
I've been following the Thinktecture Identity Server example of OAuth2 Resource Owner Password Flow found at http://leastprivilege.com/2012/11/01/oauth2-in-thinktecture-identityserver-v2-resource-owner-password-flow/

I have the example working and returning JWT tokens successfully via the following process

  1. Use the Thinktecture OAuth2Client to retrieve the access token
  2. Retrieve the signing certificate from the "Trusted People" store on the client machine
  3. Using the certificate and creating a new JwtSecurityTokenHandler and TokenValidationParameters and calling tokenHandler.ValidateToken to get a ClaimsPrincipal
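The three steps above, written out as one added C# example (this is not code from the question or from the linked Thinktecture post). It assumes the 2012-era Thinktecture.IdentityModel client, where OAuth2Client exposes RequestAccessTokenUserName, and the System.IdentityModel.Tokens.Jwt 4.x names for TokenValidationParameters (ValidIssuer, ValidAudience, IssuerSigningKey, ClockSkew); the endpoint, issuer, audience, client credentials and certificate subject are placeholders.

```csharp
// Added example: resource owner password flow end to end.
// Step 1 obtains the JWT, step 2 loads the signing certificate from
// LocalMachine\TrustedPeople, step 3 validates signature, issuer,
// audience and lifetime before trusting any claim.
using System;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Thinktecture.IdentityModel.Client;

public static class ResourceOwnerLogin
{
    // Placeholders; replace with your IdentityServer values.
    const string TokenEndpoint      = "https://idsrv.example/issue/oauth2/token";
    const string Issuer             = "https://idsrv.example";
    const string Audience           = "https://api.example/";
    const string SigningCertSubject = "CN=idsrv-signing";

    // Step 1: exchange user name and password for an access token.
    public static string RequestAccessToken(string userName, string password)
    {
        // "client" / "secret" are placeholder client credentials.
        var client = new OAuth2Client(new Uri(TokenEndpoint), "client", "secret");
        var response = client.RequestAccessTokenUserName(userName, password, Audience);
        return response.AccessToken;
    }

    // Step 2: the certificate that signed the JWT, from the Trusted People store.
    public static X509Certificate2 LoadSigningCertificate()
    {
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false so a self-signed signing cert is still returned;
            // trust comes from the store it sits in, not from chain building.
            var found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, SigningCertSubject, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("Signing certificate not found in TrustedPeople.");
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Step 3: validate the token and turn it into a ClaimsPrincipal.
    public static ClaimsPrincipal ValidateJwt(string jwt, X509Certificate2 signingCert)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer      = Issuer,
            ValidAudience    = Audience,
            IssuerSigningKey = new X509SecurityKey(signingCert),
            // ValidateIssuer, ValidateAudience and ValidateLifetime default to true;
            // leave them on. Allow only a small clock skew between IdP and RP.
            ClockSkew        = TimeSpan.FromMinutes(2)
        };

        SecurityToken validated;
        var handler = new JwtSecurityTokenHandler();
        // Throws SecurityTokenValidationException (bad signature, wrong issuer or
        // audience, expired) rather than returning a partially trusted principal.
        return handler.ValidateToken(jwt, parameters, out validated);
    }
}
```

Usage is the obvious chain: `var jwt = ResourceOwnerLogin.RequestAccessToken(user, pwd); var principal = ResourceOwnerLogin.ValidateJwt(jwt, ResourceOwnerLogin.LoadSigningCertificate());`. Keep the raw `jwt` string alongside the principal; it is the value you will need to forward as a bearer token to APIs further down the stack, and it should be treated as a credential (never logged, only sent over TLS).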

From here I am authorized, but I am uncertain of the best way to persist the token for further requests. I tried using

var sessionToken = new SessionSecurityToken(principal, TimeSpan.FromHours(8));
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);

But I do not have a SessionAuthenticationModule registered. I tried using the Identity and Access wizard to get this in place, but it makes many changes to config and tries to set things up for passive authentication.

I could use a traditional FormsAuthentication cookie (.aspnetAuth) but I remember discussion that an advantage of the .FedAuth cookie was that it was naturally split into several cookies if the size grew too big.

I'm struggling to find an article that completes the picture for me. I need the bearer token for accessing various APIs further down the stack. I have working examples of this for SSO/passive authentication, because most of the work is done for you. I'm just not sure of the best pattern for use when using the Resource Owner Password flow.

So

  1. Have I missed a more straightforward way to achieve this with Thinktecture Identity Model and Server?
  2. Should I try to create a FedAuth cookie so that I can reuse the various Messagehandler/filter components that are already setup for WIF?
  3. Otherwise - is there anything particularly wrong with simply putting the access token in the UserData section of the FormsAuthentication cookie?
Paul Devenney

1 Answer

Try to look at this question: WIF Security Token Caching.

I believe this code might do

var sessionSecurityToken = new SessionSecurityToken(principal, TimeSpan.FromHours(Convert.ToInt32(System.Web.Configuration.WebConfigurationManager.AppSettings["SessionSecurityTokenLifeTime"])))
{
    IsPersistent = true, // Make persistent
    IsReferenceMode = true // Cache on server
};
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionSecurityToken);
pepo
  • sadly no, this is the code I currently have commented out. As I mentioned - I currently do not have a session authentication module registered, this code depends on the setup of WIF. I'm not asking about caching the token and replacing it with an identifier. Ideally I do want to use the piece of code above - it makes sense, but I'm not sure of what steps to take that allow me to do this without actually turning on passive authentication – Paul Devenney Mar 14 '14 at 15:27
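An added example (mine, not the answerer's or the asker's code) that addresses the follow-up comment: it registers only WIF's SessionAuthenticationModule from code, so none of the passive WS-Federation configuration the Identity and Access wizard writes is needed, then persists the validated principal in reference mode as the answer suggests, keeping the raw bearer token with the identity for downstream API calls. It assumes .NET 4.5 (HttpApplication.RegisterModule, System.IdentityModel.Services), that the default FederationConfiguration is acceptable when web.config declares no system.identityModel sections, and the hypothetical claim type urn:example:access_token.

```csharp
// Added example: session cookie for the resource owner password flow
// without enabling passive federation.
using System;
using System.IdentityModel.Services;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

[assembly: PreApplicationStartMethod(typeof(Example.SessionModuleBootstrap), "Register")]

namespace Example
{
    public static class SessionModuleBootstrap
    {
        // Hypothetical claim type used to carry the bearer token on the identity.
        public const string AccessTokenClaim = "urn:example:access_token";

        public static void Register()
        {
            // Only the session module is registered. WSFederationAuthenticationModule
            // is left out, so nothing ever redirects the browser to an STS.
            HttpApplication.RegisterModule(typeof(SessionAuthenticationModule));
        }
    }

    public static class SessionPersistence
    {
        // principal: result of JwtSecurityTokenHandler.ValidateToken
        // accessToken: the raw JWT string from the token endpoint
        // jwtValidTo: expiry of that JWT (validatedToken.ValidTo)
        public static void Persist(ClaimsPrincipal principal, string accessToken, DateTime jwtValidTo)
        {
            var identity = (ClaimsIdentity)principal.Identity;
            identity.AddClaim(new Claim(SessionModuleBootstrap.AccessTokenClaim, accessToken));

            // Never let the session outlive the bearer token it carries; otherwise
            // downstream calls would start failing with an expired token while the
            // user still looks signed in.
            var lifetime = jwtValidTo.ToUniversalTime() - DateTime.UtcNow;
            if (lifetime <= TimeSpan.Zero)
                throw new InvalidOperationException("Access token already expired.");

            var sessionToken = new SessionSecurityToken(principal, lifetime)
            {
                // Reference mode: the cookie holds only a key; the claims, including
                // the bearer token, stay in the server-side SessionSecurityTokenCache.
                // The default cache is in-process memory, so a web farm needs a
                // shared SessionSecurityTokenCache implementation.
                IsReferenceMode = true
            };
            FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
        }
    }

    // Attaches the stored bearer token to outgoing HttpClient calls, so code
    // further down the stack never handles the token string directly.
    public sealed class BearerTokenHandler : DelegatingHandler
    {
        public BearerTokenHandler() : base(new HttpClientHandler()) { }

        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            var identity = ClaimsPrincipal.Current.Identity as ClaimsIdentity;
            var tokenClaim = identity == null
                ? null
                : identity.FindFirst(SessionModuleBootstrap.AccessTokenClaim);

            if (tokenClaim != null && request.RequestUri.Scheme == Uri.UriSchemeHttps)
            {
                // Only ever send the bearer token over TLS.
                request.Headers.Authorization =
                    new AuthenticationHeaderValue("Bearer", tokenClaim.Value);
            }
            return base.SendAsync(request, cancellationToken);
        }
    }
}
```

Usage: after validation call `SessionPersistence.Persist(principal, jwt, validatedToken.ValidTo)`, and build downstream clients as `new HttpClient(new BearerTokenHandler())`; on later requests the SessionAuthenticationModule rehydrates `ClaimsPrincipal.Current` from the cookie before your handlers or filters run. Two caveats from the default WIF setup: the SessionSecurityTokenHandler protects the cookie with DPAPI, which fails on a web farm or on an app pool without a loaded user profile, so switch to MachineKeySessionSecurityTokenHandler in that case; and if you ever drop IsReferenceMode, the bearer token itself is serialized into the (encrypted) .FedAuth cookie, which is the same size and exposure trade-off as putting it in FormsAuthentication UserData.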