
I am trying to implement a server for issuing web tokens using ASP.NET WebApi. I've found a great tutorial on how to do this step by step, and everything is working fine, except I need to change some values in the HTTP response.

This is a picture of a call where user credentials are checked: if the user exists in the database he gets a token, and if he doesn't he gets an HTTP 401 error.


Here is also a closer picture of the body of the response, because it is too small in the previous picture:


My question is: is there any chance to change the name of the `access_token` property inside the returned JSON to `auth_token`? I need to use a different name because later in the project I will have one more token, and its name has to be `access_token` too. My second question is: can I change the date format for the `.issued` and `.expires` properties? For example, to `yyyy-MM-dd`?

I've used this tutorial: http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/

So the code is exactly the same. I am trying to track the creation of the response with the debugger, but I don't have a clear vision of where it could be. I guess it is inside the `SimpleAuthorizationServerProvider` class, but I can't find an explicit setup of these properties anywhere in the project, so I guess the response is created automatically.

Panagiotis Kanavos
nemo_87
  • I have not done this before, but you could consider transforming the response before it's sent to the client? – Intrepid Feb 25 '15 at 07:55
  • @Intrepid The problem is that I've never used security in WebApi (or WebApi), and I'm not sure how or where to do that...:( – nemo_87 Feb 25 '15 at 07:56
  • All the information is being created by something that is creating Claims... so look for that. It will be doing a `context.Validated`. It's all about setting up the Identity. – Callum Linington Feb 25 '15 at 08:07
  • @CallumLinington No, I don't want to change it in JavaScript, that has no use at all... I want to find out how to change it in WebApi before it is sent to the client... – nemo_87 Feb 25 '15 at 08:08
  • Why do you want to change the names of these properties? If they are part of OAuth, they are expected to have these specific names and formats. They aren't meant for display – Panagiotis Kanavos Feb 25 '15 at 08:09
  • Like @PanagiotisKanavos said, it is all OAuth producing this as a standard. – Callum Linington Feb 25 '15 at 08:10
  • @PanagiotisKanavos Don't know if it is the proper place to say... But I think that my boss doesn't have a clue what he wants... I was also pretty sure that these properties are part of the standard, too...:-/ – nemo_87 Feb 25 '15 at 08:11
  • Before blaming the boss try to understand the real requirement. There may be a need to use a different protocol, display the data somewhere or store it. Web API supports many authorization providers and you can even create your own. The article shows using just one type of token. What kinds of tokens do you want to issue? – Panagiotis Kanavos Feb 25 '15 at 08:17
  • @PanagiotisKanavos Implementation says: No matter what token... So I can use this one too. – nemo_87 Feb 25 '15 at 08:27
  • Consider that if you do change the property names in the OAuth response you would still have to change them back to their original names before the request reaches OAuth. Having said that I don't see the benefit in changing the property names. – Intrepid Feb 25 '15 at 08:36
  • @Intrepid yes, I realize that, and it is messy, pointless work too... Thanks for the advice, all :) – nemo_87 Feb 25 '15 at 08:38
  • @PanagiotisKanavos if you really need to do this you could take a look at [this](http://www.strathweb.com/2012/05/implementing-message-handlers-to-track-your-asp-net-web-api-usage/) which explains how to change HTTP responses, but I'd advise against doing this for reasons discussed here. – Intrepid Feb 25 '15 at 08:52

1 Answer

While changing the name or the format of the standard token response parameters is definitely not a good idea, here's a way to do it anyway: https://stackoverflow.com/a/28683971/542757

Basically, you'll have to use the `TokenEndpointResponse` notification and provide your own JSON payload. Sadly, there's a bug that prevents it from working with the OAuth2 authorization server built into Katana 3. You can take a look at a fork I developed with @manfredsteyer; it includes a fix that allows this kind of scenario: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/tree/dev

Community
Kévin Chalet
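
The response-transformation approach raised in the comments, written as OWIN middleware that buffers the token endpoint's output and rewrites the JSON before it reaches the client. This is an added example, not code from the tutorial or from the answer's author; the class name `TokenResponseRewriter` and the `/token` endpoint path are assumptions, and it presumes `.issued` and `.expires` are emitted as date strings.

```csharp
using System;
using System.Globalization;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example (hypothetical class): rewrites the token endpoint's JSON body.
public class TokenResponseRewriter : OwinMiddleware
{
    private static readonly PathString TokenPath = new PathString("/token"); // assumed endpoint path
    public TokenResponseRewriter(OwinMiddleware next) : base(next) { }

    public override async Task Invoke(IOwinContext context)
    {
        if (!context.Request.Path.Equals(TokenPath)) { await Next.Invoke(context); return; }
        Stream original = context.Response.Body;
        using (var buffer = new MemoryStream())
        {
            context.Response.Body = buffer;              // capture what the OAuth server writes
            try { await Next.Invoke(context); }
            finally { context.Response.Body = original; } // always restore the real stream

            string body = Encoding.UTF8.GetString(buffer.ToArray());
            if (context.Response.StatusCode == 200)      // leave error responses untouched
                body = Rewrite(body);
            byte[] bytes = Encoding.UTF8.GetBytes(body);
            context.Response.ContentLength = bytes.Length; // body length changed, so fix the header
            await original.WriteAsync(bytes, 0, bytes.Length);
        }
    }

    // Pure transformation, kept separate so it can be unit tested without a host.
    public static string Rewrite(string json)
    {
        JObject payload = JObject.Parse(json);
        JProperty token = payload.Property("access_token");
        if (token != null) token.Replace(new JProperty("auth_token", token.Value));
        foreach (string name in new[] { ".issued", ".expires" })
        {
            DateTimeOffset when;   // skipped when the property is missing or not a date
            if (DateTimeOffset.TryParse((string)payload[name], CultureInfo.InvariantCulture,
                                        DateTimeStyles.AssumeUniversal, out when))
                payload[name] = when.UtcDateTime.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture);
        }
        return payload.ToString(Formatting.None);
    }
}
```

Register it with `app.Use<TokenResponseRewriter>()` before `app.UseOAuthAuthorizationServer(...)` so that it wraps the token endpoint. Clients that follow the standard OAuth2 token response will no longer find `access_token` in the rewritten body, which is the drawback the comments and the answer point out.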