Friday, 15 July 2011

c# - OWIN Web api 2 adding additional logic to Bearer authorization

I am attempting to implement OWIN bearer token authorization, based on this article. However, there's one additional piece of info I need in the bearer token, and I don't know how to implement it.

In my application, I need to deduce user info (say, the user ID) from the bearer token. This is important because I don't want an authorized user to be able to act as another user. Is this doable? Is this the right approach? If the user ID were a GUID, it would be simple, but it's an integer in my case. An authorized user could potentially impersonate another one by guessing / brute force, which is unacceptable.

Looking at the code:

using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public void ConfigureOAuth(IAppBuilder app)
{
    OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
    {
        AllowInsecureHttp = true,
        TokenEndpointPath = new PathString("/token"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
        Provider = new SimpleAuthorizationServerProvider()
    };

    // Token generation
    app.UseOAuthAuthorizationServer(OAuthServerOptions);
    // Token validation on incoming requests
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Accepts every client without checking credentials
        context.Validated();
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });

        using (AuthRepository _repo = new AuthRepository())
        {
            IdentityUser user = await _repo.FindUser(context.UserName, context.Password);

            if (user == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }
        }

        // Claims placed here end up inside the protected bearer token
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim("sub", context.UserName));
        identity.AddClaim(new Claim("role", "user"));

        context.Validated(identity);
    }
}

I think it's possible to override authorization / authentication to accommodate this need?
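As an added example (not code from the question or the answer), one way to meet the requirement above: the authenticated user's integer id is written into the token as a claim at grant time, and the Web API controller compares the id the caller asks for with the id carried in the validated token. AuthRepository, OrderStore and an integer user Id are assumptions following the question's description.

```csharp
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;

// Grant side: the authenticated user's integer id goes into the token as a claim.
// The OWIN middleware protects the token, so the client cannot alter the claim.
public class UserIdAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        using (var repo = new AuthRepository()) // assumed, as in the question: returns null on bad credentials
        {
            var user = await repo.FindUser(context.UserName, context.Password);
            if (user == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            // user.Id is assumed to be the integer key the question describes.
            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()));
            identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
            context.Validated(identity);
        }
    }
}

// Resource side: the user id is read from the validated token, never from the request body or URL.
[Authorize]
[RoutePrefix("api/orders")] // requires config.MapHttpAttributeRoutes() at startup
public class OrdersController : ApiController
{
    private int CurrentUserId()
    {
        var identity = (ClaimsIdentity)User.Identity;
        return int.Parse(identity.FindFirst(ClaimTypes.NameIdentifier).Value);
    }

    [HttpGet, Route("{userId:int}")]
    public IHttpActionResult GetOrders(int userId)
    {
        // A valid token is not enough: the id in the URL must match the id in the token.
        if (userId != CurrentUserId())
            return StatusCode(HttpStatusCode.Forbidden);
        return Ok(OrderStore.ForUser(userId)); // OrderStore is a hypothetical data-access helper
    }
}
```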

It seems there's something missing in your code. You're not validating the client.

You should implement ValidateClientAuthentication and check the client's credentials there.

This is what I do:

using System;
using System.Data.Entity;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;

public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
    string clientId = string.Empty;
    string clientSecret = string.Empty;

    // Client credentials are expected in the HTTP Basic Authorization header
    if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
    {
        context.SetError("invalid_client", "Client credentials could not be retrieved through the Authorization header.");
        context.Rejected();
        return;
    }

    ApplicationDatabaseContext dbContext = context.OwinContext.Get<ApplicationDatabaseContext>();
    ApplicationUserManager userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

    if (dbContext == null)
    {
        context.SetError("server_error");
        context.Rejected();
        return;
    }

    try
    {
        AppClient client = await dbContext
            .Clients
            .FirstOrDefaultAsync(clientEntity => clientEntity.Id == clientId);

        // Only the hash of the client secret is stored; compare with the password hasher
        if (client != null && userManager.PasswordHasher.VerifyHashedPassword(client.ClientSecretHash, clientSecret) == PasswordVerificationResult.Success)
        {
            // Client has been verified.
            context.OwinContext.Set<AppClient>("oauth:client", client);
            context.Validated(clientId);
        }
        else
        {
            // Client could not be validated.
            context.SetError("invalid_client", "Client credentials are invalid.");
            context.Rejected();
        }
    }
    catch (Exception ex)
    {
        // Keep the message for logging; do not leak it to the client
        string errorMessage = ex.Message;
        context.SetError("server_error");
        context.Rejected();
    }
}

An article with all the details can be found here. A better explanation can be found in this blog series.

Update:

I did some digging, and webstuff is right.

In order to pass the error description to the client, you need to call Rejected before you set the error with SetError:

context.Rejected();
context.SetError("invalid_client", "The information provided is not valid!");
return;

Or you can extend this by passing a serialized JSON object in the description:

context.Rejected();
context.SetError("invalid_client", Newtonsoft.Json.JsonConvert.SerializeObject(new { result = false, message = "The information provided is not valid!" }));
return;

With a JavaScript/jQuery client you can deserialize the text response and read the extended message:

$.ajax({
    type: 'POST',
    url: '<myAuthorizationServer>',
    data: { username: 'John', password: 'Smith', grant_type: 'password' },
    dataType: "json",
    contentType: 'application/x-www-form-urlencoded; charset=utf-8',
    xhrFields: { withCredentials: true },
    headers: { 'Authorization': 'Basic ' + authorizationBasic },
    error: function (req, status, error) {
        // error_description carries the JSON object serialized on the server
        if (req.responseJSON && req.responseJSON.error_description) {
            var details = $.parseJSON(req.responseJSON.error_description);
            alert(details.message);
        }
    }
});

Tags: c#, oauth-2.0, asp.net-web-api2, owin, bearer-token