I am developing an application using ASP.Net MVC6 and I would like to implement OAuth 2 auth using bearer tokens. I can't find any solid information on whether or not this is possible. Would anyone be able to point me in the right direction?
-
See this [post](http://stackoverflow.com/questions/29055477/oauth-authorization-service-in-asp-net-mvc-6), looks like they didn't include it. – scheien Jun 23 '15 at 18:25
1 Answer
TL;DR: the official packages developed by Microsoft for ASP.NET Core only support OAuth2 bearer token validation.
This means that...
- ... you'll be able to authenticate your users using bearer tokens issued by an external identity provider (like Azure Active Directory) with the `Microsoft.AspNetCore.Authentication.JwtBearer` package:

```csharp
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    Audience = "http://localhost:50000/",

    // Authority is only useful if your JWT tokens
    // are issued by an OpenID Connect server.
    Authority = "[OpenID Connect provider address]",

    // If you don't use an OpenID Connect server, you have to manually update the
    // token validation parameters with the issuer's signing key.
    TokenValidationParameters = new TokenValidationParameters
    {
        IssuerSigningKey = new X509SecurityKey(certificate)
    }
});
```

That said, only JWT tokens are now supported OTB: the OAuth2 bearer middleware shipped with Katana 3 used to natively support opaque tokens produced by the OAuth2 authorization server, but this support has been removed.
- ... you won't be able to produce your own tokens anymore. The OAuth2 authorization server has been removed and won't be ported to ASP.NET Core: OAuth Authorization Service in ASP.NET Core.
Luckily, alternatives exist. I'm personally developing an OpenID Connect server middleware based on the OAuth2 server shipped with Katana, that offers the same low-level experience: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server
For more information, you can take a look at this SO answer: Configure the authorization server endpoint
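
The checks that the manually configured `TokenValidationParameters` stand for (signing key, audience, issuer), shown as an added example that is not part of the original answer, by calling `JwtSecurityTokenHandler` directly on three tokens. It assumes a current .NET SDK with the `System.IdentityModel.Tokens.Jwt` package; the issuer URL, the `other-api.example` audience, the certificates and the tokens are constructed for the demo.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

static class BearerValidationDemo
{
    const string Audience = "http://localhost:50000/";  // audience used in the answer
    const string Issuer = "https://issuer.example/";    // constructed placeholder issuer
    static readonly JwtSecurityTokenHandler Handler = new JwtSecurityTokenHandler();

    static void Main()
    {
        using (var issuerKey = RSA.Create(2048))
        using (var otherKey = RSA.Create(2048))
        {
            // Constructed throwaway certificates; a real API loads the issuer's certificate.
            var certificate = SelfSigned(issuerKey);
            var untrusted = SelfSigned(otherKey);
            var parameters = new TokenValidationParameters
            {
                ValidIssuer = Issuer,
                ValidAudience = Audience,
                IssuerSigningKey = new X509SecurityKey(certificate)
            };
            Console.WriteLine(Check(Sign(certificate, Audience), parameters));  // trusted key, right audience
            Console.WriteLine(Check(Sign(certificate, "http://other-api.example/"), parameters));  // token meant for another API
            Console.WriteLine(Check(Sign(untrusted, Audience), parameters));    // signed with a key the API does not trust
        }
    }

    static X509Certificate2 SelfSigned(RSA key) =>
        new CertificateRequest("CN=demo", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            .CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));

    // Signs a short-lived test token so the validation below has input to work on.
    static string Sign(X509Certificate2 cert, string audience) =>
        Handler.WriteToken(new JwtSecurityToken(Issuer, audience, new[] { new Claim("sub", "alice") },
            notBefore: DateTime.UtcNow.AddMinutes(-1), expires: DateTime.UtcNow.AddMinutes(10),
            signingCredentials: new SigningCredentials(new X509SecurityKey(cert), SecurityAlgorithms.RsaSha256)));

    static string Check(string jwt, TokenValidationParameters parameters)
    {
        try { Handler.ValidateToken(jwt, parameters, out SecurityToken _); return "accepted"; }
        catch (SecurityTokenException ex) { return "rejected: " + ex.GetType().Name; }
    }
}
```

Only the first token passes; the other two are rejected with a `SecurityTokenException` subclass naming the failed check.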

-
I'm a bit confused still; can we generate our own JWTs? I'm designing a Web API at the moment and I don't know what I'm going to do being I want to be able to provide authentication tokens. I don't want to have users logging in through a third party like GitHub. – Alex Justi Jul 06 '15 at 05:40
-
With the security middleware offered natively by ASP.NET 5? No. With a third party server? Yes. – Kévin Chalet Jul 06 '15 at 09:02
-
That's a real inconvenience when developing a REST API. I'll probably end up designing my own system. – Alex Justi Jul 06 '15 at 15:52
-
You should give this sample a look: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/vNext/samples/Mvc/Mvc.Server/Startup.cs#L105-L121. It uses the project I mentioned in my answer (OpenIdConnectServerMiddleware), which is basically the equivalent of `OAuthAuthorizationServerMiddleware` in ASP.NET 5. – Kévin Chalet Jul 06 '15 at 15:54
-
@Pinpoint - know this is a little old, but I can not find any solution anywhere. In your example where is "certificate" defined? I have a string base64 encoded key I used to use, now that I need a cert I am lost at figuring out how to convert the string key I used to use into a 509 cert – Scott Selby Dec 14 '15 at 19:58
-
@ScottSelby the `certificate` variable is a `X509Certificate2` instance (that you can create from a file) but there are other overloads that support extracting the certificate [from an embedded resource in the assembly](https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Nancy/Nancy.Server/Startup.cs#L102-L105) or from the X509 machine store (the best option). That said, I'm not sure your "base64-encoded key" is a X509 certificate. If you want to generate your own certificate, please take a look at https://msdn.microsoft.com/en-us/library/ff699202.aspx. – Kévin Chalet Dec 14 '15 at 20:27