OAuth2 authorize endpoint request vaules

Dec 14, 2013 at 1:30 AM
Currently within OAuthAuthorizationServerHandler.InvokeAuthorizeEndpointAsync no opportunity is given to find from a different location or adjust the values in tokenEndpointRequest, such as grant type, before they are used. Therefore applications must adhere to the stipulated format. This seems at odds to how the rest of the project is written.

Is there value in providing the option to adjust the values of in tokenEndpointRequest prior to those values being used?
Dec 14, 2013 at 9:44 AM
Edited Dec 14, 2013 at 9:45 AM
I don't really see what you're trying to do, but one thing is sure: there's no tokenEndpointRequest in InvokeAuthorizeEndpointAsync because it is simply too early in the OAuth2 flow to talk about access tokens. Maybe you're talking about authorizeRequest and its response_type limited to code and token?

Tell us a bit more about what you're looking for ;)
Dec 15, 2013 at 8:22 AM
Apologies. I referenced the wrong method! :( I meant OAuthAuthorizationServerHandler.InvokeTokenEndpointAsync.

Consider a request to the token endpoint where instead of following the OAuth guidelines, all the relevant values included are including in the following JSON representation:
  "grant_type": "Password",
  "username": "...",
  "password": "...",
  "client_id": "...",
  "client_secret": "..."
Below is the relevant code from OAuthAuthorizationServerHandler.InvokeTokenEndpointAsync:
private async Task InvokeTokenEndpointAsync()

    IFormCollection form = await Request.ReadFormAsync();

    var clientContext = new OAuthValidateClientAuthenticationContext(

    await Options.Provider.ValidateClientAuthentication(clientContext);


    var tokenEndpointRequest = new TokenEndpointRequest(form);

    var validatingContext = new OAuthValidateTokenRequestContext(Context, Options, tokenEndpointRequest, clientContext);

    AuthenticationTicket ticket = null;
    if (tokenEndpointRequest.IsAuthorizationCodeGrantType)
    else if (tokenEndpointRequest.IsResourceOwnerPasswordCredentialsGrantType)
The line IFormCollection form = await Request.ReadFormAsync(); will fail to create the key value pairs required for the rest of the method as the data is not in the correct format. While you can extract client_id and client_secret within your implementation of the delegate for ValidateClientAuthentication, between the lines IFormCollection form = await Request.ReadFormAsync(); and if (tokenEndpointRequest.IsAuthorizationCodeGrantType) there is no opportunity to influence the value that IsAuthorizationCodeGrantType and IsResourceOwnerPasswordCredentialsGrantType are calculated from.

I found it odd that there are opportunities given to find, or adjust, values from requests in other circumstances, but not in this case.
Dec 18, 2013 at 5:25 PM
Interesting. I suppose you could put in a middleware the converts the request body from the JSON to a form.
Dec 19, 2013 at 6:41 PM
You could do that. But as far as I can remember, the OAuth2 spec explicitly requires that the payload be flown with "application/x-www-form-urlencoded".

You can of course develop your own "OAuth2 flavor" but I don't recommend it, as this is already hard enough to maintain the existing ones... and I don't see what could be the advantage to do that.
Dec 20, 2013 at 1:02 AM
PinpointTownes, indeed the OAuth2 spec requires just that. I found it odd that this wasn't coded as the default behavior, and that a opportunity to insert a shim to process the payload hasn't been provided. In my mind this would be more consistent with the "vibe" of the framework :)

I don't expect anybody here to fix my issue. I will simply have the client changed so isn't working against the server.