How are bearer tokens (OAuth2) created?

I want to know the internal process for encrypting and decrypting the bearer token used in OAuth2 and the code for it in ASP.NET Identity.

As soon as the server receives the token, it can retrieve the UserId, Roles, Claims and all the properties in it. So how are bearer tokens decrypted? What is the encryption algorithm and the code used?

+6
3 answers

Where do you get the token from? Tokens are rarely encrypted (sometimes they are), but they will always be encoded (and signed). OpenID (a protocol on top of OAuth2) uses JWT. OAuth2 (not OpenID) uses opaque tokens.

See http://jwt.io for libraries on JWT decoding.

+1

Here is a small Windows Forms tool that decrypts OAuth 2.0 bearer tokens using MachineKeyDataProtector.

So, if your application is hosted in IIS, you can use the above tool.

An OAuth 2.0 bearer token gets:

  • Serialized to a binary format

  • Encrypted with the MachineKey (DPAPI is used when the application is self-hosted, etc.)

  • Base64 encoded

0

Here is a short answer I have at hand all the time. OAuthBearerAuthenticationOptions contains the code needed to create the token. It should be configured in your OWIN startup.

 // Startup.Configuration(IAppBuilder app); OAuthBearerOptions is an OAuthBearerAuthenticationOptions instance
 app.UseOAuthBearerAuthentication(OAuthBearerOptions);

Given that ...

 // AuthenticationTicket / AuthenticationProperties: Microsoft.Owin.Security
 // SystemClock: Microsoft.Owin.Infrastructure
 var ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
 var currentUtc = new SystemClock().UtcNow;
 ticket.Properties.IssuedUtc = currentUtc;
 ticket.Properties.ExpiresUtc = currentUtc.Add(TimeSpan.FromMinutes(expirationMinutes));
 // OAuthBearerOptions is the same instance passed to app.UseOAuthBearerAuthentication above;
 // AccessTokenFormat serializes the ticket, protects it (MachineKey/DPAPI) and base64-encodes the result
 string accessToken = OAuthBearerOptions.AccessTokenFormat.Protect(ticket);
-3
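The two answers above describe the same pipeline (serialize the AuthenticationTicket, protect it with MachineKey/DPAPI, base64-encode) and show the Protect call that issues the token. The following console program is an added example, not code from any of the answers: it assembles that pipeline explicitly from the Katana classes (TicketSerializer inside TicketDataFormat, a DpapiDataProtectionProvider, base64url encoding) and then shows the two checks a server relies on, that a tampered token fails to unprotect and that an expired ticket is rejected. The protector purposes ("OAuth", "Access_Token", "v1"), the application name and the claim values are assumptions made for this demo; the real bearer middleware derives its own purposes, so tokens from this program are deliberately not interchangeable with a running application. It needs the Microsoft.Owin.Security NuGet package, and DpapiDataProtectionProvider only works on Windows.

```csharp
// Added example (not from the original answers): the OWIN/Katana bearer-token
// pipeline built by hand, plus the validation a server performs on each request.
using System;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;

class BearerTokenDemo
{
    static ISecureDataFormat<AuthenticationTicket> BuildFormat()
    {
        // Purposes are an assumption for this demo. A different purpose string
        // (or a different MachineKey / DPAPI scope) yields a protector that will
        // not accept tokens issued by another one; that isolation is intended.
        var provider = new DpapiDataProtectionProvider("BearerTokenDemo");
        IDataProtector protector = provider.Create("OAuth", "Access_Token", "v1");
        // TicketDataFormat = TicketSerializer (binary) + protector + Base64Url text encoding
        return new TicketDataFormat(protector);
    }

    static string Issue(ISecureDataFormat<AuthenticationTicket> format, string userId, int minutes)
    {
        var identity = new ClaimsIdentity("Bearer");
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId)); // constructed sample claims
        identity.AddClaim(new Claim(ClaimTypes.Role, "reader"));
        var props = new AuthenticationProperties();
        DateTimeOffset now = DateTimeOffset.UtcNow;
        props.IssuedUtc = now;
        props.ExpiresUtc = now.AddMinutes(minutes);
        return format.Protect(new AuthenticationTicket(identity, props));
    }

    // What the bearer middleware does per request: unprotect, then reject
    // unusable tickets. Returns null for garbage, tampered or expired tokens.
    static AuthenticationTicket Validate(ISecureDataFormat<AuthenticationTicket> format, string token)
    {
        AuthenticationTicket ticket = format.Unprotect(token); // null when DPAPI integrity check fails
        if (ticket == null || ticket.Identity == null) return null;
        DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value < DateTimeOffset.UtcNow) return null;
        return ticket;
    }

    static void Main()
    {
        ISecureDataFormat<AuthenticationTicket> format = BuildFormat();
        string token = Issue(format, "user-42", 20);
        Console.WriteLine("token: " + token);

        AuthenticationTicket ok = Validate(format, token);
        Console.WriteLine("valid: " + (ok != null) + ", user: "
            + ok?.Identity.FindFirst(ClaimTypes.NameIdentifier)?.Value);

        // Flip one character of the encoded token: the protected payload no
        // longer verifies, Unprotect returns null and the request is rejected.
        char[] chars = token.ToCharArray();
        int mid = chars.Length / 2;
        chars[mid] = chars[mid] == 'A' ? 'B' : 'A';
        Console.WriteLine("tampered valid: " + (Validate(format, new string(chars)) != null));

        // An already-expired ticket protects fine but fails the expiry check.
        string expired = Issue(format, "user-42", -1);
        Console.WriteLine("expired valid: " + (Validate(format, expired) != null));
    }
}
```

The token printed by this program is opaque to anyone without the same DPAPI scope and purposes, which is why the first answer calls OAuth2 tokens "opaque": the claims are inside, but only the issuing application can read them back.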

Source: https://habr.com/ru/post/975378/
