Last post Mar 27, 2019 09:06 AM by CraigBurton
Mar 26, 2019 05:59 PM | CraigBurton
I've part-built a WebAPI and am trying to add in OAuth2 (in token refresh). I'm seeing lots of walk-throughs, demos, etc. that generally have parts or start from a different point (e.g. don't implement refresh, or use Mobile apps helpers), and trying to mash these together with the existing WebAPI is proving a struggle. Before I go any further, is having the auth and API in the same API desirable, or is something like the sample OWIN OAuth 2.0 Authorization Server the way to go (separate auth server, API then just checks it has a valid token where authorisation is required)?
And/or pointers to better examples / best practice would be much appreciated! Requirements are: OAuth2 authentication, using client credentials (username+password if I read that right), with expiring access tokens, plus refresh tokens. Ideally I would be able to log out of a session, but I understand that is not really the way the tokens work. Credentials are checked against an existing database. Access to the API is initially via a Windows app.
Many thanks, Craig
Mar 26, 2019 06:24 PM | mgebhard
is having the auth and API in the same API desirable or is something like the sample OWIN OAuth 2.0 Authorization Server the way to go (separate auth server, API then just checks it has a valid token where authorisation is required)?
I feel it is better. The auth server does one thing.
And/or pointers to better examples / best practice, would be much appreciated!
The best place is the RFCs which describe the standards. At least that's what helped me.
Mar 27, 2019 04:35 AM | Nan Yu
I would suggest creating a separate auth server, like an identity provider, or if you want a hosted solution, you might consider something like Azure Active Directory. Then your Web API will be a resource protected by the auth server, and you can use the client credentials flow to acquire an access token for accessing your API.
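To make the split that both replies recommend concrete, here is an added example (not code from this thread, and not the OWIN or ASP.NET Identity implementation) of the two roles in a client credentials flow: an authorization server that issues short-lived HS256 access tokens plus single-use refresh tokens, and a resource server (the Web API) that only validates what it is handed. The issuer and audience URLs, the client registry (`win-app`), the shared signing key and the TTLs are all constructed for the example; a production deployment would sign with an asymmetric key and publish it via JWKS rather than share an HMAC secret with the API.

```python
"""Toy OAuth2 client-credentials flow split into two roles: an authorization
server that mints/refreshes tokens, and a resource server (the Web API) that
only validates them. Stdlib only. Illustrative code, not ASP.NET/OWIN."""
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

ISSUER = "https://auth.example.test"     # assumed auth server identifier
AUDIENCE = "https://api.example.test"    # assumed Web API identifier
ACCESS_TTL = 600                         # access tokens live 10 minutes
REFRESH_TTL = 7 * 24 * 3600              # refresh tokens live 7 days

# Key shared by auth server and API (constructed for the example only).
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

# Client registry as the auth server would hold it: secrets stored hashed.
_SALT = b"constructed-salt"
def _hash_secret(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), _SALT, 100_000)
CLIENTS = {"win-app": _hash_secret("s3cr3t")}   # constructed client

REFRESH_STORE: dict = {}                 # refresh token -> metadata

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(header_payload: str) -> str:
    return _b64url(hmac.new(SIGNING_KEY, header_payload.encode(), hashlib.sha256).digest())

def _mint_access_token(client_id: str, scope: str, now: int) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": client_id,
              "scope": scope, "iat": now, "exp": now + ACCESS_TTL}
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_sign(header + '.' + payload)}"

# --- authorization server side -------------------------------------------
def token_endpoint(form: dict, now: Optional[int] = None) -> dict:
    """Handle POST /token for grant_type=client_credentials or refresh_token.
    Returns a token response, or {"error": ...} in the RFC 6749 style."""
    now = int(time.time()) if now is None else now
    grant = form.get("grant_type")
    if grant == "client_credentials":
        cid = form.get("client_id")
        stored = CLIENTS.get(cid)
        if stored is None or not hmac.compare_digest(stored, _hash_secret(form.get("client_secret") or "")):
            return {"error": "invalid_client"}
        scope = form.get("scope", "api.read")
    elif grant == "refresh_token":
        meta = REFRESH_STORE.pop(form.get("refresh_token", ""), None)  # single use: rotate
        if meta is None or meta["exp"] < now:
            return {"error": "invalid_grant"}
        cid, scope = meta["client_id"], meta["scope"]
    else:
        return {"error": "unsupported_grant_type"}
    refresh = secrets.token_urlsafe(32)
    REFRESH_STORE[refresh] = {"client_id": cid, "scope": scope, "exp": now + REFRESH_TTL}
    return {"access_token": _mint_access_token(cid, scope, now), "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}

def revoke_refresh_token(refresh: str) -> bool:
    """'Logout': drop the refresh token so the session cannot be renewed.
    Already-issued access tokens stay valid until exp, so keep ACCESS_TTL short."""
    return REFRESH_STORE.pop(refresh, None) is not None

# --- resource server (Web API) side --------------------------------------
def validate_bearer(authorization: str, now: Optional[int] = None) -> Optional[dict]:
    """Check an Authorization header value; return the claims or None.
    The API never talks to the client database: signature, alg, iss, aud, exp."""
    now = int(time.time()) if now is None else now
    scheme, _, token = authorization.partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        return None
    expected = _sign(parts[0] + "." + parts[1]).encode()
    if not hmac.compare_digest(expected, parts[2].encode()):   # constant-time
        return None
    try:
        header = json.loads(_b64url_dec(parts[0]))
        claims = json.loads(_b64url_dec(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":                   # reject alg=none / confusion
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

The Windows app would call `token_endpoint` (over TLS, at the auth server) and then send `Authorization: Bearer <access_token>` to the API, which runs only `validate_bearer`. Refresh tokens are rotated on every use so a replayed one fails, and `revoke_refresh_token` is the closest thing to a logout: the current access token still works until it expires, which is why the access TTL is kept short.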
Mar 27, 2019 09:06 AM | CraigBurton
Thanks both for the advice; separate auth looks like the way to go.