I'm trying to build a custom OAuth2 authorization server that supports the resource owner password credentials flow. The authorization server is a Web API application hosted in IIS 7.5.
I have configured the Startup class to register a custom OAuth server provider (AtcAuthorizationServerProvider).
```csharp
using System;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(Atc.WebApi.AuthorizationServer.Startup))]

namespace Atc.WebApi.AuthorizationServer
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // OAuth middleware is registered before Web API so the /token endpoint is reached first
            ConfigureOAuth(app);

            HttpConfiguration config = new HttpConfiguration();
            WebApiConfig.Register(config);
            app.UseWebApi(config);
            app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
        }

        public void ConfigureOAuth(IAppBuilder app)
        {
            OAuthAuthorizationServerOptions oAuthServerOptions = new OAuthAuthorizationServerOptions()
            {
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
                Provider = new AtcAuthorizationServerProvider(),
                RefreshTokenProvider = new AtcRefreshTokenProvider(),
                AuthenticationMode = AuthenticationMode.Passive
            };

            // Token generation
            app.UseOAuthAuthorizationServer(oAuthServerOptions);
            // Bearer token validation for the protected Web API resources
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        }
    }
}
```

In the custom provider class I override ValidateClientAuthentication() to accept both ways of receiving the client credentials (in the body and in the Authorization header).
```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public class AtcAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId = string.Empty;
        string clientSecret = string.Empty;

        // Client credentials: try the Authorization header (HTTP Basic) first, then the form body
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
        {
            context.TryGetFormCredentials(out clientId, out clientSecret);
        }

        // rest of code
    }
}
```

Everything works fine when I send client_id and client_secret in the body.
```http
POST /atc.webapi.authorizationserver/token HTTP/1.1
Host: localhost
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=password&password=123456&username=myuser&client_id=myclient&client_secret=123%40abc
```

I get the access token successfully.
```json
{
  "access_token": "3fk_ps10i45ul0zeczipveh2whke8ijvntkj2xgwcqwxst9jllkf...",
  "token_type": "bearer",
  "expires_in": 1799,
  "refresh_token": "4c1097d17dd14df5ac1c5842e089a88e",
  "as:client_id": "myclient"
}
```

However, if I use DotNetOpenAuth.OAuth2.WebServerClient, which passes client_id and client_secret in the Authorization header, I receive a 401.1 - Unauthorized HTTP response. I have found out that ValidateClientAuthentication() is not fired.
The request looks like this:
```http
POST /atc.webapi.authorizationserver/token HTTP/1.1
Host: localhost
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic c16b34lujeym0bhymm=
Cache-Control: no-cache

grant_type=password&password=123456&username=myuser
```

The question is: how do I persuade the OWIN middleware to fire the custom provider in this case?
Well, I found out the trouble. Basic authentication was enabled in IIS, so IIS got the request, tried to authenticate the user itself, failed, and returned 401 Unauthorized immediately. The OWIN middleware never received the request for processing.
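The check a practitioner would want for the situation in the answer above, as an added example that is not part of the original post: it reads the IIS authentication settings for the application with the WebAdministration module and, if IIS's own Basic authentication module is enabled (or anonymous access is disabled), switches them so that the Authorization header reaches the OWIN token endpoint instead of being consumed by IIS. The site/application path, the function name and the variable names are assumptions; run it from an elevated PowerShell on the IIS host.

```powershell
# Added example (not the original post's code). Verifies and fixes the IIS-level
# authentication settings that cause IIS to answer "Authorization: Basic ..." with
# 401.1 before the OWIN OAuth middleware ever sees the request.
Import-Module WebAdministration

$appPath    = 'Default Web Site/atc.webapi.authorizationserver'   # assumed IIS location of the app
$authFilter = 'system.webServer/security/authentication'

function Get-IisAuthEnabled {
    # Returns $true when the named IIS authentication module is enabled for $Location.
    param([string]$Location, [string]$Module)
    $prop = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                -Filter "$authFilter/$Module" -Name enabled
    return [bool]$prop.Value
}

$basic = Get-IisAuthEnabled -Location $appPath -Module basicAuthentication
$anon  = Get-IisAuthEnabled -Location $appPath -Module anonymousAuthentication
"basicAuthentication enabled:     $basic"
"anonymousAuthentication enabled: $anon"

if ($basic -or -not $anon) {
    # IIS must authenticate nothing on this path: the OAuth provider's
    # ValidateClientAuthentication() is what checks the Basic client credentials.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $appPath `
        -Filter "$authFilter/basicAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $appPath `
        -Filter "$authFilter/anonymousAuthentication" -Name enabled -Value $true
    "Updated: IIS now passes the Authorization header through to OWIN for $appPath"
}
```

Because the authentication sections are locked at the server level in a default IIS install, the script writes them as location entries in applicationHost.config (via -PSPath 'IIS:\' -Location) rather than into the application's web.config, where the same setting would be rejected until the section is unlocked.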