http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
There is sample code at the address above.
About token encryption and decryption
Server side
app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions { AccessTokenFormat = ... });
AccessTokenFormat controls how the identity is serialized and encrypted. It must be a class that implements ISecureDataFormat<AuthenticationTicket>; unfortunately a plain JSON or XML serializer cannot be used, because AuthenticationTicket contains circular references, so JSON does not work.
Resource side
app.UseOAuthBearerAuthentication(new Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationOptions() { AccessTokenFormat = ... });
AccessTokenFormat must be set to the same format on both sides:
the server side encrypts, the resource side decrypts.
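Below is an added example (not code from the post or from the Katana sample) of one ISecureDataFormat<AuthenticationTicket> that both sides construct from the same shared secret, so a token protected on the authorization server can be unprotected on the resource server. It serializes the ticket with Katana's binary TicketSerializer (which avoids the circular-reference problem), encrypts with AES-CBC and authenticates with HMAC-SHA256 before accepting anything. The secret, the helper names and the wiring class are assumptions for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Microsoft.Owin.Security.DataHandler.Serializer;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Token layout: base64url( IV | AES-CBC ciphertext | HMAC-SHA256 tag ).
public class SharedTicketFormat : ISecureDataFormat<AuthenticationTicket>
{
    private const int IvSize = 16, TagSize = 32;
    private readonly byte[] _encKey, _macKey;
    private readonly TicketSerializer _serializer = new TicketSerializer(); // Katana's binary ticket serializer
    private readonly ITextEncoder _encoder = TextEncodings.Base64Url;       // output has no '+' or '/'

    // sharedSecret is assumed to be read from configuration on both hosts and is never sent to clients.
    public SharedTicketFormat(string sharedSecret)
    {
        byte[] secret = Encoding.UTF8.GetBytes(sharedSecret);
        _encKey = Derive(secret, "enc");   // 32 bytes -> AES-256
        _macKey = Derive(secret, "mac");   // separate key for the integrity tag
    }

    private static byte[] Derive(byte[] secret, string purpose)
    {
        using (var h = new HMACSHA256(secret)) return h.ComputeHash(Encoding.UTF8.GetBytes(purpose));
    }

    // Server side: Katana calls this when the token endpoint issues an access token.
    public string Protect(AuthenticationTicket data)
    {
        byte[] plain = _serializer.Serialize(data);
        using (var aes = Aes.Create())
        {
            aes.Key = _encKey;
            aes.GenerateIV();                                   // fresh IV per token
            byte[] cipher;
            using (var enc = aes.CreateEncryptor()) cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] body = new byte[IvSize + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, body, 0, IvSize);
            Buffer.BlockCopy(cipher, 0, body, IvSize, cipher.Length);
            byte[] tag;
            using (var mac = new HMACSHA256(_macKey)) tag = mac.ComputeHash(body);   // encrypt-then-MAC
            byte[] blob = new byte[body.Length + TagSize];
            Buffer.BlockCopy(body, 0, blob, 0, body.Length);
            Buffer.BlockCopy(tag, 0, blob, body.Length, TagSize);
            return _encoder.Encode(blob);
        }
    }

    // Resource side: the bearer middleware calls this for every Authorization: Bearer header.
    // null means "not authenticated"; malformed or tampered tokens must never throw.
    public AuthenticationTicket Unprotect(string protectedText)
    {
        try
        {
            byte[] blob = _encoder.Decode(protectedText);
            if (blob.Length < IvSize + TagSize) return null;
            int bodyLen = blob.Length - TagSize;
            byte[] body = new byte[bodyLen], tag = new byte[TagSize];
            Buffer.BlockCopy(blob, 0, body, 0, bodyLen);
            Buffer.BlockCopy(blob, bodyLen, tag, 0, TagSize);
            byte[] expected;
            using (var mac = new HMACSHA256(_macKey)) expected = mac.ComputeHash(body);
            if (!FixedTimeEquals(expected, tag)) return null;   // wrong key or modified token: reject before decrypting
            using (var aes = Aes.Create())
            {
                aes.Key = _encKey;
                byte[] iv = new byte[IvSize];
                Buffer.BlockCopy(body, 0, iv, 0, IvSize);
                aes.IV = iv;
                using (var dec = aes.CreateDecryptor())
                    return _serializer.Deserialize(dec.TransformFinalBlock(body, IvSize, bodyLen - IvSize));
            }
        }
        catch (Exception) { return null; }
    }

    // Compares the whole length regardless of where the first difference is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Hypothetical wiring: the same format, built from the same secret, on both sides.
public static class TokenFormatWiring
{
    public static void ConfigureServer(IAppBuilder app, string sharedSecret)   // authorization server Startup
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            AccessTokenFormat = new SharedTicketFormat(sharedSecret)   // endpoints, provider, lifetimes set elsewhere
        });
    }

    public static void ConfigureResource(IAppBuilder app, string sharedSecret)  // API (resource) Startup
    {
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            AccessTokenFormat = new SharedTicketFormat(sharedSecret)
        });
    }
}
```

If both applications are hosted in IIS with the same `<machineKey>` in web.config, Katana's built-in TicketDataFormat over app.CreateDataProtector(...) with identical purpose strings achieves the same sharing without a custom class; the explicit version above makes it visible that the two sides must hold the same key and that the resource side verifies before it trusts.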
About the Base64 string in a cookie
In the sample code, authentication uses the new MVC5 Identity; my identity authentication is customized (based on an earlier web site). A Base64 string is stored in the cookie, and it may contain a plus sign (+).
Read with the original Request.Cookies, the plus sign comes back as a plus sign,
but read through IOwinContext, the + becomes a space.
Pay attention to this in that part of the process.
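An added example (not from the post) of the two ways around the mangled plus sign: write cookie values in the URL-safe Base64 alphabet so there is no '+' to lose, and when a legacy standard-Base64 cookie is read through IOwinContext, put the '+' back before decoding. The class and method names are assumptions.

```csharp
using System;
using Microsoft.Owin;

public static class CookieBase64
{
    // Write side: '-' and '_' instead of '+' and '/', no '=' padding; URL decoding leaves all of it alone.
    public static string Encode(byte[] raw)
    {
        return Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Read side: accepts the URL-safe form and also standard Base64 whose '+' arrived as ' '.
    // A value that is not Base64 at all still throws FormatException, which the caller should treat as "no cookie".
    public static byte[] Decode(string cookieValue)
    {
        if (cookieValue == null) throw new ArgumentNullException("cookieValue");
        string s = cookieValue.Replace(' ', '+').Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)          // restore padding stripped by Encode
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
        }
        return Convert.FromBase64String(s);
    }

    // The OWIN path where the '+' became a space: context.Request.Cookies instead of HttpRequest.Cookies.
    public static byte[] ReadCookie(IOwinContext context, string name)
    {
        string value = context.Request.Cookies[name];
        return value == null ? null : Decode(value);
    }
}
```

Katana's own TextEncodings.Base64Url does the same URL-safe encoding, so switching the write side to it removes the problem for new cookies while Decode keeps accepting cookies issued before the change.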
About client and server-side interaction
The whole OAuth exchange can be seen as having three parties:
1. OAuth authentication service (server)
2. API service (resource)
3. Web site that calls the API (client)
The ultimate goal is for the client to obtain resource data, but the resource's data is not available to just anyone, so the client must first be authenticated and authorized by the server.
If you develop both the client and the server in .NET, then following the example with DotNetOpenAuth.OAuth2 is very convenient.
But we build OAuth to serve other sites, not only .NET ones, so it is important to understand the client's process.
First of all, each third-party client (web site, mobile app, etc.) must be assigned (or set for itself):
1. Client ID: a string that uniquely identifies the third-party application
2. Secret: the key corresponding to that client ID
3. Redirect URI: after authentication, the authentication service redirects to this page of the application, and this page receives the returned code
The overall process is as follows.
1. When the client needs authentication, it redirects to the authentication server:
http://server/OAuth/Authorize?client_id=...&redirect_uri=...&state=...&response_type=code
At this point the browser stays on the authentication server's page, where the user clicks the confirm button (if not logged in, it first goes to the login page, and returns to this page after login).
When the user confirms (agrees to authorize), the browser is redirected to the URL given in the redirect_uri parameter,
for example http://www.abc.com/test/authback
with parameters appended:
?code=....&state=....
Here state is whatever you sent to the service; the service returns it to you unchanged.
Before sending the request to the server you can generate a random value and save it in a cookie; when the server returns, compare the returned state with the cookie to detect whether the process was hijacked or tampered with.
The code is the key item: next we write a program that sends a request to the service using this code.
2. Send a POST request to http://server/OAuth/Token.
The form values include
redirect_uri=...&grant_type=authorization_code&code=...
where code is the code obtained in the previous step, and grant_type is a fixed value (this post only covers the authorization code grant).
redirect_uri is still the same address (note that it is not a different address: when the application was registered only this one address was set, so every return to the application uses it).
In addition, the request must carry a header built as follows:
clientid + colon + secret (clientid + ":" + secret)
Encode this string as UTF-8 and convert the bytes to a Base64 string.
The value of the Authorization header is "Basic " + the Base64 string (note the space).
If everything is OK, we get a JSON response that includes the access token, refresh token, expiration time, etc.
3. Take the access token to the API server to obtain data.
Again, when requesting the API we need to set a header:
the Authorization value is "Bearer " + accesstoken
About Expiration time and refresh
The JSON obtained in the second step contains, in addition to access_token,
expires_in and refresh_token.
expires_in is in seconds.
When the access token expires, you can use refresh_token to obtain a new one:
POST request to http://server/OAuth/Token
Headers are the same as in the second step.
Form:
grant_type=refresh_token (fixed value)
refresh_token=(the string obtained in the second step)
After the request succeeds you get JSON in the same format as in the second step.
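The client side of steps 1 to 3 and the refresh above, as an added example that is not part of the post (it is written in C# because that is what the post's server uses, but the same requests can be sent from any language). It generates and checks the state value, builds the Basic header exactly as described (UTF-8, then Base64), exchanges the code, tracks expires_in as an absolute time, and refreshes before calling the API. Class names, the Newtonsoft.Json dependency for parsing the response, and the 30-second refresh margin are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// What the token endpoint returned, with expires_in turned into an absolute UTC time.
public class TokenSet
{
    public string AccessToken, RefreshToken;
    public DateTime ExpiresAtUtc;

    public static TokenSet FromJson(JObject json)
    {
        return new TokenSet
        {
            AccessToken = (string)json["access_token"],
            RefreshToken = (string)json["refresh_token"],
            ExpiresAtUtc = DateTime.UtcNow.AddSeconds((int)json["expires_in"])
        };
    }

    // Refresh a little early so a request is not sent with a token that dies in flight.
    public bool NeedsRefresh() { return DateTime.UtcNow >= ExpiresAtUtc.AddSeconds(-30); }
}

public class OAuthClient
{
    private static readonly HttpClient Http = new HttpClient();
    private readonly string _serverBase, _clientId, _clientSecret, _redirectUri;

    public OAuthClient(string serverBase, string clientId, string clientSecret, string redirectUri)
    {
        _serverBase = serverBase.TrimEnd('/'); _clientId = clientId; _clientSecret = clientSecret; _redirectUri = redirectUri;
    }

    // Step 1: unguessable state; the caller stores it in a cookie before redirecting.
    public static string NewState()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public string BuildAuthorizeUrl(string state)
    {
        return _serverBase + "/OAuth/Authorize?client_id=" + Uri.EscapeDataString(_clientId)
             + "&redirect_uri=" + Uri.EscapeDataString(_redirectUri)
             + "&state=" + Uri.EscapeDataString(state) + "&response_type=code";
    }

    // Callback: the state in the query must equal the one saved in the cookie, otherwise ignore the code.
    public static bool StateMatches(string fromCookie, string fromQuery)
    {
        if (string.IsNullOrEmpty(fromCookie) || fromQuery == null || fromCookie.Length != fromQuery.Length) return false;
        int diff = 0;
        for (int i = 0; i < fromCookie.Length; i++) diff |= fromCookie[i] ^ fromQuery[i];
        return diff == 0;
    }

    // Step 2: exchange the code; redirect_uri is the registered one again.
    public Task<TokenSet> ExchangeCodeAsync(string code)
    {
        return PostTokenAsync(new Dictionary<string, string> {
            { "grant_type", "authorization_code" }, { "code", code }, { "redirect_uri", _redirectUri } });
    }

    // Refresh: same endpoint and header, only the form changes.
    public Task<TokenSet> RefreshAsync(string refreshToken)
    {
        return PostTokenAsync(new Dictionary<string, string> {
            { "grant_type", "refresh_token" }, { "refresh_token", refreshToken } });
    }

    // "Authorization: Basic " + base64(utf8(clientId + ":" + secret))
    public static string BasicCredential(string clientId, string secret)
    {
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(clientId + ":" + secret));
    }

    private async Task<TokenSet> PostTokenAsync(Dictionary<string, string> form)
    {
        var req = new HttpRequestMessage(HttpMethod.Post, _serverBase + "/OAuth/Token");
        req.Headers.Authorization = new AuthenticationHeaderValue("Basic", BasicCredential(_clientId, _clientSecret));
        req.Content = new FormUrlEncodedContent(form);
        HttpResponseMessage resp = await Http.SendAsync(req);
        string body = await resp.Content.ReadAsStringAsync();
        if (!resp.IsSuccessStatusCode)   // Katana answers e.g. {"error":"invalid_grant"} with HTTP 400
            throw new InvalidOperationException("token endpoint returned " + (int)resp.StatusCode + ": " + body);
        return TokenSet.FromJson(JObject.Parse(body));
    }

    // Step 3: call the API with "Authorization: Bearer <access_token>", refreshing first if needed.
    public async Task<string> GetResourceAsync(string apiUrl, TokenSet tokens)
    {
        if (tokens.NeedsRefresh())
        {
            TokenSet fresh = await RefreshAsync(tokens.RefreshToken);
            tokens.AccessToken = fresh.AccessToken; tokens.RefreshToken = fresh.RefreshToken; tokens.ExpiresAtUtc = fresh.ExpiresAtUtc;
        }
        var req = new HttpRequestMessage(HttpMethod.Get, apiUrl);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokens.AccessToken);
        HttpResponseMessage resp = await Http.SendAsync(req);
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync();
    }
}
```

The state check runs before the code is used, so a callback that did not originate from this browser session is dropped without ever contacting the token endpoint; the client secret only ever travels in the server-to-server POST, never in the browser redirect.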
The OWIN options on the server can set the authorization code and access token lifetimes; the defaults are 5 minutes and 20 minutes.
Building an OAuth2 server with MS OWIN
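The server-side counterpart, added here as an example and not taken from the post or the Katana sample: an OAuthAuthorizationServerOptions setup with the two lifetimes above, a provider that validates the registered redirect_uri exactly and checks the Basic client credentials from step 2, a single-use authorization code store, and a refresh token provider (without one Katana issues no refresh_token). The ClientRecord type, the demo client values, the in-memory code dictionary and the 14-day refresh lifetime are assumptions for this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

// One registered third-party application (constructed values). A real deployment keeps
// these in a database and stores the secret hashed, not in clear text.
public class ClientRecord { public string ClientId, Secret, RedirectUri; }

public class AppOAuthProvider : OAuthAuthorizationServerProvider
{
    private readonly Func<string, ClientRecord> _lookup;
    public AppOAuthProvider(Func<string, ClientRecord> lookup) { _lookup = lookup; }

    // Authorize endpoint: only the redirect_uri registered for this client_id, compared exactly,
    // so a code is never sent to an address the application did not register.
    public override Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
    {
        ClientRecord client = _lookup(context.ClientId);
        if (client != null && string.Equals(context.RedirectUri, client.RedirectUri, StringComparison.Ordinal))
            context.Validated(client.RedirectUri);
        return Task.FromResult<object>(null);
    }

    // Token endpoint: reads "Authorization: Basic base64(clientId:secret)" from step 2.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (context.TryGetBasicCredentials(out clientId, out clientSecret))
        {
            ClientRecord client = _lookup(clientId);
            if (client != null && FixedTimeEquals(clientSecret, client.Secret)) context.Validated(clientId);
        }
        return Task.FromResult<object>(null);   // not validated => Katana answers invalid_client
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class Startup
{
    private static readonly ClientRecord DemoClient = new ClientRecord
    {
        ClientId = "abc-web", Secret = "REPLACE-WITH-A-LONG-RANDOM-SECRET", RedirectUri = "http://www.abc.com/test/authback"
    };

    // Issued codes live here until redeemed; in-memory, so suitable for a single server only.
    private static readonly ConcurrentDictionary<string, string> Codes = new ConcurrentDictionary<string, string>();

    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            AuthorizeEndpointPath = new PathString("/OAuth/Authorize"),   // your consent page signs in the identity here
            TokenEndpointPath = new PathString("/OAuth/Token"),
            AllowInsecureHttp = false,                                     // codes, secrets and tokens only over TLS
            AuthorizationCodeExpireTimeSpan = TimeSpan.FromMinutes(5),    // Katana default
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),          // Katana default
            Provider = new AppOAuthProvider(id => id == DemoClient.ClientId ? DemoClient : null),
            AuthorizationCodeProvider = new AuthenticationTokenProvider
            {
                // Hand out an unguessable code and keep the serialized ticket on the server.
                OnCreate = ctx =>
                {
                    var bytes = new byte[32];
                    using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
                    string code = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
                    Codes[code] = ctx.SerializeTicket();
                    ctx.SetToken(code);
                },
                // TryRemove makes every code single-use; an unknown code yields no ticket => invalid_grant.
                OnReceive = ctx =>
                {
                    string ticket;
                    if (Codes.TryRemove(ctx.Token, out ticket)) ctx.DeserializeTicket(ticket);
                }
            },
            RefreshTokenProvider = new AuthenticationTokenProvider
            {
                OnCreate = ctx =>
                {
                    ctx.Ticket.Properties.ExpiresUtc = DateTime.UtcNow.AddDays(14);   // refresh token outlives the access token
                    ctx.SetToken(ctx.SerializeTicket());
                },
                OnReceive = ctx => ctx.DeserializeTicket(ctx.Token)
            }
        });
    }
}
```

The consent page at /OAuth/Authorize is the application's own controller action: after the user clicks confirm it signs in a ClaimsIdentity whose authentication type matches the options (Bearer by default), and the middleware then issues the code and performs the redirect to the validated redirect_uri with the code and the unchanged state.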