
(This question can be seen as a follow-up to these two StackOverflow posts about OpenAuth with DotNetOpenAuth in a ServiceStack scenario: first and second)

From what I understand, ServiceStack uses an IAuthSession to know which user is authenticated, but this seems to rely on the HTTP session cookie. With an OAuth request, no such cookie exists.

Question: I want my ServiceStack requests to be considered authenticated if 1) the browser cookie is present or 2) the OAuth Authentication Header Bearer is present. How should I do this?

I tried the following to set the thread's authentication, but it relies on ASP.NET's HttpContext.Current.User.

I'd also like it to work on both IIS hosted and Self-Hosted scenarios...

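```csharp
// Verify the token signature with the authorization server's public key and
// decrypt the token with the resource server's private key.
var analyzer = new StandardAccessTokenAnalyzer((RSACryptoServiceProvider)signCert.PublicKey.Key, (RSACryptoServiceProvider)encryptCert.PrivateKey);
var resourceServer = new ResourceServer(analyzer);
// Requires the underlying ASP.NET request, so this cast only works when hosted in IIS/ASP.NET.
var requestWrapper = new HttpRequestWrapper((HttpRequest)request.OriginalRequest);

// Validate the bearer token and the required scopes, then attach the principal to the ASP.NET context.
var principal = resourceServer.GetPrincipal(requestWrapper, requiredScopes);
HttpContext.Current.User = principal;
```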

Any help is appreciated.

dstj
  • Are you creating your custom oAuthProvider by extending the out-of-the-box provider? https://github.com/ServiceStack/ServiceStack/wiki/OpenId#creating-a-custom-openid-provider - where is the code written? – Prashant Lakhlani Nov 28 '13 at 05:13
  • No, I created a custom method attribute (`RequireOAuth2ScopeAttribute`) as suggested in the referenced SO post: http://stackoverflow.com/a/18323086/918244 – dstj Nov 28 '13 at 15:25
  • Also, from what I understand (I could be wrong), OAuthProvider classes are the actual openauth clients that use OAuth to log in a user (e.g. Twitter login, Facebook, etc.). In my case, ServiceStack *IS* the OAuth Provider, some other system is the client. – dstj Nov 28 '13 at 15:52

0 Answers