3
votes

I'm trying to create a token server for a few self-hosted OWIN services (console applications).

However, this seems like it's only possible if I host in IIS:

The data format used to protect the information contained in the access token. If not provided by the application the default data protection provider depends on the host server. The SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server. - MSDN

Is there any way to share keys across servers if I'm self-hosting by sharing some kind of key in the app.config, like how I can share a machine key via web.config? If not, that would mean the only option left is to implement my own AccessTokenProvider (assuming I still use the built-in OAuth server and self-host)?

2
jpsfs: Hi @ton.yeung. Did you find a solution for this problem?
ton.yeung: Yes, you generate the keys yourself and register them in the OWIN pipeline yourself. The answer is moot though, since the built-in OAuth Server is not being updated for use with MVC 6. I would look into a different OAuth solution for long-term use.

2 Answers

0
votes

I've found this answer, which gives an idea on how you can use machine key in self-hosted OWIN app. Please note that a reference to System.Web is required.

After adding MachineKeyProtectionProvider and MachineKeyDataProtector, I just add the protection provider as below.

using Owin;                                   // IAppBuilder and the Use* extension methods
using Microsoft.Owin.Security;                // AuthenticationMode
using Microsoft.Owin.Security.DataProtection; // SetDataProtectionProvider
using Microsoft.Owin.Security.OAuth;          // OAuthBearerAuthenticationOptions
using System.Web.Http;                        // HttpConfiguration

//...

// Register the shared MachineKey-backed provider before any middleware that creates data protectors.
app.SetDataProtectionProvider(new MachineKeyProtectionProvider());
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
    AuthenticationMode = AuthenticationMode.Active
});
app.UseWebApi(config);

The difficult moment for me here was that the order of initialization matters: UseWebApi should come after SetDataProtectionProvider.
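One way the two classes that answer names could look, added here as an example rather than code from the linked answer or from the question's author. It assumes the IDataProtectionProvider/IDataProtector interfaces from Microsoft.Owin.Security.DataProtection, a reference to System.Web, and an explicit <machineKey validationKey="..." decryptionKey="..."/> under <system.web> in each server's app.config:

```csharp
using System.Security.Cryptography;              // CryptographicException
using System.Web.Security;                       // MachineKey (needs a System.Web reference)
using Microsoft.Owin.Security.DataProtection;    // IDataProtectionProvider, IDataProtector

// Added example: an OWIN data protection provider backed by ASP.NET MachineKey.
// Every self-hosted server that must accept the same bearer tokens needs the same
// explicitly configured validationKey/decryptionKey; auto-generated keys are
// per machine and tokens would then only verify on the server that issued them.
public sealed class MachineKeyProtectionProvider : IDataProtectionProvider
{
    public IDataProtector Create(params string[] purposes)
    {
        return new MachineKeyDataProtector(purposes);
    }
}

public sealed class MachineKeyDataProtector : IDataProtector
{
    private readonly string[] _purposes;

    public MachineKeyDataProtector(string[] purposes)
    {
        // OWIN passes a purpose chain (middleware type, "Access_Token", version, ...).
        // Binding it into MachineKey.Protect keeps data protected for one purpose
        // from being accepted when unprotected for another.
        _purposes = purposes ?? new string[0];
    }

    public byte[] Protect(byte[] userData)
    {
        return MachineKey.Protect(userData, _purposes);
    }

    public byte[] Unprotect(byte[] protectedData)
    {
        try
        {
            return MachineKey.Unprotect(protectedData, _purposes);
        }
        catch (CryptographicException)
        {
            // Tampered data or a server with different keys: returning null makes
            // OWIN's SecureDataFormat treat the token as invalid instead of faulting.
            return null;
        }
    }
}
```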

0
votes

I've tried MachineKey protection to no avail under Self-Hosted Web API. What finally worked for me is to specify a DPAPI Protection Provider in both projects:

app.SetDataProtectionProvider(new DpapiDataProtectionProvider("myApp"));

HTH