ASP.NET Web API with OWIN OAuth: Calling protected APIs using Access Token

Source: Internet
Author: User
Tags: oauth

In the previous blog post, we used the OAuth client credentials grant: on the server side, CNBlogsAuthorizationServerProvider (an implementation of the authorization server) successfully issued the access token, and the client successfully received it.

What is the access token used for? In OAuth, access to a resource server (such as a Web API) is authenticated on the basis of the access token. No matter what kind of client makes the call, the resource server treats them all alike: it recognizes only the access token.

Enabling OAuth access token validation in ASP.NET Web API is simple: just add the [Authorize] attribute to the appropriate controller or action, for example:

    using System.Collections.Generic;
    using System.Web.Http;

    [Authorize]
    public class ValuesController : ApiController
    {
        // GET api/values
        public IEnumerable<string> Get()
        {
            return new string[] { "value1", "value2" };
        }
    }

After adding [Authorize], calling the API without an access token produces the following error:

{"Message": "Authorization has been denied for this request."}

At this point you may ask: why does adding [Authorize] have this effect? Why does the original Forms authentication no longer apply?

The reason is that when you create an ASP.NET Web API project with Visual Studio, VS automatically adds the relevant code for you. Open WebApiConfig.cs and you will see the following 2 lines of code:

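    // Ignore authentication already performed by the host (for example Forms authentication)
    config.SuppressDefaultHostAuthentication();
    // Authenticate Web API requests with the OAuth bearer token only
    config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));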

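These are the 2 lines of code that change the behavior of [Authorize]. The first tells Web API to ignore authentication performed by the host, such as Forms authentication; the second makes Web API authenticate requests with the OAuth bearer token type only.

Enabling OAuth validation in ASP.NET Web API is that simple (behind the scenes, Microsoft has implemented OWIN-based OAuth; the source code is in the Katana project).

How does the client use the access token to call the Web API?

Also very simple: just add Bearer:token to the HTTP request header, that is, an Authorization header of the form "Authorization: Bearer <access token>". The client sample code is as follows: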

    using System;
    using System.Collections.Generic;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Newtonsoft.Json.Linq;
    using Xunit;

    public class OAuthClientTest
    {
        private HttpClient _httpClient;

        public OAuthClientTest()
        {
            _httpClient = new HttpClient();
            // Bearer tokens and client secrets should travel over HTTPS outside of a demo.
            _httpClient.BaseAddress = new Uri("http://openapi.cnblogs.com");
        }

        [Fact]
        public async Task Call_WebAPI_By_Access_Token()
        {
            var token = await GetAccessToken();
            // Sends "Authorization: Bearer <token>" with every subsequent request
            _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
            Console.WriteLine(await (await _httpClient.GetAsync("/api/values")).Content.ReadAsStringAsync());
        }

        // Requests an access token from /token using the client credentials grant
        private async Task<string> GetAccessToken()
        {
            var parameters = new Dictionary<string, string>();
            parameters.Add("client_id", "1234");
            parameters.Add("client_secret", "5678");
            parameters.Add("grant_type", "client_credentials");

            var response = await _httpClient.PostAsync("/token", new FormUrlEncodedContent(parameters));
            var responseValue = await response.Content.ReadAsStringAsync();

            return JObject.Parse(responseValue)["access_token"].Value<string>();
        }
    }

Running it produces the following result:

["value1", "value2"]

Done!

The integration of ASP.NET Web API with OAuth, based on the OWIN implementation, makes an originally complex problem simple.
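
The client code above requests a token once and assumes every later call succeeds. As an added example (not code from the original post), the handler below attaches the token only to requests for the token endpoint's own origin and requests a fresh token once when the API answers 401; the class name BearerTokenHandler and its constructor parameters are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Hypothetical helper, not from the original post. Assumes the token endpoint and
// the API share one origin, as in the post's client (both under the same base address).
public class BearerTokenHandler : DelegatingHandler
{
    private readonly Uri _tokenEndpoint;
    private readonly string _clientId, _clientSecret;
    private string _accessToken; // cached until the resource server rejects it
    public BearerTokenHandler(Uri tokenEndpoint, string clientId, string clientSecret, HttpMessageHandler inner)
        : base(inner) { _tokenEndpoint = tokenEndpoint; _clientId = clientId; _clientSecret = clientSecret; }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // Never attach the token to a request for another scheme, host or port.
        if (request.RequestUri.GetLeftPart(UriPartial.Authority) != _tokenEndpoint.GetLeftPart(UriPartial.Authority))
            return await base.SendAsync(request, ct);
        if (_accessToken == null) _accessToken = await RequestTokenAsync(ct);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _accessToken);
        var response = await base.SendAsync(request, ct);
        // Retry only body-less requests: a sent HttpRequestMessage cannot be reused.
        if (response.StatusCode != HttpStatusCode.Unauthorized || request.Content != null) return response;
        response.Dispose();
        _accessToken = await RequestTokenAsync(ct); // token expired or revoked: get a new one
        var retry = new HttpRequestMessage(request.Method, request.RequestUri);
        foreach (var h in request.Headers) retry.Headers.TryAddWithoutValidation(h.Key, h.Value);
        retry.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _accessToken);
        return await base.SendAsync(retry, ct); // a second 401 goes back to the caller
    }

    private async Task<string> RequestTokenAsync(CancellationToken ct)
    {
        var form = new Dictionary<string, string> { { "grant_type", "client_credentials" },
            { "client_id", _clientId }, { "client_secret", _clientSecret } };
        var tokenRequest = new HttpRequestMessage(HttpMethod.Post, _tokenEndpoint)
            { Content = new FormUrlEncodedContent(form) };
        using (var response = await base.SendAsync(tokenRequest, ct))
        {
            response.EnsureSuccessStatusCode(); // do not parse an error body as a token
            var json = JObject.Parse(await response.Content.ReadAsStringAsync());
            return json["access_token"].Value<string>();
        }
    }
}
```

Pass an instance, constructed with new HttpClientHandler() as the inner handler, to the HttpClient constructor; the test method then no longer needs to set DefaultRequestHeaders.Authorization itself. The token cache is not synchronized, so concurrent first calls may each request their own token.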
