I am working on implementing token-based security for an ASP.NET Web Forms website and Web API.

The website should work with a session token with claims-based identity. The website should make AJAX requests to the Web API.

This is what I have implemented so far:

  1. Use Thinktecture v2 STS as the token provider for the OAuth2 resource owner access token

  2. The website requests a token

    // OAuth2 client pointed at the STS token endpoint, with client id and secret
    var client = new OAuth2Client(
                    new Uri("https://xxxx/issue/oauth2/token"),
                    "clientid",
                    "secret");

    // Resource owner flow: user name, password and the requested scope
    var response = client.RequestAccessTokenUserName(
            "xxxx",
            "yyyy",
            "urn:webapisecurity");

    return response.AccessToken;

Question: How do I now make the website use a session token and extract claims from the token received above?

Patrick Hofman
user1213831

1 Answer

If you are able to upgrade, presuming you are not already on it, to ASP.NET 4.5.1 or greater, ASP.NET is now shipping with OAuth support out of the box.

Although I don't like doing this, just in case the link breaks for future readers, the following article is a good tutorial on how OAuth2 works with ASP.NET. Unfortunately it is too long to post here.

http://www.asp.net/web-api/overview/security/external-authentication-services

BMac
  • No, it's not _fully_ out of the box. In the web link you mentioned, the new project creation of an SPA project will add additional NuGet packages (outside the original distribution of .NET Framework class libraries). And the legacy ASP.NET WebForms will never look the same, because of additional routes and controllers that will change the common flow of legacy ASP.NET WebForms. – Eriawan Kusumawardhono Dec 06 '18 at 08:21
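
One way to do what the question asks, as an added example that is not part of the original posts: validate the access token, then hand the resulting claims to the WIF session authentication module so the site runs on a session cookie. It assumes the STS issues signed JWT access tokens, the `System.IdentityModel.Tokens.Jwt` NuGet package (5.x or later) is referenced, and the `SessionAuthenticationModule` is registered in web.config; `TokenSession`, `SignIn`, the issuer placeholder and the certificate parameter are hypothetical names.

```csharp
using System;
using System.IdentityModel.Services;                  // FederatedAuthentication
using System.IdentityModel.Tokens.Jwt;                // JwtSecurityTokenHandler (NuGet, assumed)
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;                 // TokenValidationParameters, X509SecurityKey

public static class TokenSession
{
    // Placeholder (assumption): replace with the issuer name your STS puts in its tokens.
    private const string ExpectedIssuer = "ISSUER-NAME-PLACEHOLDER";
    // The scope requested in the question; the token must be issued for it.
    private const string ExpectedAudience = "urn:webapisecurity";

    // Validates the token, starts a cookie-based session, returns the claims principal.
    public static ClaimsPrincipal SignIn(string accessToken, X509Certificate2 stsSigningCert)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = ExpectedIssuer,
            ValidateAudience = true,
            ValidAudience = ExpectedAudience,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new X509SecurityKey(stsSigningCert)
        };

        // Throws if the signature, issuer, audience or lifetime check fails,
        // so claims are never read from an unverified token.
        SecurityToken validated;
        ClaimsPrincipal principal = new JwtSecurityTokenHandler()
            .ValidateToken(accessToken, parameters, out validated);

        // Bound the session to the access token's own validity window so the
        // cookie cannot outlive the token it was derived from.
        var session = new System.IdentityModel.Tokens.SessionSecurityToken(
            principal, null, validated.ValidFrom, validated.ValidTo);

        // Serializes the claims into the protected session cookie; on later
        // requests the module restores them as the current principal.
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(session);
        return principal;
    }
}
```

After `SignIn`, pages can read the claims through `ClaimsPrincipal.Current.Claims`.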