
We are trying to implement an OAuth 2 server and an API server (both are different servers), using Node.js for all.


We are using the https://github.com/FrankHassanabad/Oauth2orizeRecipes Authorization Code flow.

Do we need to write a new validateToken function in the OAuth server and just hit it from the API side to authenticate that user only?

We are thinking of keeping users and roles on the OAuth side, but we need to check them on the API side before giving the API call response.

We are trying to use it for authentication purposes as well, for the CMS and the mobile app. Are we on the right track, or missing anything?

jit

2 Answers


I looked into more details and found the tokeninfo implementation inside Oauth2orizeRecipes:

https://github.com/FrankHassanabad/Oauth2orizeRecipes/wiki/Token-Info-Endpoint

Still, a couple of points are not clear to me; I will update the answer again.

jit

(I faced a similar situation in .NET, so this is in that context.)

No, if you are using OAuth you don't have to write a new validate-token method, as OAuthBearerAuthenticationProvider does this behind the scenes:

app.UseJwtBearerAuthentication(
    new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        AllowedAudiences = new[] { audience },
        IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
        {
            new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
        },
        Provider = new OAuthBearerAuthenticationProvider
        {
            OnValidateIdentity = context =>
            {
                // Enrich the validated identity with an extra claim.
                context.Ticket.Identity.AddClaim(new System.Security.Claims.Claim("newCustomClaim", "newValue"));
                return Task.FromResult<object>(null);
            }
        }
    });

(as per my experience). But if you want to, there is an option to configure the Provider in your "startup" file:

app.UseJwtBearerAuthentication(
    new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        AllowedAudiences = new[] { audience },
        IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
        {
            new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
        },
        // Custom provider that runs before the standard token validation.
        Provider = new CustomOAuthBearerProvider()
    });

"CustomOAuthBearerProvider" inherits the "IOAuthBearerAuthenticationProvider" interface, which has a predefined signature for the RequestToken() method, and this method is called before any validation of the token. So I think you can use it for your custom validation operations on the token and then send the token for OAuth validation.

vjcj