I am now at the learning stage of OWIN bearer token authentication in Web API. The code is implemented with token- and cookie-based authentication. The code is:
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        try
        {
            using (UserManager<ApplicationUser> userManager = userManagerFactory())
            {
                // Verify the user name / password pair supplied in the token request.
                ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
                if (user == null || user.IsDeleted)
                {
                    context.SetError("invalid_grant", "The user name or password is incorrect.");
                    return;
                }

                // One identity for the bearer token, one for the cookie.
                ClaimsIdentity oAuthIdentity = await userManager.CreateIdentityAsync(user,
                    context.Options.AuthenticationType);
                ClaimsIdentity cookiesIdentity = await userManager.CreateIdentityAsync(user,
                    CookieAuthenticationDefaults.AuthenticationType);

                var roleName = await GetRoleName(user.Roles.First().RoleId);
                AuthenticationProperties properties = CreateProperties(user.UserName, roleName);
                AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);

                // The ticket is what gets serialized into the access token.
                context.Validated(ticket);
                context.Request.Context.Authentication.SignIn(cookiesIdentity);
            }
        }
        catch (Exception)
        {
            // Rethrow without resetting the stack trace (throw ex; would lose it).
            throw;
        }
    }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Resource owner password credentials does not provide a client ID.
        if (context.ClientId == null)
        {
            context.Validated();
        }
        return Task.FromResult<object>(null);
    }

    public override Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
    {
        if (context.ClientId == _publicClientId)
        {
            // Only accept a redirect back to the root of this same site.
            Uri expectedRootUri = new Uri(context.Request.Uri, "/");
            if (expectedRootUri.AbsoluteUri == context.RedirectUri)
            {
                context.Validated();
            }
        }
        return Task.FromResult<object>(null);
    }
The code was implemented by a colleague and I have some doubts.
Token authentication is based on the generated token. I generated a token for my user, whose role is 'Admin'. Now I can access a restricted action, as the user has the 'Admin' role. But after that I changed the role to 'User' for the same user. Now, with the same old token, I can still access the resource even though he is no longer in 'Admin'. Actually, I read some articles saying that this is implemented with extra custom logic. That's OK.
Now I changed the user's password to some other password. Even now, I can access the resource with the same old token. I think this is not good, even if I create short-lived tokens.
Can anyone please guide me on how to stop this, or have I missed anything? Which method is actually called when I call an action with an 'Authorization' header?
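On the password-change and role-change doubts raised above: the bearer token is self-contained, so the authorization server provider shown in the question is not consulted again once the token is issued; the request with the Authorization header is handled by the OAuth bearer middleware, whose OAuthBearerAuthenticationProvider.OnValidateIdentity hook is the place to re-check the user. The following is an added example, not code from the question or its author's project: it compares the ASP.NET Identity security stamp embedded in the token against the stamp currently stored for the user and rejects the token on mismatch (ChangePasswordAsync and UpdateSecurityStampAsync both rotate the stamp). It assumes the default Identity 2.x ClaimsIdentityFactory, which adds the stamp under the claim type "AspNet.Identity.SecurityStamp" when the user store implements IUserSecurityStampStore, and reuses the question's userManagerFactory and ApplicationUser; the extension method name is hypothetical.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security.OAuth;
using Owin;

public static class BearerTokenRevocation
{
    // Claim type written by the default Identity 2.x ClaimsIdentityFactory (assumption).
    private const string SecurityStampClaimType = "AspNet.Identity.SecurityStamp";

    // Hypothetical helper: register the bearer middleware with a provider that
    // re-validates the security stamp on every authenticated request.
    public static void UseStampValidatedBearer(this IAppBuilder app,
        Func<UserManager<ApplicationUser>> userManagerFactory)
    {
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider
            {
                OnValidateIdentity = ctx => ValidateStampAsync(ctx, userManagerFactory)
            }
        });
    }

    private static async Task ValidateStampAsync(OAuthValidateIdentityContext ctx,
        Func<UserManager<ApplicationUser>> userManagerFactory)
    {
        ClaimsIdentity identity = ctx.Ticket.Identity;
        string userId = identity.GetUserId();
        string stampInToken = identity.FindFirstValue(SecurityStampClaimType);
        if (userId == null || stampInToken == null)
        {
            ctx.Rejected(); // token was issued without the claims this check relies on
            return;
        }
        using (UserManager<ApplicationUser> userManager = userManagerFactory())
        {
            // The stored stamp changes on password change (and on UpdateSecurityStampAsync),
            // so any token minted before that change no longer matches.
            string currentStamp = await userManager.GetSecurityStampAsync(userId);
            if (!string.Equals(currentStamp, stampInToken, StringComparison.Ordinal))
            {
                ctx.Rejected();
                return;
            }
        }
        ctx.Validated();
    }
}
```

Call `userManager.UpdateSecurityStampAsync(user.Id)` wherever roles are changed so that role demotion invalidates outstanding tokens the same way; this adds one store lookup per request, so keep AccessTokenExpireTimeSpan short as well rather than relying on either measure alone.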