The asp.net-web-api-oauth-2.0-token-based-authentication from goldenqubicle

ASP.NET WEB API OAuth 2.0 Token Based Authentication

What is token:

Access token is piece of data which is created by server, and used to identify the certain user of given application, and it is used to access particular resource on the server.

Bearer Token Type:

The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes). The client MUST NOT use an access token if it does not understand the token type. In this example we are using token of type "Bearer" A certain type of token, with the property that anyone can use the token, and it is commonly used. Bearer can be simply understood as "give access to the Bearer of this token." It is recommended to use Bearer token over https, with short expiration time.

Why token based authentication instead of cookie based:

Cookies:

Sent with every request
Usually supported in browsers
Difficult to use cross domain
Prone to CSRF

Token:

Can be used by hetrogneous clients (browsers, native mobile app etc.)
Work cross domain
Scalable (no overhead in using web farm when new server is added)
Offer more control
Loosly Coupled

Demo Application (Server Side/Back End):

Open VS 2017
File -> Project -> Web -> ASP.NET Web Application

Authorization Server Configuration:

App_Start-> startup.cs partial class has the configration code as following:

PublicClientId = "self";
OAuthOptions = new OAuthAuthorizationServerOptions
{
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId),
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
    // Note: Remove the following line before you deploy to production:
    AllowInsecureHttp = true
}

// Enable the application to use bearer tokens to authenticate users
app.UseOAuthBearerTokens(OAuthOptions);

The TokenEndpointPath property is the URL path to the authorization server endpoint. That's the URL that app uses to get the bearer tokens.

The Provider property specifies a provider that plugs into the OWIN middleware, and processes events raised by the middleware.

Here is the basic flow when the app wants to get a token:

To get an access token, the app sends a request to ~/Token.
The OAuth middleware calls GrantResourceOwnerCredentials on the provider.
The provider calls the ApplicationUserManager to validate the credentials and create a claims identity.
If that succeeds, the provider creates an authentication ticket, which is used to generate the token.

The OAuth middleware doesn't know anything about the user accounts. The provider communicates between the middleware and ASP.NET Identity. For more information about implementing the authorization server.

Configuring Web API to use Bearer Tokens:

In the WebApiConfig.Register method, the following code sets up authentication for the Web API pipeline:

config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

The HostAuthenticationFilter class enables authentication using bearer tokens. The SuppressDefaultHostAuthentication method tells Web API to ignore any authentication that happens before the request reaches the Web API pipeline, either by IIS or by OWIN middleware. That way, we can restrict Web API to authenticate only using bearer tokens.

When the client requests a protected resource, here is what happens in the Web API pipeline:

The HostAuthentication filter calls the OAuth middleware to validate the token.
The middleware converts the token into a claims identity.
At this point, the request is authenticated but not authorized.
The authorization filter examines the claims identity. If the claims authorize the user for that resource, the request is authorized. By default, the [Authorize] attribute will authorize any request that is authenticated. However, you can authorize by role or by other claims. For more information, see Authentication and Authorization in Web API.
If the previous steps are successful, the controller returns the protected resource. Otherwise, the client receives a 401 (Unauthorized) error.