self hosted app

Dec 10, 2013 at 1:00 PM

I have a self-hosting console application to generate bearer tokens. This works great, but I cannot use these tokens in a Web API to protect any resources, because the tokens cannot be decrypted. I have read that IIS-hosted apps (my Web API) use machineKey data protection (machineKey in web.config) and self-hosted apps use DPAPI data protection. My question is: is it possible to use machineKey data protection (machineKey in app.config) instead of DPAPI in a self-hosted app?
Dec 10, 2013 at 10:51 PM
I'm pretty sure machine key is an IIS/ASP.NET feature that cannot be used outside of IIS.
Dec 13, 2013 at 10:58 AM
Edited Dec 13, 2013 at 12:40 PM
Correct me if I'm wrong, but I think I've understood what you're trying to achieve: I don't know whether you use OAuth2 or not, but you would like to use your tokens to transmit user info from your authorization server to your client. If yes, you may consider these two different approaches:

Approach 1: create a "user info" endpoint in your Web API that is configured to use OAuthBearerAuthenticationMiddleware and return appropriate claims by extracting them from the ambient security principal (via IAuthenticationManager.AuthenticateAsync/IAuthenticationManager.User in a pure Katana app or via User.Identity + HostAuthentication in an ASP.NET Web API/OWIN scenario... or with AuthenticationMode.Active), exactly like the vast majority of OAuth2-protected apps.
For this, you should take a look at Katana.Sandbox.WebServer and GoogleOAuth2AuthenticationHandler.AuthenticateCoreAsync to see how a ClaimsIdentity is emitted and reconstructed from a user info endpoint call.

Approach 2: although not supported at this moment, you could tweak JwtFormat to be used as an "access_token" serializer in OAuthAuthorizationServerOptions.AccessTokenFormat, so you don't need to provide a user info endpoint and thus can avoid an extra round-trip. Indeed, JWT access tokens can be easily deserialized in your client app, either by using the JWT library or by using a standard JSON deserializer. But pay attention to control the set of claims you return in your access_token endpoint, because they won't be encrypted like in TicketDataFormat. I'm currently advocating to support this approach there:

Good luck.
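The following is an added illustration of Approach 2, not code from this thread or from the Katana project. It implements the ISecureDataFormat&lt;AuthenticationTicket&gt; contract that OAuthAuthorizationServerOptions.AccessTokenFormat expects, issuing an HMAC-signed JWT instead of the DPAPI/machineKey-protected ticket. Because a signed JWT is readable by anyone holding it, Protect copies only an allow-listed subset of the identity's claims, which is the caveat raised in the reply above. The class name, the key handling and the allow-list are my own assumptions; the JwtSecurityTokenHandler, TokenValidationParameters and InMemorySymmetricSecurityKey calls are assumed to be the System.IdentityModel.Tokens.Jwt 4.x API for the .NET Framework.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// Hypothetical access token serializer for OAuthAuthorizationServerOptions.AccessTokenFormat.
// It produces HMAC-signed (NOT encrypted) JWTs, so only claims that are safe to expose
// to the client are copied into the token.
public class SignedJwtAccessTokenFormat : ISecureDataFormat<AuthenticationTicket>
{
    private readonly string _issuer;
    private readonly string _audience;
    // Shared secret: the same bytes must be configured on the self-hosted authorization
    // server and on the IIS-hosted resource server, independent of DPAPI or machineKey.
    private readonly InMemorySymmetricSecurityKey _key;
    private readonly JwtSecurityTokenHandler _handler = new JwtSecurityTokenHandler();

    // Allow-list of claim types that may appear in a token the client can decode.
    private static readonly HashSet<string> PublicClaimTypes = new HashSet<string>
    {
        ClaimTypes.NameIdentifier, ClaimTypes.Name, ClaimTypes.Role
    };

    public SignedJwtAccessTokenFormat(string issuer, string audience, byte[] signingKey)
    {
        if (signingKey == null || signingKey.Length < 32)
            throw new ArgumentException("HS256 needs a key of at least 256 bits", "signingKey");
        _issuer = issuer;
        _audience = audience;
        _key = new InMemorySymmetricSecurityKey(signingKey);
    }

    public string Protect(AuthenticationTicket data)
    {
        if (data == null) throw new ArgumentNullException("data");

        // Drop everything that is not on the allow-list (e.g. internal or sensitive claims).
        var publicClaims = data.Identity.Claims
            .Where(c => PublicClaimTypes.Contains(c.Type))
            .ToList();
        var subject = new ClaimsIdentity(publicClaims, data.Identity.AuthenticationType);

        var issued = data.Properties.IssuedUtc ?? DateTimeOffset.UtcNow;
        var expires = data.Properties.ExpiresUtc ?? issued.AddMinutes(20);

        var credentials = new SigningCredentials(_key,
            SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);

        JwtSecurityToken token = _handler.CreateToken(
            issuer: _issuer, audience: _audience, subject: subject,
            notBefore: issued.UtcDateTime, expires: expires.UtcDateTime,
            signingCredentials: credentials);

        return _handler.WriteToken(token);
    }

    public AuthenticationTicket Unprotect(string protectedText)
    {
        if (string.IsNullOrEmpty(protectedText)) return null;

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = _issuer,
            ValidAudience = _audience,
            IssuerSigningKey = _key,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };

        SecurityToken validated;
        ClaimsPrincipal principal;
        try
        {
            principal = _handler.ValidateToken(protectedText, parameters, out validated);
        }
        catch (SecurityTokenException)
        {
            // Bad signature, wrong issuer/audience or expired token: the bearer
            // middleware treats a null ticket as an unauthenticated request.
            return null;
        }

        var jwt = (JwtSecurityToken)validated;
        var identity = new ClaimsIdentity(principal.Claims, OAuthDefaults.AuthenticationType);
        var properties = new AuthenticationProperties
        {
            IssuedUtc = jwt.ValidFrom,
            ExpiresUtc = jwt.ValidTo,
        };
        return new AuthenticationTicket(identity, properties);
    }
}
```

Assign one instance to `OAuthAuthorizationServerOptions.AccessTokenFormat` in the self-hosted token issuer and another, built with the same issuer, audience and key bytes, to `OAuthBearerAuthenticationOptions.AccessTokenFormat` in the IIS-hosted Web API. Since the token's integrity rests on the shared HMAC key rather than on the host's data protection provider, the DPAPI-versus-machineKey mismatch from the original question no longer matters; the key must be provisioned to both hosts through configuration, never embedded in the token.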