0 votes

I have an ASP.NET Web API with JWT authentication using OWIN middleware. My resource server and the authorization server are the same. I am able to get the token from the token endpoint. The ValidateClientAuthentication and GrantResourceOwnerCredentials methods are hit successfully. However, when I try to access a protected (with [Authorize]) API (with the authorization header set to the bearer token) I only get "Authorization has been denied for this request".

I have overridden the ValidateAuthorizeRequest method just to see if it gets hit when the API call is made via Postman. However, it is never hit.

I am trying to figure out a way to see if OWIN is intercepting calls to the API at all, other than the calls to the token endpoint.

Is there any way, or any methods to override, so that I can debug and see where in the pipeline the request is being rejected and why?

As of now I make the call via Postman and get an unauthorized response.

Any help would be greatly appreciated.

1

Two questions: 1. Do you bind the Web API config in the OWIN startup class? 2. Can you access the API without [Authorize]? – Marcus Höglund

1) Yes, I bind the Web API config in the OWIN startup class as shown in the code posted in the other question. 2) Yes, when I remove the [Authorize] attribute it's accessible. – tariq

@MarcusH I made an update to the question based on the attempts I made since then. I have overridden the MatchEndpoint method of the OAuthAuthorizationServerProvider class. This method is called on every request to see if the request is on the token endpoint or the authorize endpoint. To my surprise, IsTokenEndpoint comes back true when I hit it for a token, but IsAuthorizeEndpoint is never true for other requests, which I guess it should be. This means it's not detecting the call as being on the authorize endpoint. – tariq

1 Answer

0 votes

This is difficult to answer without seeing what you've done. I am wondering if you have wired things up correctly. The Startup class is where you define your Provider and Token format, and then you set your application to use those settings. Here is an example:

    using System;
    using System.Web.Http;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.OAuth;
    using Owin;

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            ConfigureOAuth(app);                                   // OAuth middleware must be registered before Web API
            app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
            app.UseWebApi(config);
        }

        public void ConfigureOAuth(IAppBuilder app)
        {
            // ConfigurationHelper and ToInt() are the answerer's own helpers that read appSettings
            int accessTokenExpiresInSeconds = ConfigurationHelper.GetAppSetting("AccessTokenExpirationInSeconds").ToInt();

            var oAuthServerOptions = new OAuthAuthorizationServerOptions
            {
                AllowInsecureHttp = true,                          // allows the token endpoint over plain HTTP (development setting)
                TokenEndpointPath = new PathString(ConfigurationHelper.GetAppSetting("TokenEndPoint")),
                AccessTokenExpireTimeSpan = TimeSpan.FromSeconds(accessTokenExpiresInSeconds),
                Provider = new CustomOAuthProvider(),              // subclass of OAuthAuthorizationServerProvider
                AccessTokenFormat = new CustomJwtFormat(ConfigurationHelper.GetAppSetting("TokenIssuer")) // ISecureDataFormat<AuthenticationTicket> that produces the JWT
            };

            // Registers the token-issuing middleware (serves the token endpoint)
            app.UseOAuthAuthorizationServer(oAuthServerOptions);
        }
    }

If that's not the issue, then you can use my own article on OAuth2 and JWT; I've got a full example of how to set everything up, and the code is on GitHub. Hopefully it will guide you in the right direction:

https://eidand.com/2015/03/28/authorization-system-with-owin-web-api-json-web-tokens/
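The question asks how to see where in the OWIN pipeline a bearer request is rejected. The following Startup is an added example, not the answerer's code or the project's: it registers the token-issuing server from the answer, a separate bearer-consuming middleware (which is what turns an Authorization header into a principal for [Authorize]), and two diagnostic middlewares that trace whether the header arrives and whether a principal exists afterwards. CustomOAuthProvider and CustomJwtFormat are the answer's own types and are assumed to exist; CustomJwtFormat is assumed to implement Unprotect() so that it validates the JWT and returns an AuthenticationTicket (or null). The "/token" path, the issuer URL, the 30-minute expiry and the namespace are placeholders.

```csharp
using System;
using System.Diagnostics;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(JwtDebugExample.Startup))]   // placeholder namespace

namespace JwtDebugExample
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();

            // 1. Runs before any authentication middleware: does the Authorization
            //    header reach OWIN at all, and with which scheme? Only the scheme is
            //    traced, never the token value.
            app.Use(async (context, next) =>
            {
                string auth = context.Request.Headers.Get("Authorization");
                string scheme = string.IsNullOrEmpty(auth) ? "(none)" : auth.Split(' ')[0];
                Trace.TraceInformation("[pre-auth ] {0} {1} Authorization scheme={2}",
                    context.Request.Method, context.Request.Path, scheme);
                await next();
            });

            // 2. Token issuing (the token endpoint), as in the answer above.
            //    CustomOAuthProvider / CustomJwtFormat are assumed to be the answer's types.
            app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
            {
                AllowInsecureHttp = true,                        // development setting
                TokenEndpointPath = new PathString("/token"),    // placeholder path
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
                Provider = new CustomOAuthProvider(),
                AccessTokenFormat = new CustomJwtFormat("http://issuer.example") // placeholder issuer
            });

            // 3. Token consumption. UseOAuthAuthorizationServer only issues tokens;
            //    this middleware reads "Authorization: Bearer <jwt>", calls
            //    AccessTokenFormat.Unprotect() and, if a ticket comes back, sets
            //    context.Authentication.User, which [Authorize] then checks.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
            {
                AccessTokenFormat = new CustomJwtFormat("http://issuer.example")
            });

            // 4. Runs after authentication and before Web API: was a principal
            //    established, and what status did the controller finally return?
            app.Use(async (context, next) =>
            {
                ClaimsPrincipal user = context.Authentication.User;
                bool authenticated = user != null && user.Identity != null
                                     && user.Identity.IsAuthenticated;
                Trace.TraceInformation("[post-auth] {0} authenticated={1} name={2}",
                    context.Request.Path, authenticated,
                    authenticated ? user.Identity.Name : "-");

                await next();

                Trace.TraceInformation("[response ] {0} status={1}",
                    context.Request.Path, context.Response.StatusCode);
            });

            app.UseWebApi(config);
        }
    }
}
```

Reading the trace output tells you which stage fails: a "(none)" scheme in the pre-auth line means the header never reached OWIN (client or hosting issue); a "Bearer" scheme followed by authenticated=false means the bearer middleware is missing or its Unprotect() rejected the token (signature, issuer, audience or expiry); authenticated=true followed by status=401 points at Web API itself (for example a host authentication filter or an [Authorize] role/user restriction). Registration order matters: both diagnostics and the bearer middleware must be added before app.UseWebApi, otherwise Web API answers the request before they run.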