28

I am trying to understand the Asp.net Web Api Individual Accounts authentication and authorization. I have see several tutorials on the web including this one. In short, when a user agent provides username and password the API issues a token that the client will use in subsequent calls to the API for to identify itself. The user agent receives the token by making a request, typically to: http://example.com/Token. The path appears to be set in the Startup class like so:

TokenEndpointPath = new PathString("/Token")

My problem is, I can't find any controller methods that match that path. How does this work?

Joe
  • 619
  • 1
  • 8
  • 16

1 Answers1

36

When you create a new Project with Individual Authentication in ASP.NET, the solution is created with an OAuth Provider to handle Authentication Request.

If you look at you solution, you should see a Providers Folder with a class ApplicationOAuthProvider.

This class implement all the logic for authenticate your members in you website. The configuration is set at Startup to allow you to customize the url endpoint through the OAuthOption.

OAuthOptions = new OAuthAuthorizationServerOptions
{
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId),
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
    AllowInsecureHttp = true
};

The TokenEndPoint Path properties defined the url which will fired the GrantResourceOwnerCredentials method of the GrandResourceOwnerCredentials.

If you use fiddler to authenticate and use this kind of body

 grant_type=password&username=testUserName&password=TestPassword

you should pass in the following method : 

public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);

        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager,
           OAuthDefaults.AuthenticationType);
        ClaimsIdentity cookiesIdentity = await user.GenerateUserIdentityAsync(userManager,
            CookieAuthenticationDefaults.AuthenticationType);

        AuthenticationProperties properties = CreateProperties(user.UserName);
        AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
        context.Validated(ticket);
        context.Request.Context.Authentication.SignIn(cookiesIdentity);
    }

where context.UserName and context.Password are set with the data used in the request. After the identity is confirmed (here using Entity Framework and a couple userName, Password in a database), a Bearer token is sent to the caller. This Bearer token could then be used to be authenticated for the other calls.

Regards.

Jeremie Devillard
  • 726
  • 8
  • 12
  • @Jeremie, thanks for clearing that up. Really great explanation and this was my exact problem. Can anyone please tell me if using this default oauth bearer token is the best and most secure way of implementing security in your API? I am busy developing an API that will be exposed to the internet and consumed by a angularjs mobile app which I am also currently working on. Any other alternatives? Much appreciated. – fransHbrink Jan 08 '15 at 09:46
  • @Jeremie, Is it possible to have multiple endpoint urls that all point to the same IAppBuilder application. If not how can we have multiple toke endpoints in one web api application ? – Jami Jan 22 '16 at 04:22