Implementing your own OAuth2 server and API server

We are trying to implement OAuth 2 and API servers (both are different servers), using Node.js for both.


We use the authorization code flow from https://github.com/FrankHassanabad/Oauth2orizeRecipes

We need to write a new validateToken function on the OAuth server and just push it with API to authenticate only this user.

We are thinking of keeping users and roles on the OAuth side, but we need to test them on the API side before giving an answer on the API.

We are trying to use it for authentication purposes, as well as for the CMS and mobile application. Are we on the right track, or is something missing?

+5
2 answers

I looked into more details and found the implementation of tokeninfo inside Oauth2orizeRecipes.

https://github.com/FrankHassanabad/Oauth2orizeRecipes/wiki/Token-Info-Endpoint

There are still a couple of questions that are unclear to me; I will update the answer again.

0
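The API-side check the question asks about, as an added example that is not code from the original post or from Oauth2orizeRecipes: the API server looks the bearer token up at the OAuth server and rejects the request unless audience, remaining lifetime and role all check out. The `audience` and `expires_in` response fields, the hypothetical `roles` field, the client id and the injected `lookup` function are assumptions.

```javascript
// Added example: API-side bearer-token check against the OAuth server's token-info endpoint.
// Assumed response shape: { audience, expires_in }; `roles` is a hypothetical extension.
const EXPECTED_AUDIENCE = 'cms-client'; // constructed client id for this API's consumers

// Pull the token out of "Authorization: Bearer <token>"; null if absent or malformed.
function extractBearer(headerValue) {
  const m = /^Bearer ([A-Za-z0-9\-._~+\/]+=*)$/.exec(headerValue || '');
  return m ? m[1] : null;
}

// Turn a token-info response into an allow/deny decision for one request.
function evaluateTokenInfo(info, requiredRole) {
  if (!info || info.error) return { status: 401, error: 'invalid_token' };
  // Reject tokens that were issued to a different client than the one this API serves.
  if (info.audience !== EXPECTED_AUDIENCE) return { status: 401, error: 'wrong_audience' };
  if (!(Number(info.expires_in) > 0)) return { status: 401, error: 'expired' };
  const roles = Array.isArray(info.roles) ? info.roles : [];
  if (requiredRole && !roles.includes(requiredRole)) return { status: 403, error: 'insufficient_role' };
  return { status: 200, roles };
}

// lookup(token) -> Promise<tokenInfo>; in production an HTTPS call to the OAuth server.
async function authorize(headers, requiredRole, lookup) {
  const token = extractBearer(headers.authorization);
  if (!token) return { status: 401, error: 'missing_token' };
  let info;
  try { info = await lookup(token); }
  catch (e) { return { status: 503, error: 'oauth_server_unreachable' }; } // fail closed
  return evaluateTokenInfo(info, requiredRole);
}

// Constructed stand-in for the OAuth server so the example runs offline.
const SAMPLE_TOKENS = {
  'tok-editor': { audience: 'cms-client', expires_in: 1200, roles: ['editor'] },
  'tok-other-app': { audience: 'some-other-client', expires_in: 1200, roles: ['admin'] },
  'tok-stale': { audience: 'cms-client', expires_in: 0, roles: ['editor'] },
};
const fakeLookup = async (t) => SAMPLE_TOKENS[t] || { error: 'invalid_token' };
```

A lookup failure returns 503 rather than letting the request through, so an outage of the OAuth server never turns into unauthenticated access to the API.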

(I came across a similar situation in .NET, so I am answering in that context.)

No, if you use OAuth, you do not need to write a new token validation method, because OAuthBearerAuthenticationProvider does this behind the scenes:

    app.UseJwtBearerAuthentication(
        new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            AllowedAudiences = new[] { audience },
            IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
            {
                new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
            },
            Provider = new OAuthBearerAuthenticationProvider
            {
                OnValidateIdentity = context =>
                {
                    context.Ticket.Identity.AddClaim(new System.Security.Claims.Claim("newCustomClaim", "newValue"));
                    return Task.FromResult<object>(null);
                }
            }
        });

(according to my experience). But if you want, it is possible to configure the Provider in your "startup" file:

    app.UseJwtBearerAuthentication(
        new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            AllowedAudiences = new[] { audience },
            IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
            {
                new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
            },
            Provider = new CustomOAuthBearerProvider()
        });

CustomOAuthBearerProvider inherits the IOAuthBearerAuthenticationProvider interface, which has a predefined signature for the RequestToken() method, and this method is called before any validation for the token. Therefore, I think you can use it for your custom token validation operations, and then send the token for OAuth verification.

0

Source: https://habr.com/ru/post/1240425/

