Sample for OAuthAuthorizationServerMiddleware

Jul 21, 2013 at 6:28 PM
Edited Jul 22, 2013 at 1:29 PM
Hi,

Is there a sample for OAuthAuthorizationServerMiddleware that shows how to set up an OAuth authorization server?
Coordinator
Jul 21, 2013 at 6:31 PM
Jul 21, 2013 at 6:46 PM
Just after I asked this, I made a search for UseOAuthAuthorizationServer inside the Katana solution and guess what I found :)

Thanks, playing with it now.
Jul 22, 2013 at 1:05 PM
Edited Jul 22, 2013 at 1:28 PM
Hi Chris,

Had a look at the sample and, based on that, I got mine up and running: https://github.com/tugberkugurlu/OwinSamples/tree/master/OwinOAuthSample

I have a couple of questions if you don't mind:
  • OnLookupClient is probably the place where we need to go to our data store and check for the client's existence, right? In there, you guys hardcoded the redirect URL in the sample. What should be the value that we need to put there? Something that we need to get from the user in the registration phase?
  • OnGrantResourceOwnerCredentials is probably the place where we construct the ClaimsPrincipal. The context.Scope property gives us the requested scopes, but should we validate those scopes against our registered user's scopes? Or should we do that somewhere else, like OnValidateTokenRequest?
  • I also used the OAuthBearerAuthentication middleware, and this authenticates my request automatically when the access token is sent properly. I am assuming that the server knew how to deserialize the access token. How does this work? How did it know how to deserialize the ticket? What happens when I move my application to a web farm? Is it going to be affected there? I mean, if one server serializes the ticket, can another server deserialize it? If so, doesn't that mean everybody can craft a ticket and trick the OAuthBearerAuthentication middleware? I had a look, but its code is a bit hard for me to understand quickly.
  • If I grant access to an application and that application can authenticate through the access token I gave it, how can I revoke this token? I understand that this is more of an implementation detail for the application, but which places should we override to implement this?
Thanks in advance!
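The questions above (client lookup, scope validation, token protection across a farm, and revocation) map onto a handful of provider callbacks. The following is an added illustration, not code from the thread or from the Katana project, written against the released Microsoft.Owin.Security.OAuth API; it assumes the Katana 2.0 callback names (OnValidateClientAuthentication, OnGrantResourceOwnerCredentials, OnValidateIdentity), which differ from the pre-release OnLookupClient/OnValidateTokenRequest names used in the thread. The in-memory client, user and revoked-token tables are constructed placeholders standing in for a real data store.

```csharp
// Added example (not the thread's or the Katana project's code). Assumes the
// Katana 2.0 Microsoft.Owin.Security.OAuth provider API; stores are constructed.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    // Constructed placeholder stores. A real server keeps client secrets and
    // passwords as salted hashes and persists revocations durably.
    static readonly Dictionary<string, string> Clients = new Dictionary<string, string>
        { { "demo-client", "demo-secret" } };
    static readonly Dictionary<string, string> Users = new Dictionary<string, string>
        { { "alice", "correct horse battery staple" } };
    static readonly Dictionary<string, string[]> ScopesByUser = new Dictionary<string, string[]>
        { { "alice", new[] { "read", "write" } } };
    static readonly ConcurrentDictionary<string, byte> RevokedTokenIds = new ConcurrentDictionary<string, byte>();

    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            AllowInsecureHttp = false, // bearer tokens must only travel over TLS
            Provider = new OAuthAuthorizationServerProvider
            {
                OnValidateClientAuthentication = ValidateClient,
                OnGrantResourceOwnerCredentials = GrantResourceOwnerCredentials
            }
        });

        // The bearer middleware unprotects tokens with the same IDataProtector the
        // server used to issue them; OnValidateIdentity is the hook for revocation.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider { OnValidateIdentity = RejectRevokedTokens }
        });
    }

    // Client lookup: this is where the registration store is consulted.
    static Task ValidateClient(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret, stored;
        if ((context.TryGetBasicCredentials(out clientId, out clientSecret) ||
             context.TryGetFormCredentials(out clientId, out clientSecret)) &&
            Clients.TryGetValue(clientId, out stored) && stored == clientSecret)
        {
            context.Validated(clientId);
        }
        else
        {
            context.SetError("invalid_client", "unknown client or bad secret");
        }
        return Task.FromResult<object>(null);
    }

    // Resource owner password grant: authenticate the user, check the requested
    // scopes against what that user is allowed, then build the ClaimsIdentity.
    static Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        string storedPassword;
        if (!Users.TryGetValue(context.UserName, out storedPassword) || storedPassword != context.Password)
        {
            context.SetError("invalid_grant", "bad user name or password");
            return Task.FromResult<object>(null);
        }

        var requested = context.Scope ?? new List<string>();
        var allowed = ScopesByUser.ContainsKey(context.UserName) ? ScopesByUser[context.UserName] : new string[0];
        if (requested.Except(allowed).Any())
        {
            context.SetError("invalid_scope", "requested scope not granted to this user");
            return Task.FromResult<object>(null);
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        // A per-token id gives revocation something to key on; without it the
        // self-contained token is valid until it expires.
        identity.AddClaim(new Claim("jti", Guid.NewGuid().ToString("N")));
        foreach (var scope in requested)
            identity.AddClaim(new Claim("urn:oauth:scope", scope));
        context.Validated(identity);
        return Task.FromResult<object>(null);
    }

    // Revocation: called after the bearer token has been unprotected successfully.
    static Task RejectRevokedTokens(OAuthValidateIdentityContext context)
    {
        var jti = context.Ticket.Identity.FindFirst("jti");
        if (jti == null || RevokedTokenIds.ContainsKey(jti.Value))
            context.Rejected();
        return Task.FromResult<object>(null);
    }

    // Called by whatever endpoint lets a user or admin revoke a grant.
    public static void Revoke(string tokenId) { RevokedTokenIds[tokenId] = 0; }
}
```

On the web-farm question: the token is not plain serialization but the AuthenticationTicket passed through an IDataProtector (encrypt plus MAC), so only a host holding the same key can produce or accept one. Under IIS that key is the ASP.NET machineKey, which every node of a farm must share in web.config; a self-hosted process defaults to per-machine DPAPI and so cannot exchange tokens with another box unless a shared protector is configured. Scope validation sits in the grant callback above because that is where the authenticated user is known; the client's redirect URI, where used, belongs in the separate client-redirect validation callback and should be the value captured at client registration rather than a constant.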