Building an OAuth2 server with Microsoft OWIN

Source: Internet
Author: User
Tags: oauth

http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

The sample code is there.

About token encryption and decryption

Server Side

app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions {
    AccessTokenFormat = ... });  // an ISecureDataFormat<AuthenticationTicket>; must match the resource side

AccessTokenFormat sets how the identity (the AuthenticationTicket) is serialized and encrypted. Unfortunately plain JSON or XML cannot be used, because there is a circular reference.

It is a class that implements ISecureDataFormat<AuthenticationTicket>. AuthenticationTicket contains circular references, so JSON serialization does not work.

Resource Side

app.UseOAuthBearerAuthentication(new Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationOptions() { AccessTokenFormat = ... });

This must be set to the same format as on the server side.

The server side encrypts, the resource side decrypts.

About the Base64 string in a cookie

In the sample code, authentication uses the new MVC5 Identity; my identity authentication is custom (based on an earlier web site). A Base64 string is stored in the cookie, and it may contain a plus sign (+).

When read through the original Request.Cookies, the plus sign stays a plus sign,

but when read through IOwinContext, the + becomes a space.

Be careful with this step.
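To see the failure concretely, here is an added Python model (not code from the post, and not Katana's parsing code) of the two cookie readers compared above; SAMPLE_TICKET is a constructed value, and plus_to_space_reader only reproduces the behaviour the post describes for IOwinContext.

```python
import base64
import binascii
from urllib.parse import quote, unquote, unquote_plus

# Constructed sample: three bytes whose standard Base64 form is "+/+/",
# i.e. it contains both characters that a form-style decoder mangles.
SAMPLE_TICKET = b"\xfb\xff\xbf"

def plain_base64(raw: bytes) -> str:
    """What the custom login code stored in the cookie: bare Base64 text."""
    return base64.b64encode(raw).decode("ascii")

def percent_encoded_base64(raw: bytes) -> str:
    """Fix: percent-encode the Base64 text so '+' becomes %2B and cannot turn into a space."""
    return quote(plain_base64(raw), safe="")

def raw_reader(cookie_value: str) -> str:
    """Models the original Request.Cookies: the stored value comes back verbatim."""
    return cookie_value

def plus_to_space_reader(cookie_value: str) -> str:
    """Models the behaviour the post describes for IOwinContext: the value is
    form-decoded, so every '+' comes back as a space (and %XX is decoded)."""
    return unquote_plus(cookie_value)

def roundtrip(raw: bytes, encode, reader) -> bool:
    """Store raw with `encode`, read it back with `reader`, and check it still decodes."""
    try:
        text = unquote(reader(encode(raw)))  # undo percent-encoding if any (no-op for bare Base64)
        return base64.b64decode(text, validate=True) == raw
    except (binascii.Error, ValueError):
        return False  # a space is not a Base64 character, so decoding fails
```

Switching the stored value to the URL-safe Base64 alphabet (`-` and `_` instead of `+` and `/`) is the other common way to avoid the problem.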

About client and server-side interactions

The whole OAuth flow can be viewed as involving three parties:

1. OAuth Authentication Service (server)

2. API Service (Resource)

3. Web site that calls the API (client)

The ultimate goal is for the client to obtain the resource's data, but that data is not open to just anyone, so the client first has to be authenticated and authorized by the server.

If you are developing both the client and the server in .NET, then following the sample and using DotNetOpenAuth.OAuth2 is very convenient.

But we are building OAuth to serve other sites, not just .NET ones, so it is important to understand the client's side of the process.

First, each third-party client (web site, mobile app, etc.) needs to be assigned (or set up its own):

1. Client ID: a string that uniquely identifies the third-party application

2. Secret: the corresponding key

3. Redirect URI: the application page the authentication service redirects to after authentication; this page receives what the service sends back

The overall process is as follows:

1. When the client needs authentication, it redirects the browser to the authentication server:

http://server/OAuth/Authorize?client_id=...&redirect_uri=...&state=...&response_type=code

At this point the page stays on the authentication server and the user clicks the confirm button in the browser (if not logged in, the user is first sent to the login page and returned to this page after logging in).

When the user clicks confirm (agrees to authorize), the browser is redirected to the URL given in the redirect_uri parameter,

such as http://www.abc.com/test/authback

with parameters appended:

?code=....&state=....

Here state is whatever you sent to the service; the service returns it to you unchanged.

Before sending it to the server you can generate a random value and save it in a cookie; when the server returns, compare the returned state against the cookie to detect whether the request was hijacked or altered along the way.

code is the important item; next we write some code that sends a request to the service using this code.

2. Send a POST request to http://server/OAuth/Token.

The form body includes:

redirect_uri=...&grant_type=authorization_code&code=...

Here code is the code obtained in the previous step, grant_type is a fixed value (only the authorization code grant is covered here),
and redirect_uri is still the same address (note that this is not a different address: when the application was registered only one address was set, so every return to the application must use that one).

In addition, the request must carry a header built from

client_id + colon + secret (clientid + ":" + secret)

converted to a Base64 string using UTF-8 encoding.

The value of the Authorization header is "Basic " + the Base64 string (note the space).

If everything is OK, we get a JSON response that includes the access token, refresh token, expiration time, etc.

3. Use the access token to obtain data from the API server.

Again, when requesting the API we need to set a header:

The Authorization value is "bearer " + access token (with the same space).


About expiration time and refresh

The JSON obtained in the second step, in addition to the access token, also contains

expires_in and refresh_token

expires_in is in seconds.

If it expires, you can use refresh_token to obtain a new one:

POST request to http://server/OAuth/Token

The header is the same as in the second step.

Form body:

grant_type = refresh_token (fixed value)

refresh_token = the string obtained in the second step

When the request succeeds, you get JSON in the same format as in the second step.

The OWIN options on the server can set the authorization code and access token lifetimes; the defaults are 5 minutes and 20 minutes respectively.
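The client side of steps 1 to 3 above plus the refresh request, as an added Python example (not the post's sample code, which uses DotNetOpenAuth); the client id, secret, redirect URI and server URLs are constructed sample values, and the functions only build the requests and interpret the responses, so any HTTP library can send them.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample registration (not values from the original post).
CLIENT_ID, CLIENT_SECRET = "my-client", "s3cret"
REDIRECT_URI = "http://www.abc.com/test/authback"
AUTHORIZE_URL = "http://server/OAuth/Authorize"  # token endpoint is http://server/OAuth/Token

def new_state() -> str:
    return secrets.token_urlsafe(32)  # the client stores this (e.g. in a cookie) before redirecting

def build_authorize_url(state: str) -> str:
    """Step 1: the URL the browser is sent to for login and consent."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "state": state, "response_type": "code"}
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(callback_url: str, stored_state: str) -> str:
    """Extracts the code from the redirect back, refusing it if state does not match."""
    qs = parse_qs(urlparse(callback_url).query)
    returned_state = qs.get("state", [""])[0]
    if not secrets.compare_digest(returned_state.encode(), stored_state.encode()):
        raise ValueError("state mismatch: redirect was hijacked or altered")
    return qs["code"][0]

def basic_auth_header() -> dict:
    """Authorization: Basic base64(utf8(client_id:secret)); note the space after Basic."""
    raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}

def token_request_form(code: str) -> dict:
    """Step 2: form body for POST /OAuth/Token; redirect_uri must be the registered one."""
    return {"redirect_uri": REDIRECT_URI, "grant_type": "authorization_code", "code": code}

def refresh_request_form(refresh_token: str) -> dict:
    return {"grant_type": "refresh_token", "refresh_token": refresh_token}  # same URL and Basic header

def parse_token_response(body: str, now: int) -> dict:
    """expires_in is seconds, so store an absolute expiry for the refresh check."""
    data = json.loads(body)
    return {"access_token": data["access_token"], "refresh_token": data.get("refresh_token"),
            "expires_at": now + int(data["expires_in"])}

def needs_refresh(token: dict, now: int, skew: int = 30) -> bool:
    return now >= token["expires_at"] - skew  # refresh shortly before the server-side expiry

def bearer_header(access_token: str) -> dict:
    return {"Authorization": "Bearer " + access_token}  # Step 3: sent to the API (resource) server
```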
