The OAuth 2.0 framework enables a third-party app to obtain limited access to an HTTP service. Instead of using the resource owner's credentials to access a protected resource, the client obtains an access token (which is a string denoting a specific scope, lifetime, and other access attributes). Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner.
This tutorial will cover:
- How to create an authorization server to support four authorization grant types and refresh tokens:
- Authorization code grant
- Implicit Grant
- Resource Owner Password Credentials Grant
- Client Credentials Grant
- Creating a resource server which is protected by an access token.
- Creating OAuth 2.0 clients.
app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions {Provider = new OAuthAuthorizationServerProvider { OnValidateClientRedirectUri = ValidateClientRedirectUri, OnValidateClientAuthentication = ValidateClientAuthentication, OnGrantResourceOwnerCredentials = GrantResourceOwnerCredentials, OnGrantClientCredentials = GrantClientCredetails }};
// Summary:
// Called when a request to the Token endpoint arrives with a "grant_type" of "client_credentials".
// This occurs when a registered client application wishes to acquire an "access_token"
// to interact with protected resources on it's own behalf, rather than on behalf
// of an authenticated user. If the web application supports the client credentials
// it may assume the context.ClientId has been validated by the ValidateClientAuthentication
// call. To issue an access token the context.Validated must be called with a new
// ticket containing the claims about the client application which should be associated
// with the access token. The application should take appropriate measures to ensure
// that the endpoint isn’t abused by malicious callers. The default behavior is
// to reject this grant type. See also http://tools.ietf.org/html/rfc6749#section-4.4.2
public Func<OAuthGrantClientCredentialsContext, Task> OnGrantClientCredentials { get; set; }