Apr 02, 2014 03:10 AM | GAllwood
I have written a Web API that uses the resource owner model and OAuth for authentication, but now I find myself wanting to extend this slightly and am not sure how.
Currently, using the standard resource owner model, when something asks for a token from my service I simply do a username and password lookup. If all is good then I add a few claims to the identity and issue a token to the caller. The client then stores the token and uses it in the authentication header whenever it makes a call to my server.
Now the extension. My authentication is just that, a check of identity. There is one more piece of information I need when requests are made to the API; this additional data could be something like a Location Id (not geo-location!!). I would rather not add a locationId parameter to all my Web APIs. It would be nice if it could be part of the security information that is sent along with the token.
Is it possible to modify the OAuth token once it has been issued? Or is it, indeed, better practice to actually pass this LocationId in to each API call?
The model I was hoping for was that a user authenticates first, then chooses the location they are going to access. From that point on the API is pretty simple. The alternative is that the logon process includes the location, but I would rather not do that as I want to restrict the locations available to some users based on their identity.
Hope this makes sense.
Apr 02, 2014 09:54 AM | BrockAllen
In your OAuth2 authorization server you put claims into the token. These claims can be anything you want. This can include this location ID you're talking about.
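The claim-at-issuance approach Brock describes, as an added example for an OWIN/Katana authorization server (illustrative code, not from the thread or from any project; the `location_id` form field, the user table, and the password check are assumptions and stubs). It also enforces the poster's requirement that a user can only select a location their identity is entitled to, and accepts public clients in `ValidateClientAuthentication` because the middleware otherwise rejects the request.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Illustrative provider, not from the thread. The user store and location table are stubs.
public class LocationAwareOAuthProvider : OAuthAuthorizationServerProvider
{
    // Constructed sample data: which location IDs each user may access.
    private static readonly Dictionary<string, string[]> PermittedLocations =
        new Dictionary<string, string[]> { { "alice", new[] { "17", "42" } }, { "bob", new[] { "42" } } };
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // 1. Authenticate. CheckPassword is a stub standing in for a real password-hash verification.
        if (!CheckPassword(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        // 2. Authorize the location. The client posts it as an extra form field named location_id
        //    next to grant_type/username/password (the field name is our assumption).
        var form = await context.Request.ReadFormAsync();
        var requestedLocation = form.Get("location_id");
        string[] allowed;
        if (string.IsNullOrEmpty(requestedLocation)
            || !PermittedLocations.TryGetValue(context.UserName, out allowed)
            || !allowed.Contains(requestedLocation))
        {
            context.SetError("invalid_grant", "That location is not available to this user.");
            return;
        }
        // 3. Issue the token with the location as a claim. The ticket is protected by the middleware,
        //    so the client cannot edit the claim afterwards; switching location means a new token request.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim("location_id", requestedLocation));
        context.Validated(identity);
    }

    private static bool CheckPassword(string userName, string password)
    {
        return PermittedLocations.ContainsKey(userName) && password == "P@ssw0rd!"; // stub only
    }
}
```

On the API side the value is then available on every request as `ClaimsPrincipal.Current.FindFirst("location_id")`, without any controller taking a locationId parameter.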
Apr 02, 2014 12:21 PM | GAllwood
Thanks for the reply Brock.
Doing this though does imply passing the LocationID along with the username and password, as part of the token request.
What I really want is the authentication to happen first, then to allow the client to set the locationId at some later stage. What would be really nice is to add it to the claim after the token has been issued so that it is always available when an API method is called, via the thread identity.
Apr 02, 2014 12:24 PM | BrockAllen
Oh I see -- as part of the uid/pwd you want the user to give more data? Resource owner password flow doesn't allow for this. You might consider implicit flow where a browser will be involved and then the user can interact with a web page to provide that
Apr 02, 2014 02:44 PM | GAllwood
Hmm, implicit flow, eh? I'm not familiar with this method; would this basically mean passing the location ID in to the methods that need it?
I might have to reconsider and just pass it along with uid/pwd.