
The documentation is very sparse in this area, which means I can't find a clear answer anywhere. If I'm not mistaken, when using cookie authentication in an MVC app, the cookie contains the encrypted info that is decrypted and seeded into the Principal on each request. Is the same thing happening with Bearer Tokens? Does the token contain all the info that goes into the Principal? How does it work behind the scenes? I'm sorry if this is a dumb question, but I find the current authentication/authorization implementation in Asp.Net MVC and web api very confusing, and there is not a lot of good documentation out there.


1 Answer


From my understanding, you're pretty much correct.

When authenticating the user's credentials, you extend the OAuthAuthorizationServerProvider class, overriding the GrantResourceOwnerCredentials method, where you then create a ClaimsIdentity instance and pass it into an AuthenticationTicket.

The ClaimsIdentity (and any assigned claims and data) is then encrypted and sent as part of the "access_token" section of the response.

Microsoft's OWIN authentication middleware looks after the plumbing of the encrypt/decrypt and serialization process. For IIS-hosted scenarios the encryption uses the machineKey in machine.config. For self-host, OWIN falls back to the Data Protection API.

On his blog, Brock Allen provides some very good insight and explanation of Microsoft's OWIN authentication middleware and what is going on behind the scenes. I would read here and here for further details.
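The flow the answer describes, as an added example that is not the answerer's code: a provider that builds the ClaimsIdentity and AuthenticationTicket in GrantResourceOwnerCredentials, the Startup wiring that serializes the ticket into the access_token and reads it back on each bearer request, and a helper that unprotects a token to show the claims travel inside it. The class names, the credential-check stub and the helper are assumptions.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical provider name; only the overridden methods are real OWIN API.
public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // no client secret in the password flow; the user check below gates access
        return Task.FromResult<object>(null);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Stub (assumption): a real app verifies a salted password hash against its user store.
        if (!CredentialsAreValid(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult<object>(null);
        }

        // Every claim added here is serialized into the access_token and becomes
        // the request's ClaimsPrincipal once the bearer middleware unprotects it.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim(ClaimTypes.Role, "user"));

        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
        return Task.FromResult<object>(null);
    }

    private static bool CredentialsAreValid(string userName, string password) => false; // stub
}

public class Startup
{
    public static OAuthAuthorizationServerOptions Options;

    public void Configuration(IAppBuilder app)
    {
        Options = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new ApplicationOAuthProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            AllowInsecureHttp = false // tokens must only travel over TLS
        };
        app.UseOAuthAuthorizationServer(Options); // fills Options.AccessTokenFormat with the default protector
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }

    // Helper (assumption): the same protector that built the token unprotects it,
    // returning the ticket with its claims; null means the token is tampered or expired.
    public static AuthenticationTicket ReadToken(string accessToken) =>
        Options.AccessTokenFormat.Unprotect(accessToken);
}
```

Calling ReadToken on an issued access_token yields an AuthenticationTicket whose Identity carries the Name and Role claims set in GrantResourceOwnerCredentials, which is why the Principal needs no server-side session.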