Last post Dec 04, 2015 05:28 PM by jbowen014
Dec 03, 2015 06:05 PM | jbowen014
There is a good article on how to share cookies between ASP.NET 4.x and ASP.NET 5 applications (http://docs.asp.net/en/latest/security/data-protection/compatibility/cookie-sharing.html),
but is there a similar way to share Bearer Tokens?
For instance, I have a central authentication server that hands out bearer tokens that is written in ASP .NET 4.5.1 with Identity Framework 2.x. My dependent application, written in ASP .NET 5, will get a bearer token from the central authentication server
and use that bearer token for calling protected endpoints (using claims) in the dependent application. How can I get the two applications to share the bearer token (i.e. so the dependent application can parse the bearer token)? I already followed the article
for sharing cookies between them and that is working well.
Dec 03, 2015 07:15 PM | maherjendoubi
Are you using the OAuth2 authorization server that comes with Katana?
Dec 03, 2015 07:28 PM | jbowen014
Yes, that is being used in the auth server. I used this article as a guide: http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
Dec 03, 2015 07:45 PM | maherjendoubi
You have 2 options: updating the authorization server to use a custom format class relying on the new data protection block (since it has completely changed), or creating a new middleware to validate the access tokens issued by your authorization server, using the old data protection system. By default, ASP.NET 5 only supports JWT tokens.
Dec 03, 2015 08:06 PM | jbowen014
Thank you for the quick response. I've already updated the authorization server to use a custom format class to share cookies (http://docs.asp.net/en/latest/security/data-protection/compatibility/cookie-sharing.html).
I wasn't sure what to do in the ASP .NET 5 application to read the bearer token. For cookies, the article gave code examples for how to register the cookie authentication middleware to read the cookie. I was hoping for something similar for this situation.
I'm sure it's something simple I'm overlooking.
Dec 03, 2015 08:23 PM | BrockAllen
The other approach is to look into using IdentityServer as your token service.
Dec 03, 2015 08:57 PM | jbowen014
Unfortunately I cannot swap out the authentication server. There's a lot of custom code around authenticating organizations along with authenticating users. I'll have to look into the suggestion of writing custom middleware to parse the Bearer Token.
Dec 04, 2015 05:28 PM | jbowen014
I was able to parse the bearer token in my ASP .NET 5 application. I'm not claiming this is the absolute best method, but it works and is straightforward.
this article on how to share cookies between ASP.NET 4.x and ASP.NET 5 applications.
In your ASP .NET 4.5.1 authentication server, use the following code in your Startup.Auth file
```csharp
using System.IO;
using Microsoft.AspNet.DataProtection;   // DataProtectionProvider, IDataProtector
using Microsoft.Owin.Security.Interop;   // AspNet5TicketDataFormat, DataProtectorShim
using Microsoft.Owin.Security.OAuth;
// Same key directory and purpose string the ASP.NET 5 application will use to unprotect the tokens.
DataProtectionProvider dataProtectionProvider = new DataProtectionProvider(new DirectoryInfo("<Your Keys Path Here>"), configure => configure.ProtectKeysWithDpapi(true));
IDataProtector dataProtector = dataProtectionProvider.CreateProtector("<Your Purpose Here>");
OAuthOptions = new OAuthAuthorizationServerOptions
{
    //...Shortened for brevity
    AccessTokenFormat = new AspNet5TicketDataFormat(new DataProtectorShim(dataProtector), "<Your Purpose Here>"),
    AuthorizationCodeFormat = new AspNet5TicketDataFormat(new DataProtectorShim(dataProtector), "<Your Purpose Here>"),
    RefreshTokenFormat = new AspNet5TicketDataFormat(new DataProtectorShim(dataProtector), "<Your Purpose Here>"),
};
```
In your ASP .NET 5 application, add a new middleware class
```csharp
using System;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNet.Authentication;   // AuthenticationTicket, TicketSerializer
using Microsoft.AspNet.Builder;          // RequestDelegate
using Microsoft.AspNet.DataProtection;   // DataProtectionProvider, IDataProtector
using Microsoft.AspNet.Http;             // HttpContext
using Microsoft.Extensions.Primitives;   // StringValues
public class OAuth2BearerTokenAuthentication
{
    private const string BearerIdentifier = "Bearer";
    private const string Purpose = "<Your Purpose Here>"; // This must match the authentication server.
    private readonly RequestDelegate _next;
    public OAuth2BearerTokenAuthentication(RequestDelegate next) { _next = next; }
    public async Task Invoke(HttpContext context)
    {
        StringValues authorizeHeader = context.Request.Headers["Authorization"];
        if (authorizeHeader != StringValues.Empty)
        {
            string token = authorizeHeader.FirstOrDefault();
            if (token?.StartsWith(BearerIdentifier, StringComparison.OrdinalIgnoreCase) ?? false)
            {
                token = token.Substring(BearerIdentifier.Length).TrimStart(); // strip only the scheme prefix
                try
                {
                    DataProtectionProvider provider = new DataProtectionProvider(new DirectoryInfo("<Your Keys Path Here>"), configure => configure.ProtectKeysWithDpapi(true));
                    IDataProtector dataProtector = provider.CreateProtector(Purpose);
                    string jsonResult = dataProtector.Unprotect(token);
                    TicketSerializer serializer = new TicketSerializer();
                    AuthenticationTicket ticket = serializer.Deserialize(Encoding.UTF8.GetBytes(jsonResult));
                    context.User = ticket.Principal;
                }
                catch (Exception ex) { /* Log the error or do whatever you want with it. */ }
            }
        }
        await _next(context); // continue the pipeline; an unreadable token leaves the request anonymous
    }
}
```
Make sure to add this middleware in your Startup file.
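The middleware in the post trusts any ticket the protector can unprotect but never checks the ticket's expiry (Katana's own bearer handler does), builds a new DataProtectionProvider on every request, and round-trips the binary ticket through a UTF-8 string. The following is an added example, not code from the post, of the same approach with those points addressed; the class name, the `WebEncoders.Base64UrlDecode` helper from Microsoft.AspNet.WebUtilities, and the path and purpose placeholders are assumptions.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Authentication;   // AuthenticationTicket, TicketSerializer
using Microsoft.AspNet.Builder;          // RequestDelegate
using Microsoft.AspNet.DataProtection;   // DataProtectionProvider, IDataProtector
using Microsoft.AspNet.Http;             // HttpContext
using Microsoft.AspNet.WebUtilities;     // WebEncoders.Base64UrlDecode (assumed location of this helper)
public class SharedBearerTokenMiddleware
{
    private const string Purpose = "<Your Purpose Here>"; // placeholder: must match the Katana server
    private readonly RequestDelegate _next;
    private readonly IDataProtector _protector; // created once, not on every request
    private readonly TicketSerializer _serializer = new TicketSerializer();

    public SharedBearerTokenMiddleware(RequestDelegate next)
    {
        _next = next;
        // Same key ring and DPAPI setting as the authentication server (placeholder path).
        var provider = new DataProtectionProvider(new DirectoryInfo("<Your Keys Path Here>"),
            configure => configure.ProtectKeysWithDpapi(true));
        _protector = provider.CreateProtector(Purpose);
    }

    public async Task Invoke(HttpContext context)
    {
        AuthenticationTicket ticket = TryReadTicket(context.Request.Headers["Authorization"].FirstOrDefault());
        // Katana's own bearer handler rejects expired tickets; a hand-written middleware must do the same.
        DateTimeOffset? expires = ticket?.Properties.ExpiresUtc;
        bool expired = expires.HasValue && expires.Value < DateTimeOffset.UtcNow;
        if (ticket != null && !expired && ticket.Principal?.Identity?.IsAuthenticated == true)
            context.User = ticket.Principal;
        await _next(context); // anything else continues as an anonymous request
    }

    private AuthenticationTicket TryReadTicket(string header)
    {
        if (header == null || !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) return null;
        try
        {
            // Unprotect the raw bytes: the serialized ticket is binary, and the string overload of
            // Unprotect would try to decode it as UTF-8 and fail on any byte sequence that is not valid text.
            byte[] payload = _protector.Unprotect(WebEncoders.Base64UrlDecode(header.Substring(7).Trim()));
            return _serializer.Deserialize(payload);
        }
        catch (Exception) { return null; } // tampered, wrong key ring or purpose, or malformed: not trusted
    }
}
```

Register it in Startup with `app.UseMiddleware<SharedBearerTokenMiddleware>();` ahead of `app.UseMvc()`, so the principal is in place before authorization filters run.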