
OWIN / OAuth

Dec 9, 2016 at 9:12 PM
Edited Dec 9, 2016 at 9:15 PM

I'm double-checking my implementation of OAuth on an API and was hoping for some clarifications.

My controllers have the [Authorize] Decorator.

The Startup class has the following delegate(?) assigned to OAuthAuthorizationServerProvider.

    var oauthProvider = new OAuthAuthorizationServerProvider {
        OnGrantResourceOwnerCredentials = async context => {
            // lots of code to determine if isValid (and to set userName) - elided in the post
            if (isValid) {
                var claimsIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
                claimsIdentity.AddClaim(new Claim("user", userName));
                context.Validated(claimsIdentity); // this ticket is what gets serialized into the token
            } else {
                await Task.Delay(5000);
                context.Rejected();
            }
        },
        OnValidateClientAuthentication = async context => {
            string clientId;
            string clientSecret;
            if (context.TryGetBasicCredentials(out clientId, out clientSecret)) {
                if (clientId == "xyz" && clientSecret == "secretKey123") {
                    context.Validated();
                }
            }
        }
    };
    app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions {
        TokenEndpointPath = new PathString("/token"), Provider = oauthProvider }); // wires the provider above
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

I know OAuth returns a token which is used to access subsequent controllers. I have the authentication code as shown above. Where is the code that validates the token (I hope it's more than just the above)? I've been digging on GitHub and can't find it...

I'm trying to understand what would happen with OAuth if the identity provider and service provider aren't on the same machine. How could the service provider verify the token issued by the identity provider?

Jeff Brubaker
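The two questions in the post (where the token check lives, and how a second host could verify a token it did not issue) come down to the same object: the `AccessTokenFormat` that both OWIN middlewares share. The example below is added here and is not the poster's code nor Katana's source. It makes the default `TicketDataFormat` explicit so the dependency on the host's data-protection key is visible, and restates the check the bearer handler performs as a helper. Assumptions: `oauthProvider` is the provider from the post, held as a field of `Startup`; the purpose strings passed to `CreateDataProtector` are the ones the OAuth middlewares use for access tokens; `ValidateBearerToken` is an illustrative re-statement, not the library's own method.

```csharp
using System;
using System.Security.Claims;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    // The provider built in the original post; assumed to be assigned elsewhere in this class.
    private OAuthAuthorizationServerProvider oauthProvider;

    // Both middlewares get the same ticket format. Whoever can derive the same IDataProtector
    // can read (and, if the key leaks, forge) access tokens, so this is the cross-machine secret.
    // Under IIS the protector is backed by <machineKey>; self-host uses DPAPI, which is per-machine.
    public static ISecureDataFormat<AuthenticationTicket> CreateTokenFormat(IAppBuilder app)
    {
        IDataProtector protector = app.CreateDataProtector(
            typeof(OAuthAuthorizationServerMiddleware).Namespace, "Access_Token", "v1");
        return new TicketDataFormat(protector);
    }

    public void Configuration(IAppBuilder app)
    {
        var tokenFormat = CreateTokenFormat(app);

        // Identity-provider side: turns the ticket from context.Validated(...) into a token.
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
            AllowInsecureHttp = false,          // tokens are bearer credentials; keep them on TLS
            AccessTokenFormat = tokenFormat,
            Provider = oauthProvider,
        });

        // Service-provider side: this is the "code that validates the token". It runs on every
        // request, before [Authorize], and only needs the same key material behind tokenFormat.
        // On a separate machine, this block is all that is required.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            AccessTokenFormat = tokenFormat,
        });
    }

    // Illustrative re-statement of what the bearer handler does with "Authorization: Bearer <token>":
    // unprotect with the shared key, then reject anything expired. Returns null on failure.
    public static ClaimsIdentity ValidateBearerToken(
        ISecureDataFormat<AuthenticationTicket> format, string token)
    {
        AuthenticationTicket ticket;
        try
        {
            ticket = format.Unprotect(token);   // null or exception if tampered, or protected with another key
        }
        catch (Exception)
        {
            return null;
        }
        if (ticket == null || ticket.Identity == null) return null;

        DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value < DateTimeOffset.UtcNow) return null;

        return ticket.Identity;             // becomes request.User for the [Authorize] check
    }
}
```

The practical consequence for two hosts: with IIS hosting, both the issuing application and the resource application need identical `<machineKey validationKey="..." decryptionKey="..."/>` entries in web.config, otherwise `Unprotect` fails and every request gets 401. For self-hosting, DPAPI keys never match across machines, so either install a shared `IDataProtectionProvider` with `app.SetDataProtectionProvider(...)` on both sides or replace `AccessTokenFormat` with an `ISecureDataFormat<AuthenticationTicket>` that verifies a signature against a key the resource server already trusts. In either case the check the resource server performs is the one in `ValidateBearerToken`: key-bound unprotect plus expiry, nothing about the original username/password exchange is repeated.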