I'm trying to create a simple proof of concept OAuth enabled application but am stuck on the authorization code implementation. Everywhere I read seems like it goes in one way or another, never actually using the authorization code flow. I've been using the following resources for information:
- https://tools.ietf.org/html/draft-ietf-oauth-v2-31
- https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
- http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
I have setup web api and owin with a custom OAuthAuthorizationServerProvider to accept password grant types for refresh tokens and the ability to exchange a refresh token for an access token. This is working well, but I want to setup a scenario where I redirect a browser to the server to authorize and redirect back to the client with an authorization code. I then want the client to sent the authorization code to the token endpoint to get a refresh token
In the second link under Web Server Apps, I'm trying to get my web api app to surface an authorization code from a request like, http://127.0.0.1/auth?response_type=code&client_id=123&redirect_uri=http://validredirect.com&scope=access, but I keep getting a 404.
I've configured owin as follows:
var databaseContext = new AdnsfContext();
WebApp.Start(
new StartOptions("http://127.0.0.1:7000"),
appBuilder =>
{
var httpConfig = new HttpConfiguration();
httpConfig.MapHttpAttributeRoutes();
httpConfig.SuppressDefaultHostAuthentication();
httpConfig.Filters.Add(new HostAuthenticationFilter("Bearer"));
appBuilder
.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
{
AllowInsecureHttp = true,
ApplicationCanDisplayErrors = true,
AuthorizeEndpointPath = new PathString("/auth"),
TokenEndpointPath = new PathString("/token"),
AuthorizationCodeExpireTimeSpan = TimeSpan.FromMinutes(1),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(1),
Provider = new AuthServerProvider(),
AuthorizationCodeProvider = new AuthorizationCodeProvider(),
RefreshTokenProvider = new RefreshTokenProvider(),
})
.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
AuthenticationType = "Bearer",
})
.UseCors(CorsOptions.AllowAll)
.UseWebApi(httpConfig);
});
The pieces I've added to enable the authorization endpoint are the properties for the auth server options:
AuthorizeEndpointPath = new PathString("/auth"),
AuthorizationCodeExpireTimeSpan = TimeSpan.FromMinutes(1),
AuthorizationCodeProvider = new AuthorizationCodeProvider(),
The overrides in my implementation of the AuthorizationCodeProvider throw not implemented exceptions but it's currently not even hitting any breakpoints set in the code. One thing to note is that when I use postman to hit the auth endpoint, I get a server header back for HTTPAPI/2.0 which is different than if there simply isn't something surfaced at that endpoint, which means I must be sending the request incorrectly. Can anyone see a problem with my setup? Thanks in advance, I know that this is clearly my failing in understanding OWIN and OAuth.
