Last post Oct 22, 2015 05:28 AM by Weibo Zhang
Oct 20, 2015 09:55 PM | Oleg Gochachko
I have implemented a WebApi site with OAuth authorization and authentication inside:

```csharp
using System;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;

OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
    AllowInsecureHttp = true,
    TokenEndpointPath = new PathString("/token"),
    AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(1),
    Provider = _unityConfiguration.Resolve<SimpleAuthorizationServerProvider>(),
    RefreshTokenProvider = _unityConfiguration.Resolve<SimpleRefreshTokenProvider>(),
    ApplicationCanDisplayErrors = true
};
// Token Generation
```
Let's say this WebApi is located at http://mywebapi.com/
So now I may develop or allow any number of WebUI sites to access this WebApi by requesting http://mywebapi.com/token with their unique client_id and client_secret, using user/password or refresh_token information.
There is also a WebApi method like http://mywebapi.com/api/account/activeUser which returns all needed information about the active user.
Based on this information, websites / desktop clients / whatever may convert it to a ClaimsIdentity object.
MY CURRENT ACTIONS:
On the WebUI site I have:

```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions {
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
});
```
The site does not have access to the database. All actions are done through WebApi. All registered users, roles, allowed actions and claims should be / will be given by WebApi also.
For sure I may develop (and am already developing) logic on one of such sites which will call http://mywebapi.com/token on login using HttpClient, which will call refresh token on a received 401 error (ActionFilterAttribute) or redirect to the account/login page to enter user credentials again if the refresh token method returns a 400 error.
But this is my own implementation and I have to think about other business cases like registering a user, cookie expiration and so on.
Is there a simpler standard way to automatically call http://mywebapi.com/token whenever it is needed (login, refresh token), expire the website cookie when the bearer access token / refresh token has expired, and so on?
If possible please provide code pieces :) Thanks.
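One way to implement the login / refresh / re-login flow described in this post, as an added example that is not the poster's code. It assumes the /token endpoint returns JSON with access_token and refresh_token (as the OWIN OAuth server does), uses Newtonsoft.Json for parsing, and uses placeholder client credentials.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Hypothetical client helper: password grant on login, refresh_token grant on 401,
// and a "login required" signal when the refresh itself is rejected (e.g. with 400).
public class ApiTokenClient
{
    private readonly HttpClient _http = new HttpClient { BaseAddress = new Uri("http://mywebapi.com/") };
    private const string ClientId = "CLIENT_ID_PLACEHOLDER";         // placeholder, not a real value
    private const string ClientSecret = "CLIENT_SECRET_PLACEHOLDER"; // placeholder, not a real value
    private string _accessToken, _refreshToken;

    public Task<bool> LoginAsync(string user, string password) =>
        RequestTokenAsync(new Dictionary<string, string> {
            { "grant_type", "password" }, { "username", user }, { "password", password } });

    public Task<bool> RefreshAsync() =>
        RequestTokenAsync(new Dictionary<string, string> {
            { "grant_type", "refresh_token" }, { "refresh_token", _refreshToken } });

    // POSTs to /token; false means the server rejected the grant (e.g. 400 for an expired refresh token).
    private async Task<bool> RequestTokenAsync(Dictionary<string, string> form)
    {
        form["client_id"] = ClientId;
        form["client_secret"] = ClientSecret;
        var response = await _http.PostAsync("token", new FormUrlEncodedContent(form));
        if (!response.IsSuccessStatusCode) return false;
        var json = JObject.Parse(await response.Content.ReadAsStringAsync());
        _accessToken = (string)json["access_token"];
        _refreshToken = (string)json["refresh_token"];
        return true;
    }

    // Calls the API with the bearer token; on 401 refreshes once and retries.
    // Returns null when the refresh fails, i.e. the web app should send the user to /Account/Login.
    public async Task<HttpResponseMessage> GetAsync(string path)
    {
        var response = await SendWithBearerAsync(path);
        if (response.StatusCode != HttpStatusCode.Unauthorized) return response;
        if (!await RefreshAsync()) return null;
        return await SendWithBearerAsync(path);
    }

    private Task<HttpResponseMessage> SendWithBearerAsync(string path)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, path);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _accessToken);
        return _http.SendAsync(request);
    }
}
```

With AccessTokenExpireTimeSpan set to one minute as in the configuration above, the 401 branch is exercised quickly, which makes it easy to confirm that the refresh path and the final redirect-to-login path both behave as intended.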
Oct 21, 2015 08:26 PM | Oleg Gochachko
Guys, I don't understand: is this requirement so fantastic? :)
Maybe there is another approach?
The simplified task is:
1. There is a WebApi. It contains all business logic and information about the users.
2. There is a Web Application. It uses WebApi to execute business logic and get information about the user.
3. Users have rights, for example "access_admin_page". If the user does not have such a right, the WebApi returns a 403 error. At the same time the Web Application knows that the user does not have such a right and does not show the "Admin" link to the user.
4. When a user logs in on the Web application, it authorizes on the WebApi, which returns an AccessToken and RefreshToken, and updates information about the user (User.Identity). If the access token has expired, the Web App refreshes the AccessToken using the RefreshToken and updates the user information.
If the RefreshToken has expired, it redirects to the Login page.
That is it. But this is so complex to perform with these "middlewares" that even MVPs on this site have no idea how to do this, because there have been ZERO answers in one day :)
Oct 22, 2015 05:28 AM | Weibo Zhang
Hi Oleg Gochachko,
I think you'd better not use the Web API to execute all the authentication validation business logic. The better way is to let the Web API pass special information to indicate the current user's roles or a role tag. Then you could get the value in the client applications and build and check the permissions in the respective application. That way, you could let the Web API act as the authentication center and provide services for more applications. If you implement it as you said above and you want to use this Web API in many applications that have different authentication validation business logic, you will need to modify your Web API continually. You'd better make the Web API an OAuth endpoint.
I hope it's useful to you.