OWIN - Bind application information to the auth server
I followed the tutorial I found here for setting up an authorization server separate from my client application. http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
I can get the example working, but I feel that I am missing a few steps for my application.
I would like this authorization server to provide oauth tokens to be used by a separate project (and possibly several others) to authenticate users. I understand that this is the separation of the authorization logic and business logic, but I'm not sure how to actually create user pairs in the auth server for the users in the application.
For example, when a user creates an account for the first time, they will send their username / password to the authorization server. At what point does the application also create its own user information (empty profile and settings, etc.), and how can I then store the application user id with the authorization information? I tried adding the client's UserID as a claim on the auth server, but I'm not sure if I fully understand what this means, or if this is the correct approach.
Basically, I think my ASP.Net WebApi application should be able to accept the Authorization: Bearer <token> header and somehow obtain the UserID (the one belonging to this particular application) from the authorization server, but I'm not sure how. A second, unrelated application should be able to accept the same access token and get its own UserID (assuming the user has an account in both applications) from the auth server.
Am I looking at this correctly? How to associate user IDs of different applications with users created on the auth server?
Assuming I understand what you are trying to do correctly, if you are using Microsoft's OAuth Owin implementation, you should simply override the OAuthAuthorizationServerProvider and then override the appropriate Grant*() method.
See http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server for details.
If you're just using the ResourceOwner, it's pretty straightforward:
// Needs: System.Security.Claims, System.Threading.Tasks, Microsoft.Owin.Security, Microsoft.Owin.Security.OAuth
public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    var user = ...; // look the user up by context.UserName
    // Treat an unknown user and a wrong password the same way, so the endpoint
    // neither throws on a null user nor reveals which usernames exist.
    if (user == null || !PasswordProvider.ValidatePassword(context.Password, user.Password))
    {
        context.SetError("invalid_grant", "The password is incorrect.");
        return Task.FromResult<object>(null);
    }
    // Build the claims identity (see the BuildClaims helper below).
    var identity = new ClaimsIdentity(OwinAuthConfig.OAuthAuthorizationOptions.AuthenticationType);
    identity.BuildClaims(user);
    // Create the authentication properties (extra ticket data, e.g. the client id).
    var properties = CreateProperties(user);
    // Create the ticket and hand it to the middleware, which serializes it into the token.
    var ticket = new AuthenticationTicket(identity, properties);
    context.Validated(ticket);
    return Task.FromResult<object>(null);
}
Where the claims-building helper looks something like this:
using System.Collections.Generic;
using System.Security.Claims;

public static class ApplicationOAuthProviderHelper
{
    public static void BuildClaims(this ClaimsIdentity identity, User user)
    {
        // Standard claims carried by every token issued by the auth server.
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, user.Username),
            new Claim(ClaimTypes.NameIdentifier, user.UserId.ToString())
        };
        // Get custom claims, like user app ids.
        // ex. Claim { ClaimType = "app1/UserId", Value = "34242" }
        var externalAppClaims = MagicalFunctionThatGetsExternalClaims(user);
        foreach (var claim in externalAppClaims)
        {
            claims.Add(new Claim(claim.ClaimType, claim.Value));
        }
        identity.AddClaims(claims);
    }
}
Which can then be used in a Web API controller like:
// FindFirst returns a Claim (or null when the token has no such claim), so read its Value.
var userIdClaim = ((ClaimsIdentity)User.Identity).FindFirst("app1/UserId");
var userIdString = userIdClaim == null ? null : userIdClaim.Value;
Let me know if this doesn't answer your question!
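As an added example (not code from the answer or the linked tutorial), here is a complete OAuthAuthorizationServerProvider that goes one step beyond the BuildClaims helper above: it validates the client_id the calling application presents and then places only that application's user id in the token, so a token issued to app1 never carries app2's identifiers. The AuthUser model, the in-memory user store, the client registry and the verifyPassword delegate are constructed stand-ins for whatever database and password hasher the real server uses.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// Constructed sample model: one auth-server user with one user id per registered application.
public class AuthUser { public int UserId; public string Username; public string PasswordHash;
                        public Dictionary<string, string> AppUserIds; } // AppUserIds: client_id -> app user id

public class PerClientClaimsProvider : OAuthAuthorizationServerProvider
{
    private readonly IDictionary<string, AuthUser> _users;       // keyed by username (constructed store)
    private readonly ISet<string> _registeredClients;            // allowed client_id values
    private readonly Func<string, string, bool> _verifyPassword; // (password, hash) -> ok; hypothetical hasher

    public PerClientClaimsProvider(IDictionary<string, AuthUser> users, ISet<string> registeredClients,
        Func<string, string, bool> verifyPassword)
    { _users = users; _registeredClients = registeredClients; _verifyPassword = verifyPassword; }

    // Public clients send only a client_id (Basic header or form field). Unregistered ones are rejected;
    // without a validated client, context.ClientId stays null and the per-app claim below cannot be scoped.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            context.TryGetFormCredentials(out clientId, out clientSecret);
        if (clientId != null && _registeredClients.Contains(clientId)) context.Validated(clientId);
        else context.SetError("invalid_client", "Unknown client_id.");
        return Task.FromResult<object>(null);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        AuthUser user;
        // One error for both unknown user and wrong password, so the endpoint does not reveal which usernames exist.
        if (context.UserName == null || !_users.TryGetValue(context.UserName, out user)
            || !_verifyPassword(context.Password, user.PasswordHash))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult<object>(null);
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, user.Username));
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.UserId.ToString()));
        // Only the requesting application's user id goes into this token (claim type "<client_id>/UserId").
        string appUserId;
        if (user.AppUserIds.TryGetValue(context.ClientId, out appUserId))
            identity.AddClaim(new Claim(context.ClientId + "/UserId", appUserId));
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
        return Task.FromResult<object>(null);
    }
}
```

A resource server for app1 then reads the "app1/UserId" claim exactly as in the controller line above, and a token minted for another client_id simply does not contain it.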