OWIN OAuth Authorization Server and individual accounts

2
votes

I have an application that has been under developpment for quite a while now. We used OWIN with individual accounts. The application is asp.Net MVC with WebApi and AngularJs frontend.

The API grew quite a lot and we have cases where we need to give access to clients to the API directly.

Problem is that it is secured using CookieAuthentication.

I would like to use the OAuth that is packaged with OWIN and directly available (though a lot of the implementation is up to the developer as it looks like).

Is it possible to add implementation of the Authorization server (http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server) in the same application or should I deploy another server?

The whole thing is that nothing should change for the users of the web site that is currently deployed, this is just an extra feature to help API security.

Thanks

1
asp.net-mvcoauth-2.0owin

1 Answers

1
votes

Yes it's possible to implement your Authorization Server to grant client access to your API.

OAuthOptions = new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/OAuth/Token"),
                AuthorizeEndpointPath = new PathString("/Api/Account/ExternalLogin"),
                Provider = new MyOAuthAuthorizationServerProvider()
            };

I leave the implementation of the OAuthAuthorizationServerProvider to you but you can find some inspiration with the Thinktecture Identity project.

Last step is to register your new middleware:

// Enable the application to use bearer tokens to authenticate users (Authorization Server and Resource Server)
app.UseOAuthBearerTokens(OAuthOptions);

You can then send requests to your API with the access token you received from your OAuth provider using the 'client_credentials' grant type.

Hope it helped.