
How can I reject an identity? My class inherits from OAuthBearerAuthenticationProvider and I have an override of ValidateIdentity.

I have tried setting context.Rejected(); or context.SetError(); and throwing an exception but my controllers still get called. OAuthBearerAuthenticationHandler does call my class so I know I have the setup correct.

My current failing code:

    public void ConfigureAuth(IAppBuilder app)
    {
        // Enable the application to use a cookie to store information for the signed in user
        // and to use a cookie to temporarily store information about a user logging in with a third party login provider
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Enable the application to use bearer tokens to authenticate users
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
        {
            Provider = new OAuthBearerAuthenticationProvider()
            {
                OnValidateIdentity = async ctx => { ctx.Rejected(); }
            }
        });
        app.UseOAuthBearerTokens(OAuthOptions);
    }
  • Does your action method have the Authorize attribute? Remember that the authorization middleware provides a service to assign the ClaimsIdentity. – jd4u Oct 24 '13 at 13:06
  • Yes, and I can step through the authorize filter; it's the OAuthBearerAuthenticationHandler that does not seem to work. Or its caller is ignoring the fact that it returns null. – Aaron Fischer Oct 24 '13 at 14:34
  • Do you reach the controller method where AuthorizeAttribute is assigned? If the return value is null, the ClaimsIdentity is not assigned to the current User, so it's like Anonymous. – jd4u Oct 24 '13 at 14:41
  • It makes it through the authorization filter and the claims identity is assigned to the principal. The control flow is hard to follow in the debugger since it's async code, but I think OAuthBearerAuthenticationHandler is passing context by reference, which does not work in an await handler? – Aaron Fischer Oct 24 '13 at 15:04

1 Answer


I couldn't repro the issue. Could you check that your implementation of OnValidateIdentity is the same?

        OAuthBearerOptions = new OAuthBearerAuthenticationOptions()
        {
            Provider = new OAuthBearerAuthenticationProvider
            {
                OnValidateIdentity = async ctx =>
                    {
                        ctx.Rejected();
                    }
            }
        };
  • Odd, this is just the plain Visual Studio Web API template using individual accounts. Yet I use the same code as you and I get values back from the "values" controller. – Aaron Fischer Oct 25 '13 at 12:55
  • This seems to work if I only use app.UseOAuthBearerAuthentication... but if I also have app.UseOAuthBearerTokens then something else is dealing with the token's validity and overriding my setting? – Aaron Fischer Oct 28 '13 at 19:31
  • UseOAuthBearerTokens will register Bearer authentication middleware and authorization server middleware into the pipeline. If you call both methods, you will register two Bearer auth middlewares. You need to call UseOAuthAuthorizationServer to register authorization server only. – Hongye Sun Oct 28 '13 at 19:49
  • @HongyeSun: Do you know where this is documented? I've been decompiling Identity to reach these conclusions, but I have other similar questions and this is obviously not the proper way to go about things. I can mostly find code samples but no clear explanation of how Identity OWIN extensions fit with the generic OAuth middleware components. It seems everybody's using the templates without really knowing what's going on (though I hope I've simply missed an obvious document somewhere). – tne Apr 22 '14 at 08:44
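Putting Hongye Sun's last comment into a complete Startup configuration, as an added example that is not code from the question or the answer: the authorization server is registered on its own with UseOAuthAuthorizationServer, so exactly one bearer middleware (the one carrying the custom provider) is in the pipeline and its Rejected() call is honoured. OAuthOptions is assumed to be the template's OAuthAuthorizationServerOptions, and the check for a "scope" claim is an assumed example policy, not something from the page.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // Assumed to be initialised elsewhere (the template's Startup.Auth.cs sets
    // TokenEndpointPath, Provider, AccessTokenExpireTimeSpan, etc.).
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Register only the token-issuing endpoint here. Calling UseOAuthBearerTokens
        // as well would add a second bearer middleware with the default provider,
        // which validates any token the server can unprotect and so authenticates
        // the request even after the provider below has rejected it.
        app.UseOAuthAuthorizationServer(OAuthOptions);

        // The single bearer middleware, carrying the custom validation.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider
            {
                OnValidateIdentity = ctx =>
                {
                    // Example policy (assumed): tokens without a "scope" claim are
                    // rejected. The handler then returns no identity, the request
                    // runs as anonymous, and [Authorize] responds with 401.
                    if (!ctx.Ticket.Identity.HasClaim(c => c.Type == "scope"))
                    {
                        ctx.Rejected();
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

Note that the handler marks an authenticated identity as validated before it calls the provider, so a provider that does nothing accepts the token; the rejection has to be explicit, as above.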