10

I need to update my MVC process to allow for an external OAuth process, as described in tutorials such as this one. However, every tutorial I find uses Facebook/Twitter/Microsoft, which are already built-in functions. I need to use a different server and pass in a token. And I'm a client, not a server.

My setup is using the standard SPA project, with a login, etc. I will have to have it redirect to a page with the refresh token and store that refresh token for my future requests to an API. I have no problem with this, I simply cannot do the first OAuth call. And it seems I'm not the only one having this trouble.

For this request to the OAuth 2.0 provider, I will have to add an access token to the request, then the user can login and click allow/deny.

    POST {TokenPath} HTTP/1.1
    Host: {AuthorizationServer}
    Authorization: Basic {ThirdPartyAuthorizationCode}
    Content-Type: application/x-www-form-urlencoded

    grant_type = authorization_code

Then I will get a response from the POST with access_token and an expiration date.

So, how do I do that?

ekad
Kat
  • See: http://www.oauthforaspnet.com/ – Brendan Green Jun 23 '16 at 21:40
  • @BrendanGreen Hi Brendan, thanks but none of those providers are the ones I'm looking to connect to. It's an internal server. Thanks! – Kat Jun 24 '16 at 15:21
  • See: [ASP.Net MVC: Creating an OAuth password grant type token endpoint](http://www.hackered.co.uk/articles/asp-net-mvc-creating-an-oauth-password-grant-type-token-endpoint) I've done this before (in a different situation) so if that article is useful let me know to post my entire code as an answer – Hamed Jun 24 '16 at 19:28
  • @Hameds I'm sorry, but I'm a little confused on how I would be adding the custom header/token to the request in the "app.UseOauth..." section in the startup. We're not making a provider, we're the client side. Ergo, where would I insert the custom header's values? – Kat Jun 27 '16 at 21:27
  • Check Kai Hartmann's answer on this thread - http://stackoverflow.com/questions/26755573/how-to-implement-oauth2-server-in-asp-net-mvc-5-and-web-api-2 See if this helps. – Sanket Jun 29 '16 at 04:32
  • How are the authentication data sent from the provider to your application? httpheaders? And what info do you get from the provider? – Marcus Höglund Jun 29 '16 at 06:25
  • 1
    You are trying to use the ClientCredentials flow, which is intended to be used not with a browser, but in the backend. Consider using the Implicit flow https://aaronparecki.com/2012/07/29/2/oauth2-simplified – Chizh Jun 29 '16 at 15:46
  • @MarcusH They are sent manually when registering as an application externally/manually. – Kat Jun 30 '16 at 17:34
  • @Chizh it's actually the OAuth2 authorization code flow (i.e. grant_type = authorization_code), so unfortunately Implicit wouldn't work in this case. I sadly put the wrong one in the question, and will correct now. – Kat Jun 30 '16 at 17:34
  • Why won't it work? And what do you mean by 'first OAuth call'? – Chizh Jun 30 '16 at 22:57
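
The authorization code exchange the question describes, as an added example that is not part of the original post or its answers. It assumes a provider that follows RFC 6749 section 4.1, Basic client authentication with a client id and secret, and Json.NET for parsing; the class name, URLs, credentials and redirect URI are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq; // assumption: Json.NET, as shipped in the MVC templates

public static class OAuthCodeClient // hypothetical helper, not from the question
{
    // Placeholder values (assumptions): use what the provider issued at registration.
    const string AuthorizeUrl = "https://auth.example.internal/oauth/authorize";
    const string TokenUrl = "https://auth.example.internal/oauth/token";
    const string ClientId = "my-client-id";
    const string ClientSecret = "my-client-secret"; // load from protected config
    const string RedirectUri = "https://localhost:44300/oauth/callback";
    static readonly HttpClient Http = new HttpClient();

    // Step 1: redirect the browser here; keep the returned state in the session.
    public static string BuildAuthorizeUrl(out string state)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        state = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return AuthorizeUrl + "?response_type=code&client_id=" + Uri.EscapeDataString(ClientId)
            + "&redirect_uri=" + Uri.EscapeDataString(RedirectUri) + "&state=" + state;
    }

    // Step 2: call from the callback action with the code and state query values.
    public static async Task<JObject> ExchangeCodeAsync(string code, string state, string expectedState)
    {
        // Reject callbacks this session did not start (login CSRF).
        if (string.IsNullOrEmpty(expectedState) || !string.Equals(state, expectedState, StringComparison.Ordinal))
            throw new InvalidOperationException("OAuth state mismatch");
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes(ClientId + ":" + ClientSecret));
        var request = new HttpRequestMessage(HttpMethod.Post, TokenUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" },
            { "code", code },
            { "redirect_uri", RedirectUri }
        });
        var response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        // Typical fields: access_token, expires_in, refresh_token; keep them server-side.
        return JObject.Parse(await response.Content.ReadAsStringAsync());
    }
}
```

The exchange runs on the server, so the client secret and the refresh token never reach the SPA's JavaScript.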

1 Answer

3

You can use third-party OAuth tokens on Apigee. To use tokens from third-party OAuth systems in Apigee Edge, you need to do these things:

  • Configure the OAuthV2 policy that generates tokens with the <ExternalAuthorization> element set to true. If this element is false or not present, then Edge validates the client_id and client_secret normally against the Apigee Edge authorization store.
  • Set the internal flow variable oauth_external_authorization_status to true. If this value is false (or if the variable is not present), Edge assumes that the third-party authorization failed and returns an error message.

Typically, this variable is set to true or false based on a service callout to a third-party authorization service. You can look at the service callout response and set the variable accordingly. Take a look at the ServiceCallout policy for details. Another technique for setting this variable is to use an AssignMessage policy with the AssignVariable element, like this:

    <AssignMessage name="AssignMessage-SetVariable">
        <DisplayName>Assign Message - Set Variable</DisplayName>
        <!-- Tells Edge that the third-party authorization succeeded -->
        <AssignVariable>
            <Name>oauth_external_authorization_status</Name>
            <Value>true</Value>
        </AssignVariable>
        <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    </AssignMessage>

Refer to the following link:

Using third-party OAuth tokens

Manraj
  • I'm very unclear on where this would be assigned and how I would insert the token variable in the OAuth authorization request's header. This is a SPA ASP.NET application. Where would I insert this code? Is this in the webconfig settings? – Kat Jun 30 '16 at 17:35