70

In Web API 2, you used to be able to create an endpoint to issue a token by setting up an OAuth Authorization Server via middleware like below:

//Set up our auth server options.
var OAuthServerOptions = new OAuthAuthorizationServerOptions()
            {
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
                Provider = new SimpleAuthorizationServerProvider()
            };

 // Sets up the token issue endpoint using the options above
 app.UseOAuthAuthorizationServer(OAuthServerOptions);

Perhaps I'm missing it, but I'm trying to figure out how to do this in ASP.NET Core. I've looked through the source (https://github.com/aspnet/Security) but I don't really see anything analogous. Is there a new way to accomplish this? Do I need to just create a controller and do it myself?

I see how OAuth Authentication can be set up via Middleware, but this regards the authorization portion where I issue claims from my API.

Set
  • 47,577
  • 22
  • 132
  • 150
swannee
  • 3,346
  • 2
  • 24
  • 40
  • perhaps this could help. it's an answer with thinktecture's identity server : http://stackoverflow.com/questions/29360563/asp-net-5-oauth-bearer-token-authentication/29487480#29487480 – Cedric Dumont Apr 07 '15 at 08:51
  • Thanks @CedricDumont, I was looking for something integrated, but I've considered Thinktecture. End of day that may be what I go with. It's very solid. – swannee Jun 12 '15 at 02:18

2 Answers2

88

EDIT (01/28/2021): AspNet.Security.OpenIdConnect.Server has been merged into OpenIddict as part of the 3.0 update. To get started with OpenIddict, visit documentation.openiddict.com.

Don't waste your time looking for an OAuthAuthorizationServerMiddleware alternative in ASP.NET Core, the ASP.NET team simply decided not to port it: https://github.com/aspnet/Security/issues/83

I suggest having a look to AspNet.Security.OpenIdConnect.Server, an advanced fork of the OAuth2 authorization server middleware that comes with Katana 3: there's an OWIN/Katana 3 version, and an ASP.NET Core version that supports both the full .NET framework and .NET Core.

https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server

ASP.NET Core 1.x:

app.UseOpenIdConnectServer(options =>
{
    options.AllowInsecureHttp = true;
    options.TokenEndpointPath = new PathString("/token");
    options.AccessTokenLifetime = TimeSpan.FromDays(1);
    options.TokenEndpointPath = "/token";
    options.Provider = new SimpleAuthorizationServerProvider();
});

ASP.NET Core 2.x:

services.AddAuthentication().AddOpenIdConnectServer(options =>
{
    options.AllowInsecureHttp = true;
    options.TokenEndpointPath = new PathString("/token");
    options.AccessTokenLifetime = TimeSpan.FromDays(1);
    options.TokenEndpointPath = "/token";
    options.Provider = new SimpleAuthorizationServerProvider();
});

To learn more about this project, I'd recommend reading http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-introduction/.

Good luck!

Kévin Chalet
  • 39,509
  • 7
  • 121
  • 131
  • 1
    This is really what I was looking for...perhaps this question will help other people find this project. Thanks to those working on this! – swannee Mar 19 '15 at 14:11
  • You're welcome! It's still a young project, but I hope to release a RC version soon on NuGet.org (I still need to introduce a few breaking branches in the vNext version, that I also want to backport to OWIN/Katana 3, so it might need a few weeks more). Don't hesitate to ping me here, on GitHub or on JabbR if you have any question or if you want to share your feedback ;) – Kévin Chalet Mar 19 '15 at 19:03
  • @Pinpoint, you've been doing some impressive work there! I managed to build out a token provider using the default packages, and detailed it here: http://stackoverflow.com/a/29698502/195653, but I feel like the OpenIdConnect server is probably the better way to go! – Matt DeKrey Apr 17 '15 at 12:17
  • older question, but you might want to also check out IdentityServer4 - it just entered beta for Asp.Net Core http://leastprivilege.com/2016/01/11/announcing-identityserver-for-asp-net-5-and-net-core/ – Ron DeFreitas Feb 19 '16 at 22:39
  • 3
    Can I implement same functionality in .NET core 2.0, I tried but getting error TypeLoadException: Could not load type 'Microsoft.AspNetCore.Builder.AuthenticationOptions' from assembly 'Microsoft.AspNetCore.Authentication, Version=2.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60'. – NikhilGoud Sep 14 '17 at 12:23
  • The AspNet.Security.OpenIdConnect.Server project hasn't been updated in almost a year, so it seems to have been abandoned. The same author seems to have replaced it with https://github.com/openiddict/openiddict-core. – computercarguy Aug 29 '19 at 23:55
  • @computercarguy OpenIddict 1.x/.2x uses AspNet.Security.OpenIdConnect.Server (aka ASOS) internally. Starting with 3.0, ASOS will indeed be merged into OpenIddict (it's still a WIP). More information there: https://github.com/openiddict/openiddict-core/issues/736 – Kévin Chalet Aug 30 '19 at 00:20
  • can this be made to work with asp.net core on .net 6? – Stephen Swensen Sep 21 '22 at 17:43
4

For anyone still looking for the original OAuth Authorization Server in ASP.NET 5, I have ported the code and the original sample here: https://github.com/XacronDevelopment/oauth-aspnet

The port includes backwards compatibility to allow ASP.NET 4.x resource servers to read the access tokens created by the authorization server.

The nuget packages are here: https://www.nuget.org/packages/OAuth.AspNet.AuthServer https://www.nuget.org/packages/OAuth.AspNet.Tokens https://www.nuget.org/packages/OAuth.Owin.Tokens

Xacron
  • 341
  • 4
  • 11
  • 11
    Katana's authorization server had many unsolved bugs, still listed on the Codeplex tracker. I took a brief look at your fork and it seems that you've fixed none of them. If you're still looking for the "original authorization server", take a look at `AspNet.Security.OpenIdConnect.Server`, it offers the same experience but fixes all the known bugs Katana's server had. – Kévin Chalet Sep 30 '15 at 18:07