Return more info to the client using OAuth Bearer Tokens Generation and Owin in WebApi

by

You can add as many claims as you want.
You can add the standard set of claims from System.Security.Claims or create your own.
Claims will be encrypted in your token so they will only be accessed from the resource server.

If you want your client to be able to read extended properties of your token you have another option: AuthenticationProperties.

Let’s say you want to add something so that your client can have access to. That’s the way to go:

var props = new AuthenticationProperties(new Dictionary<string, string>
{
    { 
        "surname", "Smith"
    },
    { 
        "age", "20"
    },
    { 
    "gender", "Male"
    }
});

Now you can create a ticket with the properties you’ve added above:

var ticket = new AuthenticationTicket(identity, props);
context.Validated(ticket);

That’s the result your client will fetch:

.expires: "Tue, 14 Oct 2014 20:42:52 GMT"
.issued: "Tue, 14 Oct 2014 20:12:52 GMT"
access_token: "blahblahblah"
expires_in: 1799
age: "20"
gender: "Male"
surname: "Smith"
token_type: "bearer"

On the other hand if you add claims you will be able to read them in your resource server in your API controller:

public IHttpActionResult Get()
{
    ClaimsPrincipal principal = Request.GetRequestContext().Principal as ClaimsPrincipal;

    return Ok();
}

Your ClaimsPrincipal will contain your new claim’s guid which you’ve added here:

identity.AddClaim(new Claim("guid", user.UserGuid.ToString()));

If you want to know more about owin, bearer tokens and web api there’s a really good tutorial here and this article will help you to grasp all the concepts behind Authorization Server and Resource Server.

UPDATE:

You can find a working example here. This is a Web Api + Owin self-hosted.
There’s no database involved here.
The client is a console application (there’s a html + JavaScript sample as well) which call a Web Api passing credentials.

As Taiseer suggested, you need to override TokenEndpoint:

public override Task TokenEndpoint(OAuthTokenEndpointContext context)
{
    foreach (KeyValuePair<string, string> property in context.Properties.Dictionary)
    {
        context.AdditionalResponseParameters.Add(property.Key, property.Value);
    }

    return Task.FromResult<object>(null);
}

Enable ‘Multiple Startup Projects’ from Solution -> Properties and you can run it straight away.

More Related Contents:

  1. Validate a username and password against Active Directory?
  2. No connection could be made because the target machine actively refused it?
  3. Dependency Injection in attributes
  4. Dot character ‘.’ in MVC Web API 2 for request such as api/people/STAFF.45287
  5. Unauthorised webapi call returning login page rather than 401
  6. How to use JWT in MVC application for authentication and authorization?
  7. How can I make SMTP authenticated in C#
  8. Web API 2: how to return JSON with camelCased property names, on objects and their sub-objects
  9. Newtonsoft JSON dynamic property name
  10. JsonConverter with Interface
  11. OWIN Security – How to Implement OAuth2 Refresh Tokens
  12. Token Based Authentication in ASP.NET Core (refreshed)
  13. C# – HttpWebRequest POST (Login to Facebook)
  14. How do I log a user out when they close their browser or tab in ASP.NET MVC?
  15. ASP.NET Core 2.0 disable automatic challenge
  16. OWIN’s GetExternalLoginInfoAsync Always Returns null
  17. Order of execution with multiple filters in web api
  18. ASP.NET Identity Cookie across subdomains
  19. How do you login/authenticate a user with Asp.Net MVC5 RTM bits using AspNet.Identity?
  20. How to get the logon SID in C#
  21. Copy file on a network shared drive
  22. Web API optional parameters
  23. Simple JWT authentication in ASP.NET Core 1.0 Web API
  24. How to return a PDF from a Web API application
  25. Web API and OData- Pass Multiple Parameters
  26. Unhandled Exception Global Handler for OWIN / Katana?
  27. Adding a custom query backed Navigation Property to ODataConventionModelBuilder
  28. Using a wwwroot folder (ASP.NET Core style) in ASP.NET 4.5 project
  29. Using C# to authenticate user against LDAP
  30. AuthenticateRequest event

Leave a Comment