2 votes

Now I am at the learning stage of OWIN bearer token authentication in Web API. The code is implemented with token- and cookie-based authentication. The code is:

using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;

// Runs only for grant_type=password requests to the token endpoint.
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    try
    {
        using (UserManager<ApplicationUser> userManager = userManagerFactory())
        {
            // FindAsync returns null both for an unknown user and for a wrong password.
            ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);

            if (user == null || user.IsDeleted)
            {
                // One message for every failure case, so the caller cannot tell which check failed.
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }

            ClaimsIdentity oAuthIdentity = await userManager.CreateIdentityAsync(user,
                context.Options.AuthenticationType);
            ClaimsIdentity cookiesIdentity = await userManager.CreateIdentityAsync(user,
                CookieAuthenticationDefaults.AuthenticationType);

            // Only the user's first role is copied into the ticket; First() throws if the user has no role.
            var roleName = await GetRoleName(user.Roles.First().RoleId);

            AuthenticationProperties properties = CreateProperties(user.UserName, roleName);
            AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
            context.Validated(ticket);
            context.Request.Context.Authentication.SignIn(cookiesIdentity);
        }
    }
    catch (Exception)
    {
        // "throw ex;" would reset the stack trace; a bare rethrow keeps it.
        throw;
    }
}

public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
    // Resource owner password credentials does not provide a client ID.
    if (context.ClientId == null)
    {
        context.Validated();
    }

    return Task.FromResult<object>(null);
}

public override Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
{
    if (context.ClientId == _publicClientId)
    {
        // The only accepted redirect URI is the root of this server.
        Uri expectedRootUri = new Uri(context.Request.Uri, "/");

        if (expectedRootUri.AbsoluteUri == context.RedirectUri)
        {
            context.Validated();
        }
    }

    return Task.FromResult<object>(null);
}

The code was implemented by a colleague and I have some doubts.

  1. Token authentication is based on the generated token. I generated a token for my user, whose role is 'Admin'. Now I can access a restricted action, as the user has the 'Admin' role. But after that I changed the role to 'User' for the same user. Now, with the same old token, I can still access the resource even though he is not in 'Admin' any more. Actually, I read some articles saying that this is implemented with extra custom logic. That's ok.

  2. Now I changed the user's password to some other password. Even now, I can access the resource with the same old token. I think this is not good, even if I create short-lived tokens.

Can anyone please guide me on how to arrest this, or have I missed anything? Which method is actually called when I call an action with the 'Authorization' header?


1 Answer

0 votes

Well, there is no "direct" way to revoke granted access tokens or do "logoff". If the user has the token, then he can access the secured server resources until the token has expired. The indirect way is to store a token_id for each token granted to the user in a database and do DB checks with each call, which is something I do not recommend.

So in some situations it is better to use refresh tokens along with the access token. You issue a short-lived access token (15 mins) and use the refresh token to obtain new access tokens. The nice thing here is that refresh tokens can be revoked from the backend system, so there is control over them.

Check my post on how to enable OAuth refresh tokens in ASP.NET Web API.
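As an added example of the approach the answer describes, and not code from the question, the answer or the post it links to: an OWIN `IAuthenticationTokenProvider` that hands the client a random refresh token, stores only its SHA-256 hash together with the protected ticket, consumes each token once, and can revoke every refresh token of a user (for instance when the password changes). `RefreshTokenRecord`, `RefreshTokenStore`, `SimpleRefreshTokenProvider` and the 7-day lifetime are assumptions made here; the in-memory dictionary stands in for the database table the answer mentions.

```csharp
// Added example, not code from the question, the answer or the post it links to.
// RefreshTokenRecord, RefreshTokenStore and SimpleRefreshTokenProvider are names
// chosen here; the in-memory dictionary stands in for a database table.
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Infrastructure;

public sealed class RefreshTokenRecord
{
    public string HashedId;          // SHA-256 of the value handed to the client
    public string Subject;           // user name the token was issued to
    public string ProtectedTicket;   // serialized, protected AuthenticationTicket
    public DateTime ExpiresUtc;      // lets a cleanup job purge stale rows
}

public static class RefreshTokenStore
{
    private static readonly ConcurrentDictionary<string, RefreshTokenRecord> Records =
        new ConcurrentDictionary<string, RefreshTokenRecord>();

    // Only the hash is stored, so a leaked table does not yield usable refresh tokens.
    public static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    public static void Add(RefreshTokenRecord record) { Records[record.HashedId] = record; }

    // Removes the record as it is read: each refresh token can be used exactly once.
    public static RefreshTokenRecord Take(string hashedId)
    {
        RefreshTokenRecord record;
        return Records.TryRemove(hashedId, out record) ? record : null;
    }

    // Revocation: drop every refresh token of one user, e.g. right after a password change.
    public static int RevokeAllFor(string subject)
    {
        int revoked = 0;
        foreach (var id in Records.Values.Where(r => r.Subject == subject).Select(r => r.HashedId).ToList())
        {
            RefreshTokenRecord ignored;
            if (Records.TryRemove(id, out ignored)) revoked++;
        }
        return revoked;
    }
}

public sealed class SimpleRefreshTokenProvider : IAuthenticationTokenProvider
{
    private static readonly TimeSpan RefreshTokenLifetime = TimeSpan.FromDays(7); // assumed value

    // Runs at the token endpoint after the access token has been produced.
    public void Create(AuthenticationTokenCreateContext context)
    {
        string subject = context.Ticket.Identity.Name;
        if (string.IsNullOrEmpty(subject)) return;

        // 256 random bits; the raw value goes to the client, only the hash to the store.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string refreshToken = Convert.ToBase64String(bytes);

        // The refresh token outlives the 15-minute access token, so its ticket gets its own expiry.
        context.Ticket.Properties.IssuedUtc = DateTimeOffset.UtcNow;
        context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.Add(RefreshTokenLifetime);

        RefreshTokenStore.Add(new RefreshTokenRecord
        {
            HashedId = RefreshTokenStore.Hash(refreshToken),
            Subject = subject,
            ProtectedTicket = context.SerializeTicket(),
            ExpiresUtc = context.Ticket.Properties.ExpiresUtc.Value.UtcDateTime
        });
        context.SetToken(refreshToken);
    }

    // Runs for grant_type=refresh_token. Leaving the ticket unset makes the grant fail,
    // which is how an unknown, already used, revoked or expired token is rejected.
    public void Receive(AuthenticationTokenReceiveContext context)
    {
        RefreshTokenRecord record = RefreshTokenStore.Take(RefreshTokenStore.Hash(context.Token));
        if (record == null || record.ExpiresUtc < DateTime.UtcNow) return;
        context.DeserializeTicket(record.ProtectedTicket);
    }

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        Create(context);
        return Task.FromResult<object>(null);
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        Receive(context);
        return Task.FromResult<object>(null);
    }
}
```

To wire it in, set `RefreshTokenProvider = new SimpleRefreshTokenProvider()` and `AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15)` on the `OAuthAuthorizationServerOptions`, and override `GrantRefreshToken` in the authorization server provider shown in the question to call `context.Validated(new ClaimsIdentity(context.Ticket.Identity))`; the default implementation does not validate, so the refresh grant would be refused. Rebuilding the identity from the user store inside `GrantRefreshToken`, instead of copying the stored one, is also where a changed role or password can be made to stop the refresh. On the asker's last question: none of the `OAuthAuthorizationServerProvider` methods in the question run when a request arrives with an `Authorization: Bearer` header; those run only at the token endpoint. The bearer middleware unprotects the token itself and then calls `OAuthBearerAuthenticationProvider.ValidateIdentity`, which is the per-request hook where a check against the database (the one the answer advises against doing on every call) would have to live.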