I walked through the http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api tutorial to implement ASP.NET Web API bearer token authentication.

When I access [Authorize] methods with an issued bearer token after I stop/restart/deploy on an Azure Website, I can still access them. Moreover, I can access them from two different devices (different tokens for the same identity).

I don't know the internals of the token identification mechanism, but it seems like the issued bearer tokens are not maintained in server memory or in a database.

My question can be summarized as below...

  1. Does the bearer token include my identity persistently and acknowledge me until I reauthorize (based on the above tutorial)?
  2. What information is mixed and hashed to make a bearer token? Only my realm, identity, and timestamp? Or a server key (I know the former ASP.NET Membership used a server key in the registry)?
  3. What if I deploy to multiple servers as WebRoles? Do they still acknowledge tokens issued by the others?
  4. Is there a maximum number of identifiable tokens per identity?

1 Answer

  1. A bearer token doesn't acknowledge you; the OAuth token provider endpoint acknowledges you with a bearer token. The token will persist and identify you until it expires (default 10 minutes). In this example app it was set to 14 days; see AccessTokenExpireTimeSpan = TimeSpan.FromDays(14).
  2. It may also include some of the request itself.
  3. The example app uses an OWIN middleware implementation for the OAuth token provider; see app.UseOAuthBearerTokens(OAuthOptions). This is on a per-server basis, and there are other token providers to support multiple instances of a server, e.g. Facebook, Google, Microsoft account, Twitter, or you can roll your own.
  4. It would depend on the token provider, but with most you can have multiple sessions with the same identity.
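As an added example (not code from the question, the answer, or the linked tutorial), the following Python models the property the asker observed: an OWIN bearer token is a self-contained ticket protected with a server-side key, so it is never looked up in memory or a database, it survives a stop/restart/deploy, it validates on any server that holds the same key, and nothing limits how many tokens one identity may hold. Under ASP.NET hosting the real ticket is protected with the site's machineKey (encrypted and MAC'd); this model uses only an HMAC-SHA256 tag over a JSON payload with a constructed SERVER_KEY, so the identity is readable by the bearer but not forgeable. The function names, the 14-day lifetime and the sample identities are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed secret for this example. In ASP.NET this role is played by the
# machineKey (validationKey/decryptionKey) that every server in the farm shares.
SERVER_KEY = b"example-shared-server-key-do-not-use-in-production"

# Mirrors the tutorial's AccessTokenExpireTimeSpan = TimeSpan.FromDays(14).
DEFAULT_LIFETIME = 14 * 24 * 3600


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, identity: str, lifetime: int = DEFAULT_LIFETIME, now=None) -> str:
    """Build a self-contained ticket: identity + issue/expiry time, MAC'd with the server key.

    The random 'jti' makes every issuance distinct, so two devices logging in as the
    same identity receive two different, independently valid tokens. Nothing is stored.
    """
    now = time.time() if now is None else now
    ticket = {"sub": identity, "iat": int(now), "exp": int(now + lifetime), "jti": b64u(os.urandom(8))}
    payload = b64u(json.dumps(ticket, separators=(",", ":"), sort_keys=True).encode())
    tag = b64u(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def validate_token(key: bytes, token: str, now=None):
    """Return the identity if the token is authentic and unexpired, else None.

    Only the key is needed: a freshly restarted process, or a different server with
    the same key, accepts the token without any shared state.
    """
    now = time.time() if now is None else now
    try:
        payload, tag = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64u_decode(tag), expected):
            return None
        ticket = json.loads(b64u_decode(payload))
        if now >= int(ticket["exp"]):
            return None
        return ticket["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def forge_identity(token: str, new_identity: str) -> str:
    """Constructed attack: the payload is only base64, so rewrite 'sub' and keep the old tag."""
    payload, tag = token.split(".")
    ticket = json.loads(b64u_decode(payload))
    ticket["sub"] = new_identity
    forged = b64u(json.dumps(ticket, separators=(",", ":"), sort_keys=True).encode())
    return f"{forged}.{tag}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    phone = issue_token(SERVER_KEY, "alice", now=t0)
    laptop = issue_token(SERVER_KEY, "alice", now=t0)
    print("two sessions, same identity:", validate_token(SERVER_KEY, phone, now=t0 + 60),
          validate_token(SERVER_KEY, laptop, now=t0 + 60))
    print("other server, same key:", validate_token(bytes(SERVER_KEY), phone, now=t0 + 60))
    print("other server, different key:", validate_token(b"not-the-farm-key", phone, now=t0 + 60))
    print("after 14 days:", validate_token(SERVER_KEY, phone, now=t0 + DEFAULT_LIFETIME))
    print("forged identity:", validate_token(SERVER_KEY, forge_identity(phone, "admin"), now=t0 + 60))
```

The consequence worth noting is that because no server state is involved, stopping or redeploying the site does not revoke outstanding tokens; only expiry (AccessTokenExpireTimeSpan) or rotating the key does, so keep the lifetime short and use refresh tokens if you need earlier revocation. For a multi-instance deployment the servers must share the key: Azure Websites/App Service synchronize the machineKey across instances of one site, which matches the asker's observation, whereas self-managed Web Roles need an explicit &lt;machineKey&gt; in web.config so that all instances accept each other's tokens.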