UserId and Authorization Code Grant

Dec 9, 2013 at 7:54 PM
Hi,

I've played around with the OAuthAuthorizationServerMiddleware and tried to implement an Auth-Server for an Authorization-Code-Grant-Scenario. That works quite well, but I noticed the following:

If you don't fetch the clientId with TryGetFormCredentials then you have to do BOTH:
  • Include the user_id as post-parameter AND
  • Pass the same user_id to context.Validated
Now, I'm wondering whether this is by design, cause I think one of those two steps should be enough.

Wishes,
Manfred
Jan 6, 2014 at 12:20 AM
... let me put it another way: You have to pass the user_id to context.Validated if you don't fetch it with TryGetFormCredentials or with TryGetBasicCredentials. For me, it is not logical that calling a method named TryGet... leads to the fact that I do not have to pass the fetched parameter to Validated ...

What do you think?

Wishes,
Manfred
Coordinator
Jan 9, 2014 at 9:44 PM
The OAuthValidateClientAuthenticationContext methods Validated, TryGetBasicCredentials, and TryGetFormCredentials all set the ClientId property that's used through the rest of the flow.

Are you saying that TryGetBasicCredentials and TryGetFormCredentials should not set ClientId? That you should always be required to set ClientId via Validated?

The samples where I see this used look like:
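    string clientId;
    string clientSecret;
    // Both TryGet... methods also set context.ClientId when they succeed.
    if (context.TryGetBasicCredentials(out clientId, out clientSecret) ||
        context.TryGetFormCredentials(out clientId, out clientSecret))
    {
        if (clientId == "123456" && clientSecret == "abcdef")
        {
            // ClientId is already set, so no argument is needed.
            context.Validated();
        }
        // context.ClientId holds the same value as the local clientId here.
        else if (context.ClientId == "7890ab" && clientSecret == "7890ab")
        {
            context.Validated();
        }
    }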
I don't think the ClientId property gets used unless you validate the context, so it doesn't really matter if TryGetFormCredentials sets it or not. You could always call Validated(id) to specify it.
Jan 10, 2014 at 9:27 AM
Hi Tratcher,

thx for this reply. At the first time, this confused me, cause I didn't think about the possibility that this TryGet-Method could have side-effects. But now, as I know it, it doesn't matter that much ...

Wishes,
Manfred
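
The two paths discussed in this thread, side by side, as an added example that is not part of the original posts or the project's samples: credentials fetched through TryGetBasicCredentials followed by the parameterless Validated(), and parameters read directly followed by Validated(clientId). The class name, client id and secret are constructed sample values, and the secret comparison without early exit is an addition of this example.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Added example. Class name, client id and secret are constructed sample values.
public class SampleProvider : OAuthAuthorizationServerProvider
{
    private static readonly Dictionary<string, string> Clients =
        new Dictionary<string, string> { { "sample-client", "sample-secret" } };

    public override Task ValidateClientAuthentication(
        OAuthValidateClientAuthenticationContext context)
    {
        string clientId;
        string clientSecret;
        if (context.TryGetBasicCredentials(out clientId, out clientSecret))
        {
            // Side effect discussed in the thread: the TryGet call has already
            // set context.ClientId, so the parameterless Validated() suffices.
            if (SecretMatches(clientId, clientSecret))
                context.Validated();
        }
        else
        {
            // Parameters read directly: nothing has set context.ClientId on
            // this path, so the id is passed to Validated explicitly.
            clientId = context.Parameters.Get("client_id");
            clientSecret = context.Parameters.Get("client_secret");
            if (SecretMatches(clientId, clientSecret))
                context.Validated(clientId);
        }
        if (!context.IsValidated)
            context.SetError("invalid_client", "Client authentication failed.");
        return Task.FromResult<object>(null);
    }

    // Looks up the expected secret and compares it without an early exit.
    private static bool SecretMatches(string clientId, string clientSecret)
    {
        string expected;
        if (clientId == null || clientSecret == null ||
            !Clients.TryGetValue(clientId, out expected))
            return false;
        int diff = expected.Length ^ clientSecret.Length;
        for (int i = 0; i < expected.Length && i < clientSecret.Length; i++)
            diff |= expected[i] ^ clientSecret[i];
        return diff == 0;
    }
}
```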