Last post Aug 05, 2016 07:41 AM by tomlinjm
Jul 25, 2016 07:57 AM | tomlinjm
A little backstory: I'm playing around with .NET Core, its OAuth and Cookie implementations, to do a database/identity-free auth system.
So far, I've been able to create a custom OAuth Middleware component and hook it up with the CookieAuthentication Middleware.
I then had some issues ensuring that the access_token was not being purged after its expiration; the CookieMiddleware would continue to keep a user logged in until the cookie expired and never check to see if the access_token was still valid.
To solve this, I was able to create and inject an event into the CookieAuthenticationOptions which would, on every request, test the expiration of the access_token and sign the user out if it was expired:
```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationScheme = CookieAuthenticationDefaults.AuthenticationScheme,
    LoginPath = new PathString("/Auth/EveSSOLogin"),
    AutomaticChallenge = true,
    Events = new CookieAuthenticationEvents
    {
        OnValidatePrincipal = EveSSOClientValidator.ValidateAsync
    }
});

public static async Task ValidateAsync(CookieValidatePrincipalContext context)
{
    DateTime expires = DateTime.MinValue;
    var tokens = context.Properties.GetTokens();
    var accessToken = tokens.FirstOrDefault(t => t.Name.Equals("access_token", StringComparison.OrdinalIgnoreCase))?.Value;
    var expiresString = tokens.FirstOrDefault(t => t.Name.Equals("expires_at", StringComparison.OrdinalIgnoreCase))?.Value;
    if (string.IsNullOrWhiteSpace(expiresString) ||
        !DateTime.TryParse(expiresString, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out expires) ||
        DateTime.UtcNow > expires.ToUniversalTime())
    {
        // expires_at missing or in the past: drop the principal and clear the cookie
        context.RejectPrincipal();
        await context.HttpContext.Authentication.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }
}
```
The issue I'm having now is that I need to handle refresh tokens. Surprisingly, there doesn't appear to be any built-in support to handle refresh tokens. Does Identity handle this? So I've been looking around for a decent place to intercept the request and perform the process of refreshing the token and saving the new token data; if it fails, then let it proceed with the re-authorization.
To do this, I need access to the ClientId, ClientSecret and the refresh_token, all at the same time. But the CookieAuthentication middleware contains the refresh_token and my OAuthAuthentication middleware contains both ClientId and ClientSecret, and I have yet to find a place where these two meet.
So that's where I'm stuck now, and after being at this for the better part of a day, I am asking for help. Even pointing me to the right area in the source code would be beneficial, as I almost feel like I've memorized everything to do with Microsoft.AspNetCore.Authentication and Microsoft.AspNetCore.Authentication.OAuth.
Just in case you want to punish yourself by viewing bad code, you can see the full project here (word of warning, it's messier than normal because I've been testing various things).
Jul 27, 2016 04:04 PM | tomlinjm
Maybe it's too early after the release of Core?
Jul 30, 2016 04:36 PM | imran_ku07
If you are trying to implement OpenID Connect (on top of OAuth2), then you can use the following libraries:
http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-introduction/ (OpenIddict or OpenIdConnect.Server)
Aug 02, 2016 06:13 PM | tomlinjm
So me doing the pseudo-auth using OAuth2 is essentially what OpenID Connect is and I would need another layer in the middle (Identity) to do it properly?
Aug 05, 2016 07:41 AM | tomlinjm
Okay, so I've been reading up on OpenID Connect and understand that OAuth2 is just an Authorization protocol, yet it's been widely used as an Authentication and Authorization protocol. If I understand OIDC correctly, it uses OAuth2 as the Authorization component but then uses JWTs for the Authentication part. That JWT is sent from the Authentication server in conjunction with tokens(?).
If I only have an SSO that works with the OAuth2 Authorization Grant flow that I need to utilize as both the Authentication AND Authorization server. Given the nature of the data/service used, it's not as important for me to worry about the various security implications of using a protocol that wasn't designed for Authentication.
So I have my OAuth2 middleware set up and am using the CookieAuthentication middleware to persist that information as a cookie. Everything works great up until the access_token expires and I need to get a refresh_token. There is no built-in way to deal with that, and that's where I'm stuck.
OpenID Connect didn't seem to be the answer either as the Authentication part of OIDC appears to require a JWT from the Authentication server but since the server is strictly OAuth2, it won't work for me.
Maybe I'm not fully understanding OIDC. Just to be clear, I'm not trying to implement anything other than OAuth2 and the various mechanisms in that protocol, most specifically, Authentication/Authorization and the use of refresh_tokens.
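One way to bring the client credentials and the refresh_token together, as an added example that is not from this thread or the poster's project: copy ClientId, ClientSecret and the token endpoint from the OAuthOptions into the validator in Startup, and let OnValidatePrincipal perform the refresh grant server-side and re-issue the cookie. It assumes the ASP.NET Core 1.0 APIs used in the thread, SaveTokens = true on the OAuth middleware (so refresh_token and expires_at are in the cookie), and a token endpoint that accepts the standard refresh_token grant; the class, field and helper names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Newtonsoft.Json.Linq;
// Hypothetical validator: the OAuth client credentials are copied here from Startup so that they
// and the refresh_token held in the cookie are available in the same place.
public static class RefreshingValidator
{
    public static string ClientId, ClientSecret, TokenEndpoint; // set in Startup (assumed names)
    public static async Task ValidateAsync(CookieValidatePrincipalContext context)
    {
        var tokens = context.Properties.GetTokens();
        var expiresAt = tokens.FirstOrDefault(t => t.Name == "expires_at")?.Value;
        var refreshToken = tokens.FirstOrDefault(t => t.Name == "refresh_token")?.Value;
        DateTime expires;
        if (DateTime.TryParse(expiresAt, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out expires)
            && DateTime.UtcNow < expires.ToUniversalTime().AddMinutes(-1))
            return; // access_token still valid (with one minute of skew), nothing to do
        if (string.IsNullOrEmpty(refreshToken)) { await Reject(context); return; }
        using (var http = new HttpClient())
        {
            // The refresh grant is server-to-server; the client_secret never reaches the browser.
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "refresh_token", ["refresh_token"] = refreshToken,
                ["client_id"] = ClientId, ["client_secret"] = ClientSecret
            });
            var response = await http.PostAsync(TokenEndpoint, form);
            if (!response.IsSuccessStatusCode) { await Reject(context); return; }
            var payload = JObject.Parse(await response.Content.ReadAsStringAsync());
            var newExpiry = DateTime.UtcNow.AddSeconds(payload.Value<int>("expires_in"));
            context.Properties.StoreTokens(new[]
            {
                new AuthenticationToken { Name = "access_token", Value = payload.Value<string>("access_token") },
                // some servers rotate the refresh token; keep the old one if none is returned
                new AuthenticationToken { Name = "refresh_token", Value = payload.Value<string>("refresh_token") ?? refreshToken },
                new AuthenticationToken { Name = "expires_at", Value = newExpiry.ToString("o", CultureInfo.InvariantCulture) }
            });
            context.ShouldRenew = true; // re-issue the cookie so the new tokens are persisted
        }
    }
    private static Task Reject(CookieValidatePrincipalContext context)
    {
        context.RejectPrincipal(); // refresh failed: drop the principal and clear the cookie so the user re-authorizes
        return context.HttpContext.Authentication.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }
}
```

In Startup, assign RefreshingValidator.ClientId, ClientSecret and TokenEndpoint from the same values given to the OAuth middleware and point OnValidatePrincipal at RefreshingValidator.ValidateAsync.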