We have OWIN OAuth 2.0 set up (thanks to this fantastic post), but I needed to learn a little more about the actual process of converting a ClaimsIdentity into the actual access_token in the HTTP response.
We create the ClaimsIdentity by this method in our OAuth authorization provider:
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.Owin.Security.OAuth;

    public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
    {
        // <snip>

        public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            // validation, user checking code here

            // Build the identity that the middleware will serialize into the access_token
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim("sub", context.UserName));
            identity.AddClaim(new Claim("role", "user"));

            // Marking the context as validated tells the middleware to issue a token for this identity
            context.Validated(identity);
        }
    }
And when we make an HTTP POST request with the body grant_type=password&username=user007&password=jamesbond (relax, the password is OK here), we get this HTTP response body:
{"access_token":"9K8VtOBseU0-XZfdGe2_urn2HESY3jLkpgvowOQFPXsHeWNOrTlTVzfPu35ZEvr4AqSj_b0laesBegtVWuR8R-aItnNXw4vXiuCg0cTNMUKP_yfi89VhD446o2X6ffL8upwZVILpomweSweIVlDmwUDzIwf1ZqubrQ8vuiQDFu-_7vpjPwJ5yVvomQ75agsJWMZk-H_bVWSObds82aM8LCRJwb2bUJchr6_L1GP8xdXqRQz24uDhHvco-XByyMSMzZm-Qo0VVBbocbgP64OJulbihVG_W9e8G69UfbX99pIYiLyE4jixiUtjOKSiMYBISW3_fg","token_type":"bearer","expires_in":1799,"as:client_id":"","userName":"user007",".issued":"Fri, 31 Oct 2014 16:02:05 GMT",".expires":"Fri, 31 Oct 2014 16:32:05 GMT"}
Question: What is the logic that creates the actual access_token string?
Some specific issues in question:
- What is the internal structure of this access_token string?
- Is it encrypted or signed, or both? What key is used (suppose IIS / Azure Cloud Service)?
- How can we override the implementation that generates the actual string sent, and then checks for the same token / string on subsequent calls?
thanks
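The third bullet above (overriding how the token string is produced and later validated) maps to one extension point in Katana: the OAuthAuthorizationServerOptions.AccessTokenFormat property, an ISecureDataFormat&lt;AuthenticationTicket&gt; whose Protect method turns the ticket (the ClaimsIdentity plus its AuthenticationProperties) into the string and whose Unprotect method reverses it on later requests. The example below is added here and is not from the question or from the post it links to; it implements a hypothetical HmacSignedTicketFormat that serializes the ticket with the OWIN TicketSerializer and appends an HMAC-SHA256 tag, then wires it into both the authorization-server and bearer middleware so issuing and validation use the same format. The key-loading line is a placeholder; SimpleAuthorizationServerProvider is the class from the question. Note the trade-off this variant makes explicit: the tag prevents tampering, but the claims are only Base64Url-encoded, so any claim placed in the ticket is readable by whoever holds the token. The stock TicketDataFormat that Katana uses when AccessTokenFormat is left null both encrypts and authenticates the payload through the host's IDataProtector, so replace it only when you need a different format, and encrypt the payload if the claims are sensitive.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Microsoft.Owin.Security.DataHandler.Serializer;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical replacement for the default AccessTokenFormat (not Katana's own code).
// Token layout: Base64Url( TicketSerializer bytes || HMAC-SHA256 tag ).
// The claims are integrity-protected but NOT encrypted.
public sealed class HmacSignedTicketFormat : ISecureDataFormat<AuthenticationTicket>
{
    private const int TagLength = 32; // HMAC-SHA256 output size in bytes
    private readonly byte[] _key;
    private readonly TicketSerializer _serializer = new TicketSerializer();

    public HmacSignedTicketFormat(byte[] key)
    {
        if (key == null || key.Length < 32)
            throw new ArgumentException("Use a key of at least 32 random bytes.", "key");
        _key = key;
    }

    // Called by the authorization server when it issues the access_token.
    public string Protect(AuthenticationTicket data)
    {
        byte[] payload = _serializer.Serialize(data);
        byte[] tag;
        using (var hmac = new HMACSHA256(_key))
            tag = hmac.ComputeHash(payload);

        var token = new byte[payload.Length + TagLength];
        Buffer.BlockCopy(payload, 0, token, 0, payload.Length);
        Buffer.BlockCopy(tag, 0, token, payload.Length, TagLength);
        return TextEncodings.Base64Url.Encode(token);
    }

    // Called by the bearer middleware on every request carrying the token.
    // Returning null makes the request anonymous; the middleware enforces expiry.
    public AuthenticationTicket Unprotect(string protectedText)
    {
        byte[] token;
        try { token = TextEncodings.Base64Url.Decode(protectedText); }
        catch (FormatException) { return null; } // malformed input: reject, do not throw
        if (token.Length <= TagLength) return null;

        int payloadLength = token.Length - TagLength;
        var payload = new byte[payloadLength];
        var presentedTag = new byte[TagLength];
        Buffer.BlockCopy(token, 0, payload, 0, payloadLength);
        Buffer.BlockCopy(token, payloadLength, presentedTag, 0, TagLength);

        byte[] expectedTag;
        using (var hmac = new HMACSHA256(_key))
            expectedTag = hmac.ComputeHash(payload);

        if (!FixedTimeEquals(expectedTag, presentedTag)) return null; // tampered or wrong key
        return _serializer.Deserialize(payload);
    }

    // Constant-time comparison so the tag check does not leak timing information.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Placeholder: load the key from protected configuration or a key vault; never hard-code it.
        byte[] signingKey = Convert.FromBase64String("<base64 key from configuration>");
        var tokenFormat = new HmacSignedTicketFormat(signingKey);

        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
            AllowInsecureHttp = false,
            Provider = new SimpleAuthorizationServerProvider(),
            AccessTokenFormat = tokenFormat // issuing side (Protect)
        });

        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            AccessTokenFormat = tokenFormat // validating side (Unprotect); must match the issuer
        });
    }
}
```

Because both middlewares are handed the same format instance, a token issued by the /token endpoint is accepted on subsequent calls, and a token whose payload or tag has been altered fails the HMAC check and is treated as no credential at all. The same property pair is where a JWT format would be plugged in if a standard token layout is wanted.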