
I am trying to figure out how I could put the clientID (or any additional data I might need) inside a bearer/access token.

I am using OWIN OAuth to create the tokens. I can add claims to the identity ticket that will then be encrypted/serialized into the token and passed back to the client.

The client then calls a protected API, and the API de-serializes the token and sets up an IPrincipal for the user. This identity object contains the username and the scopes in the ClaimsIdentity.

I would like to get additional information, such as the clientID that made the request to get the token in the first place.

I can put this data inside a claim; this clearly works, but it's a hack.

I've done quite a bit of searching and I am not sure how, if possible, to store additional data inside the bearer/access token.

Thanks in advance!

bugnuker

2 Answers


You can store it in the AuthenticationProperties object, as in the code below:

    var props = new AuthenticationProperties(new Dictionary<string, string>
    {
        // Stored in the ticket's properties, separate from the claims identity
        { "as:client_id", (context.ClientId == null) ? string.Empty : context.ClientId },
        { "userName", context.UserName }
    });

    var ticket = new AuthenticationTicket(identity, props);

and to read it you need to unprotect the token as in the code below, then read the properties from the ticket. I didn't find a direct way to create the token without passing the token; I know it is not the ultimate answer, but it might help.

    string token = "TOKEN GOES HERE";
    // Unprotect with the same AccessTokenFormat the authorization server used to issue the token
    Microsoft.Owin.Security.AuthenticationTicket ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(token);

Taiseer Joudeh
  • This works great on the auth server. But what about for the protected resource? For example, the Web API that takes these tokens. Using this: app.UseOAuthBearerAuthentication(new Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationOptions()); – bugnuker Nov 13 '14 at 15:12
  • It will work too, I'm doing this already in the Resource server, not on the Authorization server, please check it [here](https://github.com/tjoudeh/AngularJSAuthentication/blob/master/AngularJSAuthentication.ResourceServer/Controllers/ProtectedController.cs) – Taiseer Joudeh Nov 13 '14 at 22:33
  • Where is the token value coming from in this context? – bugnuker Nov 15 '14 at 18:19
  • @TaiseerJoudeh Thank you for your answer and great blog. I'm confused here: what should be put into AuthenticationProperties and what should be put into the claims identity? – ChengWhyNot Jan 15 '15 at 09:49
  • @ChengWhyNot in the claims identity you put the information that you want to get encoded within the token itself; in the AuthenticationProperties you can do this too, but if you override the method TokenEndpoint then all properties will be returned in the response. You should store claims in the claims identity always, it is the more standard way to do this. – Taiseer Joudeh Jan 17 '15 at 22:52

If you want to use AuthenticationProperties you must override TokenEndpoint; without that, the properties will not be returned.

    public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    {
        // Copy every AuthenticationProperties entry into the JSON token response
        foreach (KeyValuePair<string, string> property in context.Properties.Dictionary)
        {
            context.AdditionalResponseParameters.Add(property.Key, property.Value);
        }

        return Task.FromResult<object>(null);
    }
Cobra