Asked by Brillia on Dec 26 '17.

1 Answer

This is related to the Client Credentials Flow vs. the Resource Owner Password Credentials Flow in the OAuth 2.0 spec.

Remember that clients and resource owners are distinct entities under OAuth. Clients make requests on behalf of a resource owner.

In practice, you would want to use GrantResourceOwnerCredentials when you expect to accept an actual username and password and issue an access token.

ValidateClientAuthentication should be used to make sure that the client is what it says it is. You would do this perhaps if you have registered the client with an authorization server and need to verify that it is still valid.

Most code samples I've seen just call context.Validated() as you've done in your sample. I was able to find one blog post with a code sample that dives a little deeper. Check it out here: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/

Answered by Brian Merrell on Sep 30 '22.
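The distinction the answer draws, client authentication versus resource-owner authentication, is easiest to see with both hooks filled in. The following is an added example, not code from the question or the answer: a hypothetical `ExampleAuthorizationServerProvider` with a constructed in-memory client registry (`Clients`, a single `mobile-app` entry with a placeholder secret) and a hypothetical `verifyUser` delegate standing in for the question's `UserService.ValidateUser`. `ValidateClientAuthentication` verifies the client's id and secret (sent as HTTP Basic or as form fields) and calls `context.Validated(clientId)`; `GrantResourceOwnerCredentials` then checks that this client is allowed to use the password grant before verifying the end user. Compare this with the question's sample, where `if (context.ClientId == null) context.Validated();` accepts any request that sends no client id at all.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Hypothetical client record; a real application would load these from its own store.
public sealed class RegisteredClient
{
    public string ClientId { get; set; }
    public byte[] SecretHash { get; set; }       // SHA-256 of the client secret
    public bool AllowPasswordGrant { get; set; }  // may this client use grant_type=password?
}

public class ExampleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    // Hypothetical user check standing in for the question's UserService.ValidateUser.
    private readonly Func<string, string, bool> _verifyUser;

    // Constructed sample registry keyed by client_id; the secret is a placeholder.
    private static readonly Dictionary<string, RegisteredClient> Clients =
        new Dictionary<string, RegisteredClient>(StringComparer.Ordinal)
        {
            ["mobile-app"] = new RegisteredClient
            {
                ClientId = "mobile-app",
                SecretHash = Sha256("example-secret-change-me"),
                AllowPasswordGrant = true
            }
        };

    public ExampleAuthorizationServerProvider(Func<string, string, bool> verifyUser)
    {
        _verifyUser = verifyUser;
    }

    // Step 1: is the *client* who it claims to be? Runs before any grant handler.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        // OWIN exposes credentials sent as HTTP Basic auth or as client_id / client_secret
        // form fields; accept either, refuse the request if neither is present.
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret) &&
            !context.TryGetFormCredentials(out clientId, out clientSecret))
        {
            context.SetError("invalid_client", "Client credentials are required.");
            return Task.FromResult<object>(null);
        }

        RegisteredClient client;
        if (!Clients.TryGetValue(clientId, out client) ||
            !FixedTimeEquals(client.SecretHash, Sha256(clientSecret ?? string.Empty)))
        {
            // One error for both "unknown id" and "wrong secret" so the response reveals neither.
            context.SetError("invalid_client", "Unknown client or invalid secret.");
            return Task.FromResult<object>(null);
        }

        // Marks the client as authenticated; the grant handler sees it as context.ClientId.
        context.Validated(clientId);
        return Task.FromResult<object>(null);
    }

    // Step 2: is the *resource owner* (the end user) who they claim to be?
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        RegisteredClient client;
        if (!Clients.TryGetValue(context.ClientId ?? string.Empty, out client) || !client.AllowPasswordGrant)
        {
            context.SetError("unauthorized_client", "This client may not use the password grant.");
            return Task.FromResult<object>(null);
        }

        if (!_verifyUser(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult<object>(null);
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim("client_id", context.ClientId)); // which client obtained the token
        context.Validated(identity);
        return Task.FromResult<object>(null);
    }

    private static byte[] Sha256(string value)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(value));
    }

    // Constant-time comparison so the secret check's timing does not depend on where bytes differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Wire it up by passing `new ExampleAuthorizationServerProvider((u, p) => new UserService().ValidateUser(u, p) != null)` as `Provider` in `OAuthAuthorizationServerOptions`. Because the client check runs first, a token request with a bad or missing secret never reaches the user-credential check, and the `client_id` claim lets a resource server later tell which registered client obtained a given token.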