
I am using a webapi project as my auth server and also resource server. The intention is to access the service from an Android app. I also want a web front end, which is being written in an MVC app. I originally used the default MVC auth but have moved to Web API handing out tokens. I can receive the auth token from the webapi service and I am sending the token to the client in a cookie, although I may just cache it client side. I currently have the following OAuthBearerAuthenticationProvider running:

// Bearer provider that also accepts the access token from an "AuthToken" cookie
// when the request carries no Authorization header.
public class CookieOAuthBearerProvider : OAuthBearerAuthenticationProvider
{
    public override Task RequestToken(OAuthRequestTokenContext context)
    {
        base.RequestToken(context);
        var value = context.Request.Cookies["AuthToken"];
        if (!string.IsNullOrEmpty(value))
        {
            context.Token = value;   // middleware will try to unprotect this value
        }
        return Task.FromResult<object>(null);
    }
}

and in my startup class I have this method:

private void ConfigureAuth(IAppBuilder app)
{
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
    {
        Provider = new CookieOAuthBearerProvider(),
    });
}

which I call in the Configuration method.

The bit I seem to be missing is how to tap into converting my token into the logged in user. I can't seem to figure out where the deserialization happens. I have tried changing my ConfigureAuth to:

private void ConfigureAuth(IAppBuilder app)
{
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
    {
        Provider = new CookieOAuthBearerProvider(),
        AccessTokenProvider = new AuthenticationTokenProvider()
        {
            OnReceive = receive   // called with the raw token on every request
        }
    });
}

// Attempt to turn the received token back into a ticket; c.Ticket stays null here.
public static Action<AuthenticationTokenReceiveContext> receive = new Action<AuthenticationTokenReceiveContext>(c =>
{
    c.DeserializeTicket(c.Token);
    c.OwinContext.Environment["Properties"] = c.Ticket.Properties;
});

and my receive method is being called. The AuthenticationTokenReceiveContext has my token attached, but the DeserializeTicket is returning null. Can anyone advise what I am missing to get the user details from this token?

UPDATE as per suggested answer below. The Startup code and OAuthBearerAuthenticationOptions now look like this:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureAuth(app);
        AreaRegistration.RegisterAllAreas();
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        BundleConfig.RegisterBundles(BundleTable.Bundles);
    }

    private void ConfigureAuth(IAppBuilder app)
    {
        // Keep the options in a static so the AccessTokenFormat can be reused elsewhere.
        OAuthOpt = new OAuthBearerAuthenticationOptions()
        {
            Provider = new CookieOAuthBearerProvider(),
            AccessTokenProvider = new AuthenticationTokenProvider()
            {
                OnReceive = receive
            }
        };
        app.UseOAuthBearerAuthentication(OAuthOpt);
    }

    public static Action<AuthenticationTokenReceiveContext> receive = new Action<AuthenticationTokenReceiveContext>(c =>
    {
        // Unprotect with the middleware's own format; still yields null in this setup.
        var ticket = OAuthOpt.AccessTokenFormat.Unprotect(c.Token);
    });

    public static OAuthBearerAuthenticationOptions OAuthOpt { get; private set; }
}

but I am still getting a null value out. Could I be missing some relevant option on the OAuthBearerAuthenticationOptions?

Luthervd

1 Answer

Try this.

Save the OAuthBearerAuthenticationOptions you are instantiating inline to a static variable named OAuthOpt (or anything you like) in Startup.Auth and use the code below wherever you want to retrieve the user information.

Microsoft.Owin.Security.AuthenticationTicket ticket = Startup.OAuthOpt.AccessTokenFormat.Unprotect(token);

I suggest you make use of Json Web Tokens (JWT) and customize the token generation using a CustomOAuthProvider. Here is a good resource from Taiseer Joudeh on how to do this. You will have to use this nuget package to decode the bearer tokens.

su8898
  • I wasn't using OAuthorizationServerOptions in Startup Auth. I haven't used the baked in stuff as I wanted to learn how to add this from scratch. At the moment I have only set up UseOAuthBearerAuthentication as I had no need to produce the token in the MVC app. Do I need to set up the OAuthAuthorizationServerOptions before I can deserialize the token? – Luthervd Jan 13 '15 at 12:26
  • Hi, I have tried this and the value out is still null. I have updated the question with the new code. Perhaps I am missing some relevant option from the OAuthBearerAuthenticationOptions setup? Both webApi and MVC app are running on the same test machine so I don't think it is the machine key deserialization issue. – Luthervd Jan 13 '15 at 12:55
  • What's the value of `c.Token` in your `receive` method? – su8898 Jan 13 '15 at 13:36
  • It's the protected token value from the web api project: T-ZM7z0VklZbg1aIDzM_vD4_QG3JRJn-gTq8dWGzljyUTieYxB_pKQRV5yjiESP0C295ZC52mE795R4q3dDVTyijWienTVobx25SZ4i1jJsrTsyMJLYYbHsZyJ992pZrFGgGs9gsfHTdwfY2ISgfI_veuuKnisuwjIPmbQNuWbpIORAIYT-Z_BlobVPCru_Rtl74PQivBxDOFcZ1tDHO_9RZmam32e3FRe6Iod3FIN0 – Luthervd Jan 13 '15 at 14:28
  • Sorry, I think I got something wrong here. Are you trying to deserialize the token from within the MVC client app? – su8898 Jan 13 '15 at 14:35
  • Yes, so the token is produced in a separate webapi web service and the token is sent to the MVC app. I am trying to deserialize the token in the MVC app. Appreciate I can attach more info to the token that goes to the client but thought it would be nice to tap into the user info - I presumed this was what was serialized into the token – Luthervd Jan 13 '15 at 14:50
  • Selecting as right answer as the suggested alternative is the right way to achieve what I wanted. It will also make things easier when I try to connect from Android. Thanks for the pointer. – Luthervd Jan 13 '15 at 21:16
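As an added illustration of the JWT route the answer points to (not code from either participant or from the linked article): the default AccessTokenFormat is tied to the issuing host's data-protection (machine) key, so a separate application cannot unprotect it, whereas a JWT signed with a key both apps share can be validated and its claims read by the MVC app. The class below is assumed to be set as OAuthAuthorizationServerOptions.AccessTokenFormat in the Web API and as OAuthBearerAuthenticationOptions.AccessTokenFormat in the MVC app; the class name, the System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.Tokens 5.x API and the configuration values are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;   // System.IdentityModel.Tokens.Jwt NuGet package
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;    // SymmetricSecurityKey, SigningCredentials, TokenValidationParameters
using Microsoft.Owin.Security;

// Assumed name. Assign to OAuthAuthorizationServerOptions.AccessTokenFormat in the Web API and to
// OAuthBearerAuthenticationOptions.AccessTokenFormat in the MVC app, built with the same values.
public class JwtTicketFormat : ISecureDataFormat<AuthenticationTicket>
{
    private readonly string _issuer, _audience;
    private readonly SymmetricSecurityKey _key;
    public JwtTicketFormat(string issuer, string audience, string base64Secret)
    {
        _issuer = issuer;
        _audience = audience;
        // Use at least 32 random bytes for HS256 and keep the secret in config, not in code.
        _key = new SymmetricSecurityKey(Convert.FromBase64String(base64Secret));
    }

    // Issuer side: the claims on the ClaimsIdentity created at login become JWT claims.
    public string Protect(AuthenticationTicket data)
    {
        DateTime now = DateTime.UtcNow;
        DateTime expires = data.Properties.ExpiresUtc.HasValue
            ? data.Properties.ExpiresUtc.Value.UtcDateTime : now.AddMinutes(30);
        var jwt = new JwtSecurityToken(_issuer, _audience, data.Identity.Claims, now, expires,
            new SigningCredentials(_key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // MVC side: signature, issuer, audience and lifetime are checked before any claim is trusted; null = anonymous.
    public AuthenticationTicket Unprotect(string protectedText)
    {
        var rules = new TokenValidationParameters
        {
            ValidIssuer = _issuer, ValidAudience = _audience, IssuerSigningKey = _key,
            ValidateLifetime = true, ClockSkew = TimeSpan.FromMinutes(2)
        };
        try
        {
            SecurityToken validated;
            ClaimsPrincipal principal = new JwtSecurityTokenHandler().ValidateToken(protectedText, rules, out validated);
            var props = new AuthenticationProperties { ExpiresUtc = validated.ValidTo };
            return new AuthenticationTicket((ClaimsIdentity)principal.Identity, props);
        }
        catch (SecurityTokenException) { return null; }   // expired, wrong issuer/audience or bad signature
        catch (ArgumentException) { return null; }        // not a well-formed JWT
    }
}
```

With this format in place the bearer middleware populates the request's identity from the validated claims, so no custom OnReceive callback is needed on the MVC side.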