From the SPA template I managed to get basic OAuth flows working.

    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        AllowInsecureHttp = true, 
        ApplicationCanDisplayErrors = true,
        TokenEndpointPath = new Microsoft.Owin.PathString("/Token"),
        AuthorizeEndpointPath = new Microsoft.Owin.PathString("/api/Account/ExternalLogin"),
        Provider = new CompositeWebroleOauthProvider<User>(PublicClientId, IdentityManagerFactory, CookieOptions)
    };

I have a single page application that is hosted on a separate domain that will interact with the Web API using the bearer tokens from the Token endpoint.

I am doing the ResourceOwnerCredentials flow, with a request with the following data:

    data: {
        grant_type: "password",
        username: username,
        password: password
    }

These tokens are short lived etc. I now would like to extend my application such that I can get a refresh token or something, so that I do not have to authenticate all the time. What are my next steps?

The GrantResourceOwnerCredentials implementation:

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        using (var identityManager = _identityManagerFactory.Create())
        {
            var user = await identityManager.FindAsync(context.UserName, context.Password);

            if (user == null)
            {
                // One generic error for both unknown user and wrong password
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }

            ClaimsIdentity oAuthIdentity = await identityManager.CreateIdentityAsync(user, context.Options.AuthenticationType);
            // CreatePropertiesAsync is a helper of the asker's not shown on this page
            AuthenticationProperties properties = CreatePropertiesAsync(user);
            AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
            context.Validated(ticket);
        }
    }
Poul K. Sørensen
  • On the line AuthenticationProperties properties = CreatePropertiesAsync(user); what does your CreatePropertiesAsync method look like? – Cameron Woodall Oct 08 '14 at 12:53
  • It's some time ago, not sure where the code got parked. But my work was around the stuff that got published here: http://blogs.msdn.com/b/webdev/archive/2013/09/20/understanding-security-features-in-spa-template.aspx which also uses it. – Poul K. Sørensen Oct 08 '14 at 14:10

1 Answer


I just had to set the provider for it to generate refresh tokens.

Any comments or pointers on when to set refresh tokens and when not to would be nice.

    RefreshTokenProvider = new AuthenticationTokenProvider
    {
        OnCreate = CreateRefreshToken,
        OnReceive = ReceiveRefreshToken,
    }

    // The refresh token is the protected, serialized ticket itself, so it carries
    // the same ExpiresUtc as the access token unless the ticket is changed here
    private void CreateRefreshToken(AuthenticationTokenCreateContext context)
    {
        context.SetToken(context.SerializeTicket());
    }

    // Unprotect the incoming token back into a ticket; leaving context.Ticket
    // null makes the server answer invalid_grant
    private void ReceiveRefreshToken(AuthenticationTokenReceiveContext context)
    {
        context.DeserializeTicket(context.Token);
    }
Poul K. Sørensen
  • Basically RefreshToken helps the application get a new AccessToken even after the current AccessToken is expired. While getting the new AccessToken, the RefreshToken can be presented and the username and password are not required. RefreshToken lifetime can be managed by the Token Provider and the user should be provided with an option to grant the lifetime of the RefreshToken. – jd4u Oct 17 '13 at 07:32
  • That makes sense, thanks. Just need to figure out how to do that in Katana AuthorizationServer (Owin). Seems the refresh tokens get same lifetime as the access tokens. – Poul K. Sørensen Oct 17 '13 at 07:56
  • Yes, refresh token is created from the same ticket as the accessToken ticket. We can change it via ServerOptions provided at startup as you have noted above. – jd4u Oct 17 '13 at 08:45
  • But that means we change both refresh and access token. Would I not want something like the access token having 20 min and refresh token until revoked? – Poul K. Sørensen Oct 17 '13 at 11:28
  • For accessToken, you can pass AccessTokenExpireTimeSpan. Yes, you can keep the refreshtoken with longer timespan. – jd4u Oct 17 '13 at 11:53
  • Thank you for your answers here and in the other question with the same. http://stackoverflow.com/questions/19409085/lifetime-of-refresh-tokens-with-katana-oauthauthorizationserver/19421929?noredirect=1#comment28798768_19421929 – Poul K. Sørensen Oct 17 '13 at 12:26
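The comments above settle on a short access token (AccessTokenExpireTimeSpan) and a longer-lived refresh token, but the answer's provider still hands the client the serialized ticket itself, which cannot be revoked and expires together with the access token. The following is an added example, not the asker's code and not part of Katana; it gives the refresh ticket its own lifetime, issues an opaque random handle instead of the ticket, and keeps the ticket server-side so a handle can be revoked and is accepted only once. The in-memory ConcurrentDictionary, the 14-day lifetime, the Revoke method and the class names are assumptions of this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;

// Added example, not the asker's code. Refresh tokens are opaque random handles that
// map to a server-side copy of the ticket, so any single token can be revoked and each
// handle is accepted only once. The ConcurrentDictionary stands in for a persistent
// store (database, cache) and is an assumption of this example.
public class RevocableRefreshTokenProvider : IAuthenticationTokenProvider
{
    // Assumed lifetime; the access token keeps AccessTokenExpireTimeSpan from the options.
    private static readonly TimeSpan RefreshTokenLifetime = TimeSpan.FromDays(14);

    private readonly ConcurrentDictionary<string, string> _tickets =
        new ConcurrentDictionary<string, string>();

    public void Create(AuthenticationTokenCreateContext context)
    {
        // Katana hands over the ticket with the access token's ExpiresUtc already set
        // (and has already captured that value for "expires_in"), so the refresh ticket
        // can be given its own, longer lifetime before it is serialized.
        DateTimeOffset now = DateTimeOffset.UtcNow;
        context.Ticket.Properties.IssuedUtc = now;
        context.Ticket.Properties.ExpiresUtc = now.Add(RefreshTokenLifetime);

        string handle = NewHandle();
        _tickets[handle] = context.SerializeTicket(); // protected with the RefreshTokenFormat
        context.SetToken(handle);                      // only the random handle leaves the server
    }

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        Create(context);
        return Task.FromResult<object>(null);
    }

    public void Receive(AuthenticationTokenReceiveContext context)
    {
        string serialized;
        // TryRemove makes every refresh token single use: a replayed or revoked handle
        // is simply absent, context.Ticket stays null and the server answers invalid_grant.
        if (_tickets.TryRemove(context.Token, out serialized))
        {
            context.DeserializeTicket(serialized);
            // Katana compares Ticket.Properties.ExpiresUtc with the clock itself and
            // rejects an expired refresh ticket, so no extra expiry check is needed here.
        }
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        Receive(context);
        return Task.FromResult<object>(null);
    }

    // Called from a logout or "sign out everywhere" endpoint (assumed to exist).
    public bool Revoke(string handle)
    {
        string ignored;
        return _tickets.TryRemove(handle, out ignored);
    }

    private static string NewHandle()
    {
        byte[] bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        // URL-safe base64 without padding, so the handle survives form encoding unchanged
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
}

// The refresh grant only succeeds when GrantRefreshToken marks the context validated;
// the base implementation does nothing, so this override belongs in the asker's
// CompositeWebroleOauthProvider next to GrantResourceOwnerCredentials.
public class RefreshingOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        // Issue the new access token from a copy of the stored identity. Re-checking the
        // account here (disabled, password changed) is what makes a long refresh lifetime safe.
        var identity = new ClaimsIdentity(context.Ticket.Identity);
        context.Validated(new AuthenticationTicket(identity, context.Ticket.Properties));
        return Task.FromResult<object>(null);
    }
}

// Wiring, alongside the asker's other OAuthAuthorizationServerOptions:
//   AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
//   RefreshTokenProvider = new RevocableRefreshTokenProvider(),
```

Because Katana calls the RefreshTokenProvider again after a successful refresh grant, every refresh also rotates the handle: the old one was removed in Receive and a fresh one is issued in Create, so a stolen refresh token stops working as soon as the legitimate client uses its own. The interface is implemented directly rather than subclassing AuthenticationTokenProvider, whose CreateAsync and ReceiveAsync throw NotImplementedException unless the OnCreate/OnReceive delegates are set.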