52

In our Startup class, I have configured the following auth server options:

OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
    AllowInsecureHttp = true,
    TokenEndpointPath = new PathString("/api/v1/token"),
    AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
    Provider = new SimpleAuthorizationServerProvider()
};

After this, which option are we supposed to use to actually enable bearer authentication? There seem to be two variations on the Internet.

Option 1:

app.UseOAuthAuthorizationServer(OAuthServerOptions);
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

Option 2:

app.UseOAuthBearerTokens(OAuthServerOptions);

I have tested them both and the results are the same.

What are the difference between these options? When are we supposed to use which?

Dave New
  • 38,496
  • 59
  • 215
  • 394

1 Answers1

55

The UseOAuthBearerTokens extension method creates both the token server and the middleware to validate tokens for requests in the same application.

Pseudocode from source using reflector:

UseOAuthAuthorizationServer(); // authorization server middleware
UseOAuthBearerAuthentication(ApplicationOAuthBearerProvider); // application bearer token middleware           
UseOAuthBearerAuthentication(ExternalOAuthBearerProvider); // external bearer token middleware
Alberto Spelta
  • 3,578
  • 2
  • 21
  • 20