
I would like to know how to use the same token from two sites (AngularJS Tool + API) on an (MVC Tool + API):

That's the structure of my project:

1. Angular Tool "Main Site"

I'm using the (2. Authorization API) to be authorized and the (3. Angular Tool API) to retrieve data. The user could be redirected to the (4. MVC Tool + API).

2. Authorization API

I'm going to Google in order to validate the user, and once the user is valid I'm generating an OAuthBearerAuthentication token that will be used by the (1. Angular Tool).

3. Angular Tool API

In order to know that the user is authorized I'm using OWIN, so in each request I'll find attached to the header the token generated by the (2. Authorization API).

4. MVC Tool + API "Second Site"

That's another application, completely different, but I would like to use the same token that I'm using on the (1. Angular Tool) main site, which means that from the main application I'll be redirected here.

I would like to let the second site (MVC and API controllers) work with the same credentials, but I have not found a good way to share the token and do that.

user1520494

1 Answer

In order to share tokens you need to use an ISecureDataFormat<AuthenticationTicket> that both applications understand.

This can be easily achieved with the default TicketDataFormat and an implementation of an IDataProtector that will be able to Protect/Unprotect identically on both sites.

OWIN (Katana) uses a DpapiDataProtector tied to the CurrentUser and the 'host.AppName' app property, which makes it unique unless you set both sites to have the same name and the same user, which is not ideal.

But implementing your own protector is easy enough. Here is an implementation that will protect the data with a LocalMachine scope.

using System.Security.Cryptography;
using Microsoft.Owin.Security.DataProtection;

namespace MyApp.Owin
{
    public class LocalMachineDpapiDataProtector : IDataProtector
    {
        private readonly DpapiDataProtector protector;

        internal LocalMachineDpapiDataProtector(string appName, string[] purposes)
        {
            protector = new DpapiDataProtector(appName, "Microsoft.Owin.Security.DataProtection.IDataProtector", purposes)
            {
                Scope = DataProtectionScope.LocalMachine
            };
        }

        public byte[] Protect(byte[] userData)
        {
            return protector.Protect(userData);
        }

        public byte[] Unprotect(byte[] protectedData)
        {
            return protector.Unprotect(protectedData);
        }
    }
}

And here is how to set up both your authentication server and middleware.

Auth server:

var ticketDataFormat = 
    new TicketDataFormat(
        new LocalMachineDpapiDataProtector(
            "MyApp",
            new string[] { "OAuth" }));

app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
{
    /*... your auth server settings*/
    AccessTokenFormat = ticketDataFormat
});

Auth middleware:

//note that we use a data format that is setup in the same manner
var ticketDataFormat = 
    new TicketDataFormat(
        new LocalMachineDpapiDataProtector(
            "MyApp",
            new string[] { "OAuth" }));

app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
    /*... your auth middleware settings*/
    AccessTokenFormat = ticketDataFormat
});

Note that by using this LocalMachineDpapiDataProtector you need to deploy both sites on the same machine. If not, you would need to use an IDataProtector with a different protection strategy. See this implementation of AesDataProtector.
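For the case where the two sites cannot share a machine, here is an added example (not the answer's or Katana's own code) of a protector keyed from a secret both sites hold, in the spirit of the AesDataProtector the answer refers to. The class name is hypothetical; it assumes both sites load the same master key from configuration shared out of band and construct the protector with the same purposes (e.g. "OAuth") before handing it to TicketDataFormat.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Owin.Security.DataProtection;
// Shared-secret protector (hypothetical name): AES-256-CBC, then HMAC-SHA256 over IV + ciphertext, with
// purpose-bound subkeys. Both sites build it from the same master key (assumed to come from shared config).
public class SharedKeyAesDataProtector : IDataProtector
{
    private const int IvLen = 16, TagLen = 32;
    private readonly byte[] encKey, macKey;
    public SharedKeyAesDataProtector(byte[] masterKey, params string[] purposes)
    {
        using (var kdf = new HMACSHA256(masterKey))
        {
            string label = string.Join("|", purposes); // e.g. "OAuth", the same purposes on both sites
            encKey = kdf.ComputeHash(Encoding.UTF8.GetBytes("enc|" + label));
            macKey = kdf.ComputeHash(Encoding.UTF8.GetBytes("mac|" + label));
        }
    }
    public byte[] Protect(byte[] userData)
    {
        using (var aes = Aes.Create())
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey; aes.GenerateIV(); // fresh random IV per ticket
            byte[] cipher;
            using (var enc = aes.CreateEncryptor()) cipher = enc.TransformFinalBlock(userData, 0, userData.Length);
            var output = new byte[IvLen + cipher.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, output, 0, IvLen);
            Buffer.BlockCopy(cipher, 0, output, IvLen, cipher.Length);
            Buffer.BlockCopy(hmac.ComputeHash(output, 0, IvLen + cipher.Length), 0, output, IvLen + cipher.Length, TagLen);
            return output;
        }
    }
    public byte[] Unprotect(byte[] protectedData)
    {
        // Check the tag before decrypting; a null result makes TicketDataFormat treat the ticket as invalid.
        if (protectedData == null || protectedData.Length < IvLen + 16 + TagLen) return null;
        int bodyLen = protectedData.Length - TagLen, diff = 0;
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(protectedData, 0, bodyLen);
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ protectedData[bodyLen + i]; // constant-time compare
        if (diff != 0) return null;
        byte[] iv = new byte[IvLen];
        Buffer.BlockCopy(protectedData, 0, iv, 0, IvLen);
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(encKey, iv))
            return dec.TransformFinalBlock(protectedData, IvLen, bodyLen - IvLen);
    }
}
```

Wire it up exactly like the DPAPI version above: pass an instance to new TicketDataFormat(...) as AccessTokenFormat in both the authorization server and the bearer middleware, and rotate the master key on both sites together.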

Angel Yordanov