OWIN.SECURITY.oAuth supported IDP's

Dec 23, 2013 at 12:57 PM
I want to build an application that is independent of Identity provider like ADFS, OPenAM, Oraclel identity etc. THis application should work for any IDP. The end purpose is to Build a SSO application to validate and authorize the user from any IDP. The protocol should be oAuth.

How can I achieve this using OWIN possible or not and how?

Please help me to move in the right direction

Many Thanks
Dec 30, 2013 at 4:12 PM
I don't think it's possible to accept every 3rd party login without configuring them individually. Many require you to register your application with them (e.g. Google, Twitter, Facebook, etc.). They also use different data formats.
Dec 30, 2013 at 5:39 PM
Edited Dec 30, 2013 at 5:41 PM
As of now, OWIN comes with a rather limited set of OAuth/OAuth2/OpenID authentication providers.

I don't know whether I'm allowed to give this link here as it refers to a commercial product, but Auth0 (co-founded by Eugenio Pace, well known in the WIF world) offers an OWIN middleware which allows you to configure every provider they support (Amazon, Facebook, GitHub, LinkedIn, LiveId Google, Twitter, Paypal, vKontakte and enterprise provides like SAML providers, ADFS, Google Apps, Windows Azure AD, etc.) :


Good luck ;)
Dec 31, 2013 at 7:08 AM
My prime objective is to use oAuth2.0 because oAuth will be the future. My prime objective is not to support Social web sites but only IDP's like ADFS 2012 R2, oracle, OPenAM for internal company based SSO and for partner companies. I understand we need to make changes for each one but does using Microsoft.Owin.Security.OAuth is enough to handle all these?
Dec 31, 2013 at 12:12 PM
If you're just looking for an OAuth2 client able to support any OAuth2 authorization server with no specific extra code, you'll probably be interested in a proposal of a generic OAuth2 client I've submitted recently: https://katanaproject.codeplex.com/discussions/471315

Please note that it's still under review and only aims at supporting OAuth2. Thus, you'll need to check which version of ADFS you use, as it only supports OAuth2 since its third version (coming with Windows Server 2012 R2).
Dec 31, 2013 at 1:25 PM

I have already setup ADFS 2012 R2 because it support oAuth2.0

I have following quires:
Most of my clients are desktop and few of them are web based should I use the architecture that is mentioned in the following URL. I.ee. MVC Web API and windows client?


You have any sample application if yes please share because the URL u mentioned for oAuth source code, I have not knowledge how to use it and which classes I should use?
Dec 31, 2013 at 2:16 PM
Edited Dec 31, 2013 at 2:20 PM
Have you set up your OAuth2 authorization server yet?

To use the new OAuthAuthenticationClientMiddleware to support delegated authentication in your authorization server, you'll have to download the mentioned fork, build it yourself, replace your Nuget references with the new DLLs and plug it into the OWIN pipeline in your startup class:
app.UseCookieAuthentication(new CookieAuthenticationOptions {
    AuthenticationMode = AuthenticationMode.Active,


app.UseOAuthAuthenticationClient(new OAuthAuthenticationClientOptions("ADFS") {
    AuthorizeEndpoint = "[YOUR-AUTHORIZE-ENDPOINT-URL]",
    TokenEndpoint = "[YOUR-TOKEN-ENDPOINT-URL]",
    CallbackPath = new PathString("/signin-adfs"),
    ClientId = "[YOUR-APP/CLIENT-ID]",
    ClientSecret = "[YOUR-APP/CLIENT-SECRET]"
Although the link you mentioned seems to be a good starting point, I'd suggest having a look at this great sample (and especially its Scenario 1 file) if you plan to target Windows Store apps: http://code.msdn.microsoft.com/windowsapps/Web-Authentication-d0485122
Jan 1, 2014 at 5:15 AM
Edited Jan 1, 2014 at 5:23 AM
Yes ADFS 2012 R2 is setup and relying party is configured to use oAuth 2.0 and I think ADFS itself is an authorization server. Am I right?

I have no plan to target the windows store apps. All my clients are mixture of oAuth

Do I need to follow the architecture where I have to inject the above code in a MVC Web API? Or in any client that is not web based?

This API support 3-legged oAuth flow? What if I also need 2-legged oAuth flow where I have already authenticated the user and now I want to use the same user in other application but I don't want that login box appear again?

Another point that I messed up after reading oAuth RFC 6749,6750.

What is resource owner, resource server, client, Authorization server etc. please can u give me an example to explain what is all that bits :(
Jan 1, 2014 at 11:22 AM
Please, try to post a little drawing of what you're trying to achieve, it will help use to understand what you want exactly ;)
Jan 1, 2014 at 2:32 PM
In simple My only requirements are to implement SSO in my application:
  1. Use ADFS 2012 R2 for SSO.
  2. User will get token using oAUth 2.0 VIA ADFS Server using login prompt for credential or what ever authentication scheme is configured on ADFS form based or windows based.
  3. If same user that is authenticated using oAuth for one application if second application want to use the same user then the login box that ADFS presented using oAUth2.0 should not appear.
Now, please help me how OWIN.SECURITY.OAuth or any other oAuth will help me and what is the best way to us that API's in desktop and web clients

regards, IK
Jan 1, 2014 at 3:30 PM
To use ADFS as your "main" authorization server and set up your OWIN-enabled APIs and your OAuth2 clients to use it, please take a look at this great blog post from Vittorio Bertocci: http://www.cloudidentity.com/blog/2013/10/25/securing-a-web-api-with-adfs-on-ws2012-r2-got-even-easier/

That said, what you describe now seems to differ from what you were initially planning... don't want to support OpenAM or Oracle anymore?
You should really make a little drawing... because this "little detail" may change everything :)
Jan 2, 2014 at 4:47 AM

The supporting of Open-AM and Oracle identity will come latter because that will be used by the partner company our company clients will be validated either by our company ADFS or partner company based on the configuration. Now to avoid the complexity I just want to first planned to used only company based SSO (ADFS), with the passage of time things will be evolved and also I will have grip on the one of the IDP then things will becomes easier to design the overall architecture.

I will post the diagram later, still things are littler cloudy.

The link u have mentioned only support point 1 and 2. For third point when I open second instance of client and click the button it asked me the user name and password dialog, I want this dialog should not appear because I have access token for the same user when I open it first time. This flow might be 2-legged oAuth 2.0 Resource owner credential flow, how can I achieve this?