4

I have been researching for a while now about how to implement an OAuth provider to secure my web api, but without good results.

For what I've seen so far, apparently there are only three libraries to develop an OAuth provider in .net:

1- DotNetOpenAuth 2- DevDefined 3- OAuth.net from madgex

madgex doesn't have any documentation for providers at all, at leats I haven't found anything, same with DevDefined, well, the last one has some documentation, but it lacks samples.

DotnetOpenAuth I think is the one most developers use, but I'm having a hard time to understand its samples, and documentation is terrible.

Has anybody implemented any of these libraries to write an Oauth PROVIDER, NOT CONSUMER, or anyone knows where I can find a decent documentation fro any of these.

For the record im trying to develop a 3-legged oauth provider.

Can anybody help me out here??

Daniel
  • 2,484
  • 4
  • 27
  • 35
  • Are you still working with Madgex? Let me know, i'm working on a project. Could use another Madgex programmer.... – Justin Jul 15 '14 at 21:17

3 Answers3

3

Have you checked out this project template, which although it's MVC 2 should provide some useful ideas for doing it in MVC 3:

http://visualstudiogallery.msdn.microsoft.com/81153747-70d7-477b-b85a-0374e7edabef

Then there is the OAuthServiceProvider sample that comes with DotNetOpenAuth, which is WebForms but the principles are mostly the same.

Andrew Arnott
  • 80,040
  • 26
  • 132
  • 171
  • I have downloaded the source and for 4 hours, I have been trying to run the WPF client. It keeps complaining about the Strong name signature, etc. I removes strong naming and it comes back!! What have you done mate? Does it run a stealth process to put it back? Can you help me please? I just need OAuth which probably takes me 2 days to write but I would prefer to use your software. – Aliostad Oct 28 '11 at 11:37
  • 1
    Dude, don't download the source code. Putting yourself up for punishment that way. Download the shipping binaries (http://sourceforge.net/projects/dnoa/files/releases/v3.4/v3.4.7/ and get the file with "tools" in the name so you get the WPF client) – Andrew Arnott Oct 29 '11 at 03:03
  • Yeah I figured out. You had gone to extreme length to make it untouchable. Man, this is supposed to be open source :) – Aliostad Oct 29 '11 at 08:35
  • I actually haven't done anything to intentionally make it difficult to build. And I actually have instructions on the web site for how to do it. But, it does serve as an effective deterrent against those who want to build it themselves in order to "adjust just one little thing" that would inadvertently open them up to security exploits. – Andrew Arnott Oct 29 '11 at 18:45
1

A good sample of DotNetOpenAuth implementation could be found here Releasing an ASP.NET MVC 3 OpenId StarterKit under Open Source License

Project url: http://mvcopenid.codeplex.com/

It should be good for you to start with.

UPDATE

By the way in ASP.NET MVC 4 third party auth providers it is out of the box.

Community
  • 1
  • 1
angularrocks.com
  • 26,767
  • 13
  • 87
  • 104
0

I have followed the steps mentioned at https://github.com/DotNetOpenAuth/DotNetOpenAuth/wiki/Security-scenarios to implement an OAuth 2.0 authorization service.

I have used the below link to create security certificates: http://www.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/

Don't forget to change your solution to use the thumbprints from the certificates created by you.

This is the best place to understand the OAuth 2 protocol: https://www.rfc-editor.org/rfc/rfc6749

Community
  • 1
  • 1
Rashmi Pandit
  • 23,230
  • 17
  • 71
  • 111