I am looking into using an ASP.NET Web API to set up request authentication with a bearer token. When you use the OWIN server middleware, where does the encryption key come from? How would the server revoke a token that has not expired?
3
- Are you looking at Server or Client? OAuthAuthorizationServerMiddleware or OAuthBearerAuthenticationMiddleware. In the case of the client, you need not revoke tokens, just validate them. The Data Protection API is used as the default encryption method. The middleware options need to provide an appropriate DataProtectionProvider and/or SecureDataFormat. – jd4u Oct 23 '13 at 05:17
- I am looking at the server side of accepting and issuing the bearer token. – Aaron Fischer Oct 23 '13 at 14:07
- What is the "encryption key"? Do you mean the access token? – Blaise Nov 27 '13 at 00:54
1 Answer
5
- The OWIN server middleware's default token data protection approach uses DPAPI (Data Protection API).
- For revoking tokens on the server side, a token store needs to be implemented. You can use `AccessTokenProvider.Create` to create and store the token.

Here is an example for such a scenario. Take these as example code snippets.
Register in Startup.cs
```csharp
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public void Configuration(IAppBuilder app)
{
    // PublicClientId and UserManagerFactory come from the Web API template's
    // ApplicationOAuthProvider setup and are not shown here.
    app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
    {
        AuthorizeEndpointPath = new PathString("/Authorize"),
        TokenEndpointPath = new PathString("/Token"),
        ApplicationCanDisplayErrors = true,
        Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
        AuthorizationCodeProvider = new MyAuthenticationTokenProvider(TokenType.Code),
        AccessTokenProvider = new MyAuthenticationTokenProvider(TokenType.Access),
        RefreshTokenProvider = new MyAuthenticationTokenProvider(TokenType.Refresh),
        AuthorizationCodeFormat = new MyFormatProvider("MyAudiences"),
        AccessTokenFormat = new MyFormatProvider("MyAudiences"),
        RefreshTokenFormat = new MyFormatProvider("MyAudiences")
    });
}
```
Provide encryption: this is based on the JwtFormat in the Katana project. The JwtFormat.Protect() method is still not supported, so you need to create your own implementation.
```csharp
using Microsoft.Owin.Security;

// You need to manage your key in this class
public class MyFormatProvider : ISecureDataFormat<AuthenticationTicket>
{
    private readonly string _allowedAudiences;

    public MyFormatProvider(string allowedAudiences)
    {
        _allowedAudiences = allowedAudiences;
    }

    // Placeholder: protect (encrypt/sign) the ticket with your own key here
    public string Protect(AuthenticationTicket data)
    {
        return "encrypted";
    }

    // Placeholder: validate and unprotect protectedText, then rebuild the ticket
    public AuthenticationTicket Unprotect(string protectedText)
    {
        return new AuthenticationTicket(new System.Security.Claims.ClaimsIdentity(), new AuthenticationProperties());
    }
}
```
Token Provider
```csharp
using Microsoft.Owin.Security.Infrastructure;

public enum TokenType { Code, Access, Refresh }

public class MyAuthenticationTokenProvider : AuthenticationTokenProvider
{
    private readonly TokenType tokenType;

    public MyAuthenticationTokenProvider(TokenType tokenType)
    {
        this.tokenType = tokenType;
    }

    public override void Create(AuthenticationTokenCreateContext context)
    {
        /* Create token, store token and ticket info */
        /* SetToken only assigns the token string handed to the client;
           context.SerializeTicket() is what runs MyFormatProvider.Protect() */
        context.SetToken("MyToken");
        base.Create(context);
    }

    public override void Receive(AuthenticationTokenReceiveContext context)
    {
        /* Retrieve token and ticket info to process */
        base.Receive(context);
    }
}
```
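A concrete version of the server-side token store the answer calls for, added here as an example and not the answerer's code: the client only ever receives an opaque random handle, the protected ticket stays on the server, and revocation deletes the entry so `Receive` yields no ticket even though the ticket inside has not expired. The class name `RevocableTokenProvider`, the `ConcurrentDictionary` store and the `Revoke` method are assumptions for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using Microsoft.Owin.Security.Infrastructure;

// Added example (not from the answer): an access-token provider that can revoke
// unexpired tokens because the token string is a lookup handle, not the ticket.
public class RevocableTokenProvider : AuthenticationTokenProvider
{
    // In-memory store for illustration only; a real deployment needs a shared,
    // persistent store so every web node sees the same handles and revocations.
    private readonly ConcurrentDictionary<string, string> _store =
        new ConcurrentDictionary<string, string>(StringComparer.Ordinal);

    public override void Create(AuthenticationTokenCreateContext context)
    {
        // 256-bit random handle, encoded so it is safe in headers and query strings.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string handle = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

        // SerializeTicket() runs the configured AccessTokenFormat.Protect()
        // (DPAPI by default, or MyFormatProvider above); SetToken only sets the string.
        _store[handle] = context.SerializeTicket();
        context.SetToken(handle);
    }

    public override void Receive(AuthenticationTokenReceiveContext context)
    {
        string protectedTicket;
        if (!_store.TryGetValue(context.Token, out protectedTicket))
            return; // unknown or revoked handle: no ticket, so the request stays unauthenticated

        // DeserializeTicket() runs AccessTokenFormat.Unprotect(); the bearer
        // middleware still rejects the ticket afterwards if ExpiresUtc has passed.
        context.DeserializeTicket(protectedTicket);
    }

    // Server-side revocation: the client may still hold the handle,
    // but it no longer resolves to a ticket.
    public bool Revoke(string handle)
    {
        string removed;
        return _store.TryRemove(handle, out removed);
    }
}
```

Register one instance as `AccessTokenProvider` on both `OAuthAuthorizationServerOptions` and `OAuthBearerAuthenticationOptions` so that the same store is consulted on issue and on receive, and keep a reference to it for a logout endpoint that calls `Revoke`.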