Today we will implement the Implicit Grant flow with OWIN. If you are not familiar with this OAuth flow, please refer here.
First, let's see what the request from the client looks like:
URL:
http://localhost:1234/api/auth?client_id=123456&redirect_uri=http://localhost:4321/TokenReciever.html&response_type=token
Method:
GET
Unlike the Resource Owner grant flow, the parameters here are specified in the request URL itself and are not POSTed in the request body.
Now on to the server side:
1. Required Packages
Same as in the previous post on the Resource Owner grant flow.
2. OWIN Startup Class
The setup is the same as in the previous post, but because of how the implicit flow works we will not point to the token endpoint; we point to the authorization endpoint instead.
Code:
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(ImplictOAuthFlow.StartUp))]

namespace ImplictOAuthFlow
{
    public class StartUp
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
            {
                // The endpoint path which will be consumed via HTTP, e.g. http://website[:port]/api/auth
                AuthorizeEndpointPath = new PathString("/api/auth"),
                // Provider is a class which inherits from OAuthAuthorizationServerProvider. Covered next.
                Provider = new CustomAuthServer(),
                // Mark true if you are not on an HTTPS channel (the token then travels in the clear)
                AllowInsecureHttp = true,
            });

            // Indicate our intent to use bearer authentication
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
            {
                AuthenticationType = "Bearer",
                AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
            });
        }
    }
}
```
3. Provider class
For the Implicit Grant flow we need to override a different set of methods.
Code:
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Web;
using Microsoft.Owin.Security.OAuth;

namespace ImplictOAuthFlow
{
    class CustomAuthServer : OAuthAuthorizationServerProvider
    {
        public override Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
        {
            // We validate that the Client Id and Redirect Uri are indeed what we expect.
            // Note: a substring check like Contains("localhost") is only a demo; in real code compare
            // the redirect URI exactly against the URI registered for this client, since the token is
            // delivered to whatever URI passes this check.
            if (context.ClientId == "123456" && context.RedirectUri.Contains("localhost"))
                context.Validated();
            else
                context.Rejected();

            return Task.FromResult<object>(null);
        }

        public override Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
        {
            // The authentication type should be set to "Bearer" while setting up the ClaimsIdentity.
            // I have set up a basic mandatory ClaimsIdentity. You can add the necessary claims if required.
            System.Security.Claims.ClaimsIdentity ci = new System.Security.Claims.ClaimsIdentity("Bearer");
            context.OwinContext.Authentication.SignIn(ci);
            // Tell the middleware the request has been handled so it issues the token redirect.
            context.RequestCompleted();
            return Task.FromResult<object>(null);
        }
    }
}
```
4. Receiving Token
The token is received in a redirect to the URL given in the "redirect_uri" parameter of the request URL. So the response we get is:
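As an added example (not code from the original post), here is the logic the redirect_uri page, TokenReciever.html in the request above, can use to pick the token out of the URL fragment and decide whether to trust it. It assumes the standard fragment layout from RFC 6749 section 4.2.2 (access_token, token_type, expires_in, state) and that the client sent a state value, which the request shown above does not yet include; the sample fragment is constructed.

```javascript
// Parse the fragment the authorization server appended to redirect_uri, e.g.
// http://localhost:4321/TokenReciever.html#access_token=...&token_type=bearer&expires_in=1200&state=...
function parseTokenFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  const params = new URLSearchParams(raw);
  const expires = params.get('expires_in');
  return {
    accessToken: params.get('access_token'),
    tokenType: params.get('token_type'),
    expiresIn: expires === null ? null : Number(expires),
    state: params.get('state'),
    error: params.get('error'),
  };
}

// Accept the token only if it is well formed and the state echoes the value
// this client generated before it redirected to /api/auth (assumed, see lead-in).
function acceptToken(hash, expectedState) {
  const t = parseTokenFragment(hash);
  if (t.error) return { ok: false, reason: 'error:' + t.error };
  if (!t.accessToken) return { ok: false, reason: 'missing access_token' };
  if ((t.tokenType || '').toLowerCase() !== 'bearer') return { ok: false, reason: 'unexpected token_type' };
  if (!expectedState || t.state !== expectedState) return { ok: false, reason: 'state mismatch' };
  if (!Number.isInteger(t.expiresIn) || t.expiresIn <= 0) return { ok: false, reason: 'bad expires_in' };
  return { ok: true, accessToken: t.accessToken, expiresAt: Date.now() + t.expiresIn * 1000 };
}

// Constructed sample of what window.location.hash holds after the redirect.
const SAMPLE_HASH = '#access_token=AQAAANCMnd8BFdERjHoAwE&token_type=bearer&expires_in=1200&state=n8Qz3';

// In the browser: read the fragment once, then scrub it from the address bar and history
// so the bearer token is not left in browser history or Referer headers.
if (typeof window !== 'undefined') {
  const result = acceptToken(window.location.hash, sessionStorage.getItem('oauth_state'));
  history.replaceState(null, '', window.location.pathname);
  console.log(result.ok ? 'token accepted' : 'token rejected: ' + result.reason);
}
```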