OWIN / OAuth

Dec 9, 2016 at 10:12 PM
Edited Dec 9, 2016 at 10:15 PM
Hi,

I'm double-checking my implementation of OAuth on an API and was hoping for some clarifications.

My controllers have the [Authorize] decorator.

The Startup class has the following delegate?? assigned to OAuthAuthorizationServerProvider.

```csharp
var oauthProvider = new OAuthAuthorizationServerProvider
{
    // Token endpoint, password grant: check the user's credentials.
    OnGrantResourceOwnerCredentials = async context =>
    {
        //lots of code to determine if isValid
        if (isValid)
        {
            var claimsIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
            claimsIdentity.AddClaim(new Claim("user", userName));
            context.Validated(claimsIdentity);
            return;
        }
        else
        {
            await Task.Delay(5000);
            context.Rejected();
        }
    },
    // Token endpoint: check the calling client's Basic credentials.
    OnValidateClientAuthentication = async context =>
    {
        string clientId;
        string clientSecret;
        if (context.TryGetBasicCredentials(out clientId, out clientSecret))
        {
            if (clientId == "xyz" && clientSecret == "secretKey123")
            {
                context.Validated();
            }
        }
    }
};
// ....
app.UseOAuthAuthorizationServer(oauthOptions);
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
```

I know OAuth returns a token which is used to access subsequent controllers. I have the authentication code as shown above. Where is the code that validates the token (I hope it's more than just the above)? I've been digging on GitHub and can't find it...

I'm trying to understand what would happen with OAuth if the identity provider and service provider aren't on the same machine. How could the service provider verify the token issued by the identity provider?

Thanks,
Jeff Brubaker
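
The two-host setup asked about above, as an added example that is not part of the original post and not the Katana project's own code: both hosts build the same access-token format, so the bearer middleware on the service provider can unprotect and check the ticket that the identity provider issued. It assumes both hosts share data-protection key material (for example the same `<machineKey>` when hosted under IIS); the class names `TokenFormat`, `AuthServerStartup` and `ApiStartup` and the purpose strings are hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical helper. The purpose strings are constructed for this example
// and must be identical on both hosts, as must the underlying key material.
public static class TokenFormat
{
    public static ISecureDataFormat<AuthenticationTicket> Create(IAppBuilder app)
    {
        return new TicketDataFormat(app.CreateDataProtector("Example.OAuth", "Access_Token", "v1"));
    }
}

// Host 1 (identity provider): issues the protected ticket as the access token.
public class AuthServerStartup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AccessTokenFormat = TokenFormat.Create(app),
            Provider = new OAuthAuthorizationServerProvider() // attach the post's two handlers here
        });
    }
}

// Host 2 (service provider): unprotects the ticket on every request and
// rejects it unless it carries the "user" claim added when it was issued.
public class ApiStartup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            AccessTokenFormat = TokenFormat.Create(app),
            Provider = new OAuthBearerAuthenticationProvider
            {
                OnValidateIdentity = context =>
                {
                    bool hasUser = context.Ticket.Identity.HasClaim(c => c.Type == "user");
                    if (hasUser) context.Validated(); else context.Rejected();
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```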