3
votes

I am working on one of my first OAuth solutions, using a pre-installed Visual Studio solution.

My authentication works fine, and when a client calls /token, they get a bearer token and all is fine. This token is a "user level" token, which you can see on every request to the server. This means I can add [Authorize] on those endpoints only the user should access.

However, at the same time, I also want my server applications to have "full access rights". They need to be able to get lists across multiple users, delete things and so forth.

Here come my questions, which I assume can be answered together very easily:

  1. How do you manage both short lived tokens (bearer tokens?) together with permanent tokens (API tokens?)
  2. How do I differ on access levels, so some methods require the permanent token?
  3. How do I differ on access levels in the same method (i.e. typical GET methods, where a user only should get "his items" while an admin token can get "all")

Probably super simple - and most likely I just don't know what keywords to search on Google!


1 Answer

1
votes

It might seem simple, but it involves a lot of concepts; I will justify some of them from your questions:

1. How do you manage both short lived tokens (bearer tokens?) together with permanent tokens (API tokens?)

Generally, a Web API project can use a bearer token as an authentication mechanism, but it doesn't support advanced authorization scenarios like what you are asking, so in order to fit those needs you need to use the customization of the Identity model and the implementation of authorization based on the role.

2. How do I differ on access levels, so some methods require the permanent token?

You need to create a RoleManager class and add it to the OWIN context; now you can modify the Authorize attribute to hold the roles as follows: [Authorize(Roles="Admin")]

3. How do I differ on access levels, so some methods require the permanent token?

You need to create custom logic based on the role to decide whether that user is an Admin or not, and based on that you can create the permanent token for the people who have admin access. I hope my second point's explanation answers this question as well.

4. How do I differ on access levels in the same method (i.e. typical GET methods, where a user only should get "his items" while an admin token can get "all")

Based on roles you can get the list of all the users or a single user's; here is pseudo code for your understanding:

    // Inside a Web API action, with the template's ApplicationUserManager as
    // userManager; "repository" stands for whatever data access you use.
    public IHttpActionResult Get()
    {
        // id of the caller, taken from the claims in the bearer token
        var userId = User.Identity.GetUserId(); // Microsoft.AspNet.Identity

        if (userManager.IsInRole(userId, "Admin"))
        {
            // this role is authorized to get all records
            return Ok(repository.GetAll());
        }
        else
        {
            // send only this user's own records
            return Ok(repository.GetByOwner(userId));
        }
    }
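As an added illustration of the answer's points 2 and 4 (this is not the answerer's code), here is how the role-based attribute and the in-method role check sit together in one ASP.NET Web API 2 controller from the Visual Studio Identity template; the Item entity, its OwnerId property and ApplicationDbContext.Items are assumed:

```csharp
using System.Linq;
using System.Net;
using System.Web.Http;
using Microsoft.AspNet.Identity;

// Added example, not code from the question or answer. Assumes a hypothetical
// Item entity with an OwnerId column and an ApplicationDbContext exposing
// DbSet<Item> Items, as generated by the Visual Studio Web API + Identity template.
[Authorize]                       // every action needs a valid bearer token
[RoutePrefix("api/items")]
public class ItemsController : ApiController
{
    private readonly ApplicationDbContext db = new ApplicationDbContext();

    // Point 4: same method, different result depending on the caller's role.
    // User.IsInRole reads the role claims embedded in the bearer token when it
    // was issued, so the decision is made server-side per request and cannot be
    // influenced by anything the client puts in the query string.
    [Route("")]
    public IHttpActionResult GetItems()
    {
        var callerId = User.Identity.GetUserId();
        var query = db.Items.AsQueryable();
        if (!User.IsInRole("Admin"))
        {
            // ordinary users see only the rows they own
            query = query.Where(i => i.OwnerId == callerId);
        }
        return Ok(query.ToList());
    }

    // Point 2: some methods require the elevated token. The filter rejects a
    // caller whose token carries no "Admin" role claim before the body runs.
    [Authorize(Roles = "Admin")]
    [Route("{id:int}")]
    public IHttpActionResult DeleteItem(int id)
    {
        var item = db.Items.Find(id);
        if (item == null) return NotFound();
        db.Items.Remove(item);
        db.SaveChanges();
        return StatusCode(HttpStatusCode.NoContent);
    }
}
```

The role claims are only present if they were added to the ClaimsIdentity when the token was issued, so check the identity created in your OAuth provider's GrantResourceOwnerCredentials includes them.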