8

I am successfully using bearer token authentication for an ASP.NET Web API, as demonstrated in the default single page application template. But now I want to use the same Web API from a different site (a different URL).

When I make a request to the Web API AuthorizeEndpoint (by default /api/Account/ExternalLogin) from a different site, I get the error: invalid_request. I guess the problem is in the redirect_uri value, since changing it to the value of a site running on the same domain as the Web API resolves the problem.

The ValidateClientRedirectUri method in the application's OAuthAuthorizationServerProvider doesn't get fired. So, based on my search of the Katana source, the error originates in OAuthAuthorizationServerHandler.InvokeAuthorizeEndpointAsync.

Does anyone else have the same problems or am I doing something wrong?

Theresa
uross
  • I'm running into this same issue. Did you ever find a proper solution? – w.brian Mar 07 '14 at 02:01
  • I didn't. In the end I wrote a custom extension to OAuthAuthorizationServerProvider and used that flow instead of the implicit grant flow. If you need more information about that I can share it. But I noticed this article afterwards: [http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server](http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server). I didn't have time to read it yet, but maybe there is something useful. – uross Mar 08 '14 at 07:40
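As an added example (not code from the question, the template, or Katana itself), this is one way to make the redirect_uri decision explicit in the hook the question mentions: a hypothetical OAuthAuthorizationServerProvider whose ValidateClientRedirectUri accepts only URIs registered in advance for the calling client_id, by exact string match. The two client registrations and host names are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;

// Hypothetical provider: redirect_uri is accepted only if it exactly matches a
// value registered for that client_id (no prefix or wildcard matching).
public class AllowListOAuthProvider : OAuthAuthorizationServerProvider
{
    // client_id -> registered redirect URIs (constructed sample registrations)
    private static readonly IDictionary<string, string[]> RegisteredClients =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "spa-client", new[] { "https://spa.example.test/" } },
            { "other-site", new[] { "https://other.example.test/signin-callback" } }
        };

    public override Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
    {
        // Katana's authorize endpoint handler answers invalid_request on its own,
        // before this method runs, when redirect_uri is not an absolute URI,
        // carries a fragment, or is plain http while AllowInsecureHttp is false.
        // A breakpoint here is therefore never hit for those requests.
        string[] allowed;
        if (!string.IsNullOrEmpty(context.ClientId)
            && RegisteredClients.TryGetValue(context.ClientId, out allowed)
            && Array.IndexOf(allowed, context.RedirectUri) >= 0)
        {
            // Echo back the registered value; the token is later sent only there.
            context.Validated(context.RedirectUri);
        }
        else
        {
            context.Rejected();
        }
        return Task.FromResult<object>(null);
    }
}

// Wiring, mirroring the template's option names (paths shown are the defaults).
public static class OAuthConfig
{
    public static OAuthAuthorizationServerOptions Build()
    {
        return new OAuthAuthorizationServerOptions
        {
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            TokenEndpointPath = new PathString("/Token"),
            Provider = new AllowListOAuthProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            AllowInsecureHttp = false
        };
    }
}
```

Register the options in Startup with app.UseOAuthBearerTokens(OAuthConfig.Build()), as the template does; a second site then works only once its exact callback URL is added to the registry for its own client_id.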

2 Answers

3

The Katana OAuth middleware is not designed to be cross-application; it is mainly for "embedding" an OAuth authorization server into the business resource.

If you want a proper (free) authorization server, have a look here: https://github.com/thinktecture/Thinktecture.AuthorizationServer/wiki

leastprivilege
  • Thanks for the quick answer. Just to clarify: it is not possible to get an access token for a Web API application that is using the Katana OAuth middleware from another application (using the OAuth implicit flow, with Facebook as identity provider)? – uross Feb 10 '14 at 09:31
  • I don't know if it is not possible. But I certainly know that it wasn't designed for this use case. – leastprivilege Feb 10 '14 at 12:39
  • Simply not true, it's very useful in splitting sets and resource APIs. – Max Jul 22 '16 at 21:14
  • The token is always for a specific target and cannot be reused over different applications. Only if you use the client credential flow and force target URL acceptance in the STS. – Max Jul 22 '16 at 21:16
  • Is this really true??? Then what is this post about: http://stackoverflow.com/a/21358918/1129978 – Himalaya Garg Feb 26 '17 at 09:30
-1

The bearer token appears to be a hash into a claims hash, which is local to your application.

We are using a JWT token with a separate validation handler. It works cross-application.

Still looking for a better way, but for now it works.