Dec 9, 2016 at 9:12 PM
Edited Dec 9, 2016 at 9:15 PM
I'm double-checking my implementation of OAuth on an API and was hoping for some clarifications.
My controllers have the [Authorize] decorator.
The Startup class has the following delegate?? assigned to OAuthAuthorizationServerProvider.
    var oauthProvider = new OAuthAuthorizationServerProvider
    {
        OnGrantResourceOwnerCredentials = async context =>
        {
            //lots of code to determine if isValid
            var claimsIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
            claimsIdentity.AddClaim(new Claim("user", userName));
            context.Validated(claimsIdentity); // accept the grant for this identity
        },
        OnValidateClientAuthentication = async context =>
        {
            string clientId, clientSecret;
            if (context.TryGetBasicCredentials(out clientId, out clientSecret))
                if (clientId == "xyz" && clientSecret == "secretKey123") context.Validated();
        }
    };
I know OAuth returns a token which is used to access subsequent controllers. I have the authentication code as shown above. Where is the code that validates the token (I hope it's more than just the above)? I've been digging on GitHub and can't find it...
I'm trying to understand what would happen with OAuth if the identity provider and service provider aren't on the same machine. How could the service provider verify the token issued by the identity provider?
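
An added example, not the poster's code and not taken from the Katana project: in OWIN/Katana the access token is checked by the bearer authentication middleware on the API side, which unprotects the ticket with the host's data protector before [Authorize] ever runs. The two class names, the /token path, the 30-minute lifetime and the "user" claim check are assumptions for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Identity provider: the only place where tokens are issued.
public class AuthServerStartup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),          // assumed path
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),  // assumed lifetime
            // The OnGrantResourceOwnerCredentials / OnValidateClientAuthentication
            // handlers from the post belong on this provider.
            Provider = new OAuthAuthorizationServerProvider()
        });
    }
}

// Service provider: the API with [Authorize] controllers, possibly on another machine.
public class ResourceServerStartup
{
    public void Configuration(IAppBuilder app)
    {
        // This middleware is the token validator. For each request it reads
        // "Authorization: Bearer <token>", unprotects the ticket, checks its
        // expiry and sets the request's user. [Authorize] only inspects that user.
        // The ticket is protected with the host's data protector (machineKey
        // under IIS), so both machines need the same key material, or the same
        // AccessTokenFormat configured on both sides.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider
            {
                // Optional extra check on top of the built-in validation:
                // reject tickets that lack the "user" claim added at issue time.
                OnValidateIdentity = context =>
                {
                    if (context.Ticket.Identity.FindFirst("user") == null)
                        context.Rejected();
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

A token that cannot be unprotected with the resource server's keys, or that has expired, yields no authenticated user, and [Authorize] then returns 401.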