OAuthAuthorizationServerMiddleware's access token creation and OAuthBearerAuthenticationMiddleware

Jul 24, 2013 at 10:54 AM
Edited Jul 24, 2013 at 11:02 AM

I created a very simple OAuth authorization server based on the sample that I have found on Katana.Sandbox.WebServer project and I was able to issue an access token using the default AccessTokenProvider for OAuthAuthorizationServerMiddleware. Here is the sample: https://github.com/tugberkugurlu/OwinSamples/tree/82faff6e0994e2d9a7c50ad733b2d5387b764683

On my resource server application, I was able to deserialize the access token and OAuthBearerAuthenticationMiddleware gets the ClaimsPrincipal based on that token (again, I'm using the default AccessTokenProvider here, too).

I have a few questions here:
  • How does this happen? If this token can be created in any server and deserialized into ClaimsPricipal in any other server, I guess the client can craft a fake access token and it'll be valid. Is this true? If this's true, can we say that anyone can read the access token information and it should be kept securely?
  • If the above statement is wrong, how does this work in a web farm scenario?
  • When the client makes a request to the resource server with a bearer token, should the resource server just deserialize the token into a ClaimsPrincipal or should it go to the authorization server with the access token and make an additional check on the validity of the token?
I would appreciate if you guys can guide me through here.