1

I understand that ASP.NET Core has the assembly Microsoft.AspNetCore.Authentication.JwtBearer which we can use for token validation. However, I just can't quite understand whether ASP.NET Core built-in middleware can be also used to generate the tokens like we did with Microsoft.Owin.Security.OAuth. Can someone please help me clarify the following questions.

  1. Can we generate and issue tokens using Microsoft.AspNetCore.Authentication.JwtBearer like we did with Microsoft.Owin.Security.OAuth like:

    app.UseOAuthAuthorizationServer(oAuthServerOptions); app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

    without writing custom code to generate the token?

  2. If we can't do it with Microsoft.Owin.Security, is there any functionality in Microsoft.AspNetCore.Owin that is analogous to Microsoft.Owin.Security.OAuth?

Is using a 3rd party solution like IdentityServer4 the way to go if we I want to use an in-app user store, expose an endpoint for client to get a token and use it for authorization? Thanks.

bravo2zero
  • 129
  • 2
  • 13
  • It's a little old now, but we're still using the principles that I describe in this answer: https://stackoverflow.com/questions/29048122/token-based-authentication-in-asp-net-core/33217122#33217122 – Mark Hughes Jul 19 '18 at 12:46
  • Take a look at [Two AuthorizationSchemes in ASP.NET Core 2](https://wildermuth.com/2017/08/19/Two-AuthorizationSchemes-in-ASP-NET-Core-2) as it covers token generation. – Mark G Jul 19 '18 at 23:31
  • @MarkG Thanks very much for the link. That's really useful! – bravo2zero Jul 20 '18 at 01:39

1 Answers1

0

Can we generate and issue tokens using Microsoft.AspNetCore.Authentication.JwtBearer like we did with Microsoft.Owin.Security.OAuth

Microsoft.AspNetCore.Authentication.JwtBearer is just about JWT token validation. And it is not about OAuth 2.0 and OpenID Connect like it was in Microsoft.Owin.Security.OAuth. Moreover according to this link ASP.NET team decided not to port it.

So, to implement OAuth 2.0 and OpenID Connect you defenetly need to use a third-party package.

For basic scenarios it is convinient to use IdentityServer4 that you mentioned or OpenIddict as an alternative.

For more advanced scenarios I'd prefer ASOS which is used by OpenIddict. BTW, ASOS is forked from Katana's OAuth2 authorization server middleware.

As for Microsoft.AspNetCore.Owin it is not the same as Microsoft.Owin.Security.OAuth. It is just an adapter for running OWIN middleware in an ASP.NET Core application and vice versa

AlbertK
  • 11,841
  • 5
  • 40
  • 36
  • I think `Microsoft.AspNetCore.Authentication.JwtBearer` is just about validation. – adem caglin Jul 19 '18 at 14:21
  • @ademcaglin, you are right. In order to create and sign the token you need to use `System.IdentityModel.Tokens.Jwt` package. Thanks for the correction – AlbertK Jul 19 '18 at 14:51