DNOA Using OAuth2 to Implement Resource Owner Password Flow?
Messages 1 - 25 of 34
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Tue, 24 Jul 2012 17:19:51 -0700
Subject: Re: [dotnetopenauth] DNOA Using OAuth2 to Implement Resource Owner Password Flow?

The OAuthAuthorizationServer  and OAuthResourceServer samples that you can
get from  http://sourceforge.net/projects/dnoa/files/latest/  should
outline how to build the server(s).  They don't demonstrate a resource
owner password grant but that should hopefully be a straightforward
addition.

It appears that you're sending the user credentials to the authorization
endpoint, which is incorrect.  You should send these to the *token* endpoint
instead.

As for the HTTPS requirement, DNOA *should *be honoring the web.config
setting but maybe that bit is buggy.  Can you include your web.config file
so I can check it for accuracy? (be sure to scrub it of any confidential
data)
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre

On Tue, Jul 24, 2012 at 2:47 PM, Rich Miller <richmiller...@gmail.com> wrote:
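What a correct resource owner password credentials request to the token endpoint looks like on the wire, as an added example in Python (not code from this thread or from DotNetOpenAuth). The endpoint URL, client identifier, client secret and user credentials are made-up values. The builder refuses a plain-http token endpoint unless the caller opts out for a local test, which is the same trade-off DNOA's relaxSslRequirements setting makes, and the response parser treats an error reply as a rejection rather than as a token.

```python
"""Client side of the resource owner password credentials grant (RFC 6749 4.3).

Added example, not code from this thread or from DotNetOpenAuth. All
endpoint URLs, client identifiers and credentials are made up.
"""
import base64
import json
from urllib.parse import urlencode, urlsplit


def build_password_grant_request(token_endpoint, client_id, client_secret,
                                 username, password, scope=(),
                                 relax_ssl_requirements=False):
    """Describe the HTTP request that carries the user's password.

    The password goes to the *token* endpoint (grant_type=password), never
    to the authorization endpoint, which only understands response_type
    messages. A plain-http endpoint is refused unless the caller opts out
    for a local test (the trade-off DNOA's relaxSslRequirements makes).
    """
    if urlsplit(token_endpoint).scheme != "https" and not relax_ssl_requirements:
        raise ValueError("refusing to send a password over %s" % token_endpoint)

    # Client authentication via HTTP Basic (RFC 6749 2.3.1) keeps the client
    # secret out of the form body, and therefore out of any body logging.
    basic = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode("utf-8")).decode("ascii")
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = " ".join(scope)  # scope values are space-delimited

    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": urlencode(form),
        "form": form,
    }


def parse_token_response(status, body):
    """Interpret the token endpoint's JSON reply.

    Returns (access_token, refresh_token, expires_in). An error reply such as
    DNOA's AccessTokenFailedResponse ({"error": "invalid_request"}) raises
    instead of being mistaken for a token; only bearer tokens are accepted.
    """
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise PermissionError("token request rejected: " + data.get("error", "http %d" % status))
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type %r" % data.get("token_type"))
    return data["access_token"], data.get("refresh_token"), int(data.get("expires_in", 0))
```

The "form" entry is returned alongside the encoded body only so that callers (and tests) can inspect exactly which fields were sent; a real client would send just the body. Note that nothing in the form is named response_type: that field belongs to authorization-endpoint messages.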


 
From: Rich Miller <richmiller...@gmail.com>
Date: Thu, 26 Jul 2012 08:20:45 -0700 (PDT)

Andrew,

Thanks for the response.  I'll admit to being really new to all of this --
both OAuth2 and DNOA -- and I guess there is one thing that has me a bit
confused at this point regarding DNOA.  Could you explain in general terms what the
role of each of the server types is?  Is the use of the Authorization
server appropriate and the name of the endpoint wrong?  What function does
a Resource Server perform?  If the client has received an access token from
the Authorization server, wouldn't I simply need to validate the token when
the client requested a resource from my API?

Here is my web.config dotnetopenauth section.  Nothing really special here,
since I just did a copy and paste from the docs on the web.  The only
change is in the messaging element where I added the relaxSslRequirements
attribute and changed the strict attribute's value to false.  The latter
was just a guess on my part since there was really no place I could look
other than diving into the source to see the effect the values have.  The
relaxSslRequirements idea came from another post in the forums.

Thanks for your patience.

Rich

  <dotNetOpenAuth>
    <openid maxAuthenticationTime="0:05" cacheDiscovery="true">
      <relyingParty>
        <security
            requireSsl="false"
            minimumRequiredOpenIdVersion="V10"
            minimumHashBitLength="160"
            maximumHashBitLength="256"
            requireDirectedIdentity="false"
            requireAssociation="false"
            rejectUnsolicitedAssertions="false"
            rejectDelegatingIdentifiers="false"
            ignoreUnsignedExtensions="false"
            protectDownlevelReplayAttacks="true"
            privateSecretMaximumAge="07:00:00" />
        <behaviors>
          <!-- <add type="Fully.Qualified.ClassName, Assembly" /> -->
        </behaviors>
        <store type="Fully.Qualified.ClassName, Assembly" />
      </relyingParty>
      <provider>
        <security
            requireSsl="false"
            protectDownlevelReplayAttacks="true"
            unsolicitedAssertionVerification="RequireSuccess|LogWarningOnFailure|NeverVerify"
            minimumHashBitLength="160"
            maximumHashBitLength="512">
          <associations>
            <add type="HMAC-SHA1" lifetime="14.00:00:00" />
            <add type="HMAC-SHA256" lifetime="14.00:00:00" />
          </associations>
        </security>
        <behaviors>
          <!-- <add type="Fully.Qualified.ClassName, Assembly" /> -->
        </behaviors>
        <!--<store type="Fully.Qualified.ClassName, Assembly" />-->
      </provider>
      <xriResolver enabled="true" proxy="xri.net" />
    </openid>
    <messaging clockSkew="00:10:00" lifetime="00:03:00" strict="false" relaxSslRequirements="true">
      <untrustedWebRequest
          timeout="00:00:10"
          readWriteTimeout="00:00:01.500"
          maximumBytesToRead="1048576"
          maximumRedirections="10">
        <whitelistHosts>
          <!-- since this is a sample, and will often be used with localhost -->
          <!-- <add name="localhost" /> -->
        </whitelistHosts>
        <whitelistHostsRegex>
          <!-- since this is a sample, and will often be used with localhost -->
          <!-- <add name="\.owndomain\.com$" /> -->
        </whitelistHostsRegex>
        <blacklistHosts>
        </blacklistHosts>
        <blacklistHostsRegex>
        </blacklistHostsRegex>
      </untrustedWebRequest>
    </messaging>
  </dotNetOpenAuth>


 
From: Rich Miller <richmiller...@gmail.com>
Date: Thu, 26 Jul 2012 10:27:28 -0700 (PDT)

Andrew,

So I've found some other samples and I've been trying to hit the token
endpoint as suggested in your previous post.  My Controller code looks a
bit like this now, which is pretty much straight from the samples:

    Imports DotNetOpenAuth.OAuth2

    Public Class OAuth2Controller
        Inherits System.Web.Mvc.Controller

        ' RCCAuthorizationServer is the IAuthorizationServerHost implementation;
        ' handing it to AuthorizationServer is what tells DNOA which host to call.
        Private ReadOnly authServer As AuthorizationServer = New AuthorizationServer(New RCCAuthorizationServer())

        ' Token endpoint: DNOA reads and validates the POST, then calls into the host.
        Public Function Token() As ActionResult
            Return authServer.HandleTokenRequest(Request).AsActionResult()
        End Function

    End Class

My RCCAuthorizationServer host implements the interface, but at this point
the interface implementation methods are just dummy methods with a lot of
breakpoints so I can see the sequence of calls that are being made when
HandleTokenRequest is called.  Unfortunately none of the breakpoints are
ever hit.  I am guessing this is because I need to tell the authorization
server somewhere what host to use, but I thought that might have happened
when I newed up the Authorization server with the new instance of the host
in the Private line above.

My web.config dotnetopenauth section looks like this now:

  <dotNetOpenAuth>
    <!-- Allow DotNetOpenAuth to publish usage statistics to library authors to improve the library. -->
    <reporting enabled="true" />
    <oauth2>
      <authorizationServer>
      </authorizationServer>
    </oauth2>

    <!-- Relaxing SSL requirements is useful for simple samples, but NOT a good idea in production. -->
    <messaging relaxSslRequirements="true">
      <untrustedWebRequest>
        <whitelistHosts>
          <!-- since this is a sample, and will often be used with localhost -->
          <add name="localhost"/>
        </whitelistHosts>
      </untrustedWebRequest>
    </messaging>
  </dotNetOpenAuth>

I am assuming that I might need to specify something in the authorization
server element under the oauth2 element?  So far, I can't find any example
code where this element is not empty.

Probably sounds like I could use a good tutorial.  Maybe if this message
thread gets long enough and produces results we can turn it into one... :-)

Thanks again,

Rich


 
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Thu, 26 Jul 2012 18:34:46 -0700

Hi Rich,

Your source code and web.config look good.  And the way you're plugging in
your RCCAuthorizationServer is good.  So if you're not getting any
breakpoint fired in your implementation, chances are DNOA is rejecting the
incoming request for some reason before it gets to where it needs to call
your code.  Have you tried activating logging
<http://tinyurl.com/dnoalogs> to see what's wrong?

--
Andrew Arnott
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Thu, 26 Jul 2012 18:34:47 -0700

Answers inline...

On Thursday, July 26, 2012, Rich Miller wrote:
> Andrew,

> Thanks for the response.  I'll admit to being really new to all of this --
> both OAuth2 and DNOA -- and I guess one thing that has me a bit confused at
> this point regarding DNOA.  Could you explain in general terms what the
> role of each of the server types is?

Authorization Server: the server that authenticates the user, asks the user
to authorize a client to access his/her data, and issues refresh and access
tokens.
Resource Server: the server that actually provides access to the protected
data.  This server *accepts* access tokens as authorization.  It does not
issue any tokens.

> Is the use of the Authorization server appropriate and the name of the
> endpoint wrong?

The URL itself isn't really that important, but seeing as an authorization
server has two endpoints, called the authorization endpoint and access
token endpoint, the fact that you were sending a message intended for the
access token endpoint to one named /Authorize was a clue that either you
named the URL in a confusing way, or you were calling the wrong one.

> What function does a Resource Server perform?

Answered above.

>  If the client has received an access token from the Authorization server,
> wouldn't I simply need to validate the token when the client requested a
> resource from my API?

Yes.  The resource server should new up a DNOA ResourceServer instance and
ask it to verify the access token.

--
Andrew Arnott
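The division of labour Andrew describes, as an added Python example that is not DotNetOpenAuth code: the authorization server is the only party that mints tokens, and the resource server only verifies what is presented to it. DNOA's ResourceServer checks a token the authorization server signed and encrypted with RSA key pairs; to keep this runnable offline the example assumes a single HMAC key shared between the two servers, and the key, claim names and token format are constructed for illustration.

```python
"""Authorization server issues tokens; resource server only verifies them.

Added example, not DotNetOpenAuth code. DNOA signs and encrypts access
tokens with RSA keys; this example assumes one HMAC key shared between the
two servers so it runs offline. Key, claim names and token format are
constructed for illustration.
"""
import base64
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # assumed shared out of band


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload, key):
    return _b64(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())


def issue_access_token(user, client_id, scopes, lifetime, now, key=SHARED_KEY):
    """Authorization server side: mint a signed, expiring token.

    `now` is seconds since the epoch, passed in so results are reproducible;
    in production use int(time.time()).
    """
    claims = {"sub": user, "client_id": client_id, "scope": sorted(scopes),
              "iat": now, "exp": now + lifetime}
    payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return payload + "." + _sign(payload, key)


def verify_access_token(token, required_scope, now, key=SHARED_KEY):
    """Resource server side: accept or reject a presented token.

    Returns the claims on success; raises PermissionError carrying the
    RFC 6750 error code (invalid_token / insufficient_scope) that the 401 or
    403 WWW-Authenticate reply should name. The signature is checked in
    constant time before the payload is parsed or trusted.
    """
    parts = token.split(".")
    if len(parts) != 2:
        raise PermissionError("invalid_token")
    payload, signature = parts
    if not hmac.compare_digest(_sign(payload, key), signature):
        raise PermissionError("invalid_token")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        raise PermissionError("invalid_token")
    if required_scope not in claims["scope"]:
        raise PermissionError("insufficient_scope")
    return claims


def bearer_token_from_header(headers):
    """Extract the token from 'Authorization: Bearer <token>' (RFC 6750 2.1)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise PermissionError("invalid_request")
    return token.strip()
```

The resource server never needs the code that issues tokens, only the verification key; keeping the two roles in separate functions (and, in practice, separate processes) is what makes the "accepts tokens, does not issue them" rule enforceable.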
From: Rich Miller <richmiller...@gmail.com>
Date: Mon, 30 Jul 2012 07:27:45 -0700 (PDT)

Andrew -

Thanks for the reply and suggestion.  I attempted to activate logging using
the instructions provided at the link you included in your response.
 However, using the logging instructions on that page didn't produce a log
file at all.  Someone else had the same issue and reported it on the
comments on that page.  Is there something I am missing in my configuration
that might not be included on that page?  Do I have to add something in the
DNOA configuration section to make it write log entries?

Thanks,

Rich


 
From: Rich Miller <richmiller...@gmail.com>
Date: Mon, 30 Jul 2012 07:47:36 -0700 (PDT)

Andrew,

I worked out the logging problem with the code on the instructions page.  I
was looking for the log entries in the file specified for the rolling log
file appender, but the root log4net element was putting log entries in the
tracefileappender.  Made the change and the logging worked.

Here is the log entry for the request I posted in my previous message.  It
seems to be saying that DNOA is having trouble identifying the appropriate
message type for the incoming request, but I'd appreciate any help
interpreting what it is trying to tell me:

2012-07-30 10:39:49,899 (GMT-4) [46] INFO  DotNetOpenAuth - DotNetOpenAuth, Version=4.1.0.12182, Culture=neutral, PublicKeyToken=2780ccd10d57b246 (official)
2012-07-30 10:39:49,908 (GMT-4) [46] WARN  DotNetOpenAuth.Messaging - Message type EndUserAuthorizationImplicitRequest has more than one message part named response_type.  Inherited members will be hidden.
2012-07-30 10:41:12,781 (GMT-4) [59] INFO  DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://localhost:61732/OAuth2/token
2012-07-30 10:41:12,782 (GMT-4) [59] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming HTTP request: POST http://localhost:61732/OAuth2/token
2012-07-30 10:41:12,790 (GMT-4) [59] DEBUG DotNetOpenAuth.Messaging - The following required parameters were missing from the DotNetOpenAuth.OAuth2.AuthServer.Messages.AccessTokenRefreshRequestAS message: {refresh_token, }
2012-07-30 10:41:12,792 (GMT-4) [59] DEBUG DotNetOpenAuth.Messaging - The following required parameters were missing from the DotNetOpenAuth.OAuth2.Messages.AccessTokenAuthorizationCodeRequestAS message: {code, }
2012-07-30 10:41:12,793 (GMT-4) [59] DEBUG DotNetOpenAuth.Messaging - The following required parameters were missing from the DotNetOpenAuth.OAuth2.Messages.EndUserAuthorizationRequest message: {response_type, }
2012-07-30 10:41:12,793 (GMT-4) [59] DEBUG DotNetOpenAuth.Messaging - The following required parameters were missing from the DotNetOpenAuth.OAuth2.Messages.EndUserAuthorizationImplicitRequest message: {response_type, }
2012-07-30 10:41:12,793 (GMT-4) [59] DEBUG DotNetOpenAuth.Messaging - The following required parameters were missing from the DotNetOpenAuth.OAuth2.Messages.EndUserAuthorizationFailedResponse message: {error, }
2012-07-30 10:41:12,795 (GMT-4) [59] WARN  DotNetOpenAuth.Messaging - Multiple message types seemed to fit the incoming data: {AccessTokenResourceOwnerPasswordCredentialsRequest (2.0), AccessTokenClientCredentialsRequest (2.0), }
2012-07-30 10:41:12,803 (GMT-4) [59] ERROR DotNetOpenAuth.Messaging - Protocol error: This message can only be sent over HTTPS.
   at DotNetOpenAuth.Messaging.ErrorUtilities.VerifyProtocol(Boolean condition, String unformattedMessage, Object[] args)
   at DotNetOpenAuth.OAuth2.Messages.AccessTokenRequestBase.EnsureValidMessage()
   at DotNetOpenAuth.OAuth2.Messages.MessageBase.DotNetOpenAuth.Messaging.IMessage.EnsureValidMessage()
   at DotNetOpenAuth.Messaging.MessageSerializer.Deserialize(IDictionary`2 fields, MessageDictionary messageDictionary)
   at DotNetOpenAuth.Messaging.Reflection.MessageDictionary.Deserialize(IDictionary`2 fields)
   at DotNetOpenAuth.Messaging.Channel.Receive(Dictionary`2 fields, MessageReceivingEndpoint recipient)
   at DotNetOpenAuth.Messaging.Channel.ReadFromRequestCore(HttpRequestBase request)
   at DotNetOpenAuth.OAuth2.ChannelElements.OAuth2AuthorizationServerChannel.ReadFromRequestCore(HttpRequestBase request)
   at DotNetOpenAuth.Messaging.Channel.ReadFromRequest(HttpRequestBase httpRequest)
   at DotNetOpenAuth.Messaging.Channel.TryReadFromRequest[TRequest](HttpRequestBase httpRequest, TRequest& request)
   at DotNetOpenAuth.OAuth2.AuthorizationServer.HandleTokenRequest(HttpRequestBase request)
   at TestDNOA.TestDNOA.OAuth2Controller.Token()
   at lambda_method(Closure , ControllerBase , Object[] )
   at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters)
   at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters)
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters)
   at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass15.<InvokeActionMethodWithFilters>b__12()
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation)
   at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass15.<>c__DisplayClass17.<InvokeActionMethodWithFilters>b__14()
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor, IDictionary`2 parameters)
   at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
   at System.Web.Mvc.Controller.ExecuteCore()
   at System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext)
   at System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext)
   at System.Web.Mvc.MvcHandler.<>c__DisplayClass6.<>c__DisplayClassb.<BeginProcessRequest>b__5()
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass1.<MakeVoidDelegate>b__0()
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
   at System.Web.Mvc.MvcHandler.<>c__DisplayClasse.<EndProcessRequest>b__d()
   at System.Web.Mvc.SecurityUtil.<GetCallInAppTrustThunk>b__0(Action f)
   at System.Web.Mvc.SecurityUtil.ProcessInApplicationTrust(Action action)
   at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
   at System.Web.HttpApplication.ApplicationStepManager.ResumeSteps(Exception error)
   at System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
   at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
   at System.Web.HttpRuntime.ProcessRequestNoDemand(HttpWorkerRequest wr)
   at System.Web.HttpRuntime.ProcessRequest(HttpWorkerRequest wr)
   at Microsoft.VisualStudio.WebHost.Request.Process()
   at Microsoft.VisualStudio.WebHost.Host.ProcessRequest(Connection conn)

2012-07-30 10:41:12,823 (GMT-4) [59] DEBUG DotNetOpenAuth.Messaging.Channel - Preparing to send AccessTokenFailedResponse (2.0) message.
2012-07-30 10:41:12,824 (GMT-4) [59] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth2.ChannelElements.MessageValidationBindingElement did not apply to message.
2012-07-30 10:41:12,824 (GMT-4) [59] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth2.ChannelElements.TokenCodeSerializationBindingElement did not apply to message.
2012-07-30 10:41:12,827 (GMT-4) [59] INFO  DotNetOpenAuth.Messaging.Channel - Prepared outgoing AccessTokenFailedResponse (2.0) message for <response>:
error: invalid_request

2012-07-30 10:41:12,829 (GMT-4) [59] DEBUG DotNetOpenAuth.Messaging.Channel - Sending message: AccessTokenFailedResponse

Thanks again,

Rich

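The sequence the log records, as an added Python example (not DotNetOpenAuth code): candidate token-endpoint message types are ruled out by missing required parameters, the tie between the password and client-credentials messages is resolved on the grant_type value, and a request that did not arrive over HTTPS is rejected with invalid_request before any host method runs, which is exactly why no breakpoint in the host ever fires. The message type names come from the log; the required-parameter table follows RFC 6749 and is an assumption about how DNOA's matcher behaves, and DemoHost with its check_resource_owner_credentials method is a hypothetical stand-in for the IAuthorizationServerHost implementation, not DNOA's interface.

```python
"""Token endpoint: identify the message, then check its transport, then call the host.

Added example, not DotNetOpenAuth code. Message names come from the log in
this thread; the required-parameter table and DemoHost are assumptions made
for illustration and are not DNOA's matcher or host interface.
"""
from urllib.parse import parse_qs, urlsplit

# Form fields each message type requires (assumed; per RFC 6749).
TOKEN_MESSAGES = {
    "AccessTokenRefreshRequestAS": ("grant_type", "refresh_token"),
    "AccessTokenAuthorizationCodeRequestAS": ("grant_type", "code"),
    "AccessTokenResourceOwnerPasswordCredentialsRequest": ("grant_type", "username", "password"),
    "AccessTokenClientCredentialsRequest": ("grant_type",),
}
# The grant_type value a surviving candidate must carry.
GRANT_TYPES = {
    "AccessTokenRefreshRequestAS": "refresh_token",
    "AccessTokenAuthorizationCodeRequestAS": "authorization_code",
    "AccessTokenResourceOwnerPasswordCredentialsRequest": "password",
    "AccessTokenClientCredentialsRequest": "client_credentials",
}


class DemoHost:
    """Hypothetical stand-in for the host whose breakpoints were never hit;
    it records every call so a test can show when the host is reached."""

    def __init__(self):
        self.calls = []

    def check_resource_owner_credentials(self, username, password):
        self.calls.append(("check_resource_owner_credentials", username))
        return username == "alice" and password == "correct horse"


def match_message_type(fields, log):
    """First pass keeps every message whose required parts are all present
    (the 'required parameters were missing' lines); a tie, such as password
    vs client_credentials, is then resolved on the grant_type value."""
    candidates = []
    for name, required in TOKEN_MESSAGES.items():
        missing = [p for p in required if p not in fields]
        if missing:
            log.append("missing from %s: %s" % (name, ",".join(missing)))
        else:
            candidates.append(name)
    if len(candidates) > 1:
        log.append("multiple message types fit: %s" % ",".join(candidates))
    for name in candidates:
        if fields.get("grant_type") == GRANT_TYPES[name]:
            return name
    return None


def handle_token_request(method, url, body, host, relax_ssl_requirements=False, log=None):
    """Return (status, response dict). Host callbacks run only after the
    message is identified and its HTTPS requirement is satisfied."""
    log = [] if log is None else log
    if method != "POST":
        return 405, {"error": "invalid_request"}
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    message = match_message_type(fields, log)
    if message is None:
        return 400, {"error": "unsupported_grant_type"}
    if urlsplit(url).scheme != "https" and not relax_ssl_requirements:
        log.append("Protocol error: This message can only be sent over HTTPS.")
        return 400, {"error": "invalid_request"}  # the AccessTokenFailedResponse in the log
    if message == "AccessTokenResourceOwnerPasswordCredentialsRequest":
        if not host.check_resource_owner_credentials(fields["username"], fields["password"]):
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": "issued-for-" + fields["username"], "token_type": "bearer"}
    return 400, {"error": "unsupported_grant_type"}  # other grants not wired up here
```

Run the same POST body against an http:// and an https:// URL and compare host.calls: on http the host is never consulted and the client gets only error: invalid_request, which matches the log line by line.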
From: Aleksander Heintz <alxa...@alxandr.me>
Date: Mon, 30 Jul 2012 08:42:05 -0700 (PDT)

Can I just state here (mildly off topic) that the logging guide is hugely
confusing for people who haven't used log4net before and simply copy-paste
the logging code? When you see code like that given to you telling you that
"this will enable logging", you sort of just expect it to work. The code
should be changed so that the file appender is the default, not the trace
thingy (which I still have no idea what it is).


 
From: Rich Miller <richmiller...@gmail.com>
Date: Mon, 30 Jul 2012 09:05:14 -0700 (PDT)

I'll second that motion!  If I had not been using log4net in some of my
current projects, I would not have noticed the config issue.  And it still
escaped my notice the first time through :-)


 
From: Rich Miller <richmiller...@gmail.com>
Date: Mon, 30 Jul 2012 10:17:49 -0700 (PDT)

Andrew,

Looking at the log, the other error that is popping up is "Protocol error:
This message can only be sent over HTTPS."

I tried to set the relaxSslRequirements option in my web.config to true,
but it seems to be having no effect.  I put code in my controller like this
(which I think I should be able to do):

        Public Function Token() As ActionResult
            Dim msgConf As MessagingElement = MessagingElement.Configuration
            Return authServer.HandleTokenRequest(Request).AsActionResult()
        End Function

and examining the RelaxSslRequirements property on the msgConf always seems
to return false.  Therefore, it looks like
the ErrorUtilities.VerifyProtocol function call on AccessTokenRequestBase
is always failing, which is why my request message is not being accepted
and none of my authorization server host methods are being called??

This would seem to be a simple fix to the configuration section handler,
but I'm having a hard time seeing anything wrong with it, other than
perhaps it is an attribute as opposed to an element??

/// <summary>
/// The name of the attribute that indicates whether to disable SSL requirements across the library.
/// </summary>
private const string RelaxSslRequirementsConfigName = "relaxSslRequirements";

/// <summary>
/// Gets or sets a value indicating whether SSL requirements within the library are disabled/relaxed.
/// Use for TESTING ONLY.
/// </summary>
[ConfigurationProperty(RelaxSslRequirementsConfigName, DefaultValue = false)]
internal bool RelaxSslRequirements {
    get { return (bool)this[RelaxSslRequirementsConfigName]; }
    set { this[RelaxSslRequirementsConfigName] = value; }
}

Let me know if you concur and what the appropriate fix would be.

Thanks,

Rich

From: Rich Miller <richmiller...@gmail.com>
Date: Mon, 30 Jul 2012 13:09:39 -0700 (PDT)

Aleksander,

FYI, the trace thingy you were trying to find appears to be a custom class
in the DNOA samples that results in log messages being accumulated in
memory and accessible from a global application property called
LogMessages.  Got curious myself and found it in the sample code...

Rich


 
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Tue, 31 Jul 2012 12:01:15 -0700

Considering that the samples work with relaxSslRequirements="true" with
HTTPS, I suspect there's something wrong with your .config file rather than
a bug in the library.  Maybe double-check that you have the
<configSections> defined appropriately according to the samples? (or if you
used NuGet that should do it for you).

--
Andrew Arnott

On Mon, Jul 30, 2012 at 10:17 AM, Rich Miller <richmiller...@gmail.com> wrote:
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Tue, 31 Jul 2012 12:13:01 -0700

This is good feedback.  I've fixed the log4net documentation.
--
Andrew Arnott

On Mon, Jul 30, 2012 at 9:05 AM, Rich Miller <richmiller...@gmail.com> wrote:
From: Rich Miller <richmiller...@gmail.com>
Date: Wed, 1 Aug 2012 07:58:43 -0700 (PDT)

Andrew -

Here is the full content of my web.config.  I'm not sure there is anything
else here that could be wrong.  Am I referring to the appropriate section
handler for DNOA?  I'm running this under the built-in development server
from VS2010 - that would not create a problem would it?

<?xml version="1.0"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=152368
  -->

<configuration>
  <configSections>
    <section name="uri" type="System.Configuration.UriSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <section name="dotNetOpenAuth" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection" requirePermission="false" allowLocation="true"/>
    <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler" requirePermission="false" />
  </configSections>

  <!-- The uri section is necessary to turn on .NET 3.5 support for IDN (international domain names),
       which is necessary for OpenID urls with unicode characters in the domain/host name.
       It is also required to put the Uri class into RFC 3986 escaping mode, which OpenID and OAuth require. -->
  <uri>
    <idn enabled="All"/>
    <iriParsing enabled="true"/>
  </uri>
  <appSettings>
    <add key="webpages:Version" value="1.0.0.0"/>
    <add key="ClientValidationEnabled" value="true"/>
    <add key="UnobtrusiveJavaScriptEnabled" value="true"/>
  </appSettings>

  <system.web>
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
        <add assembly="System.Web.Helpers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
        <add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
        <add assembly="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
        <add assembly="System.Web.WebPages, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
      </assemblies>
    </compilation>

    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" />
    </authentication>

    <pages>
      <namespaces>
        <add namespace="System.Web.Helpers" />
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Mvc.Ajax" />
        <add namespace="System.Web.Mvc.Html" />
        <add namespace="System.Web.Routing" />
        <add namespace="System.Web.WebPages"/>
      </namespaces>
    </pages>
  </system.web>

  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>

  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <!-- this is an optional configuration section where aspects of dotnetopenauth can be customized -->
  <dotNetOpenAuth>
    <!-- Allow DotNetOpenAuth to publish usage statistics to library authors to improve the library. -->
    <reporting enabled="true" />
    <oauth2>
      <authorizationServer>
      </authorizationServer>
    </oauth2>

    <!-- Relaxing SSL requirements is useful for simple samples, but NOT a good idea in production. -->
    <messaging relaxSslRequirements="true">
      <untrustedWebRequest>
        <whitelistHosts>
          <!-- since this is a sample, and will often be used with localhost -->
          <add name="localhost"/>
        </whitelistHosts>
      </untrustedWebRequest>
    </messaging>
  </dotNetOpenAuth>

  <log4net>
    <appender name="RollingFileAppender" type="log4net.Appender.RollingFileAppender">
      <file value="c:\logs\OAuth2.log" />
      <appendToFile value="true" />
      <rollingStyle value="Size" />
      <maxSizeRollBackups value="10" />
      <maximumFileSize value="100KB" />
      <staticLogFileName value="true" />
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date (GMT%date{%z}) [%thread] %-5level %logger - %message%newline" />
      </layout>
    </appender>
    <appender name="TracePageAppender" type="OpenIdRelyingPartyWebForms.Code.TracePageAppender, OpenIdRelyingPartyWebForms">
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date (GMT%date{%z}) [%thread] %-5level %logger - %message%newline" />
      </layout>
    </appender>
    <!-- Setup the root category, add the appenders and set the default level -->
    <root>
      <level value="INFO" />
      <appender-ref ref="RollingFileAppender" />
      <!--<appender-ref ref="TracePageAppender" />-->
    </root>
    <!-- Specify the level for some specific categories -->
    <logger name="DotNetOpenAuth">
      <level value="ALL" />
    </logger>
  </log4net>

</configuration>

Thanks,

Rich

...



Andrew Arnott  
View profile  
 More options Aug 1 2012, 8:08 pm
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Wed, 1 Aug 2012 17:08:07 -0700
Local: Wed, Aug 1 2012 8:08 pm
Subject: Re: [dotnetopenauth] DNOA Using OAuth2 to Implement Resource Owner Password Flow?

Rich, your section handler doesn't include assembly names.  If you're using
DotNetOpenAuth v4.x, it's pretty out of date.  Here's what you need,
assuming you're using the NuGet (non-unified) assemblies:

<sectionGroup name="dotNetOpenAuth"
type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection,
DotNetOpenAuth.Core">
<section name="openid" type="DotNetOpenAuth.Configuration.OpenIdElement,
DotNetOpenAuth.OpenId" requirePermission="false" allowLocation="true" />
<section name="oauth" type="DotNetOpenAuth.Configuration.OAuthElement,
DotNetOpenAuth.OAuth" requirePermission="false" allowLocation="true" />
<section name="messaging"
type="DotNetOpenAuth.Configuration.MessagingElement, DotNetOpenAuth.Core"
requirePermission="false" allowLocation="true" />
<section name="reporting"
type="DotNetOpenAuth.Configuration.ReportingElement, DotNetOpenAuth.Core"
requirePermission="false" allowLocation="true" />
</sectionGroup>

If you *are *using the unified dotnetopenauth.dll assembly, just change all
the assembly names to match in the above snippet.

...



Rich Miller  
View profile  
 More options Aug 2 2012, 10:12 am
From: Rich Miller <richmiller...@gmail.com>
Date: Thu, 2 Aug 2012 07:12:16 -0700 (PDT)
Local: Thurs, Aug 2 2012 10:12 am
Subject: Re: [dotnetopenauth] DNOA Using OAuth2 to Implement Resource Owner Password Flow?

Andrew,

Thanks for the updated config code.  I inserted this into my web.config and
found that the oauth2 section was unknown.  I went back to some sample code
from Dave Christiansen and added his config info for the oauth2 section
group, and the problem went away. My request message was finally received
and accepted, and my authorization server host methods were called.

So far so good.  Baby steps. :-)

Now on to understanding why each of my authorization server host functions
is called and what each should do when called.

Rich

...



Andrew Arnott  
View profile  
 More options Aug 2 2012, 10:49 am
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Thu, 2 Aug 2012 07:49:58 -0700
Local: Thurs, Aug 2 2012 10:49 am
Subject: Re: [dotnetopenauth] DNOA Using OAuth2 to Implement Resource Owner Password Flow?

Great.

Hopefully this will help you on your next steps:
http://docs.dotnetopenauth.net/v4.1/html/AllMembers_T_DotNetOpenAuth_...

--
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre

Rich Miller  
View profile  
 More options Aug 2 2012, 11:58 am
From: Rich Miller <richmiller...@gmail.com>
Date: Thu, 2 Aug 2012 08:58:45 -0700 (PDT)
Local: Thurs, Aug 2 2012 11:58 am
Subject: Re: [dotnetopenauth] DNOA Using OAuth2 to Implement Resource Owner Password Flow?

Thanks for the link to the documentation, which is extremely helpful.  What
I also really need to do is gain an understanding of the flow of function
calls in the authorization server and the when and why each function would
be called.  For example, when would IsAuthorizationValid ever be called?  I
thought that once the Authorization server did its job, it would be out of
the way and would turn things over to a ResourceServer to check the access
token and serve up resources to authorized clients.  Is there a non-WCF
sample you could point me to that demonstrates how the resource server and
authorization server work together to do that?

Also, the docs for TryAuthorizeResourceOwnerCredentialGrant say that I
should "record an authorization entry such that subsequent calls to
IsAuthorizationValid(IAuthorizationDescription) would return true."  Since
none of the sample code I have implements this method -- they all throw a
NotImplementedException -- I am assuming that I need to record the access
token and the client information in a database somewhere so that I can look
it back up in IsAuthorizationValid to confirm that the access token is
legit and belongs to the client that sent it?

There also seems to be some cryptographic signing of the access tokens
going on in the methods that create them.  Are these methods called
automatically?  Is DNOA expecting a specific crypto provider to be used?
Do I need crypto at all, since the OAuth 2 spec seems to require TLS as
opposed to signed tokens?

Thanks,

Rich


Andrew Arnott  
View profile  
 More options Aug 24 2012, 10:05 am
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Fri, 24 Aug 2012 07:05:52 -0700
Local: Fri, Aug 24 2012 10:05 am
Subject: Re: [dotnetopenauth] DNOA Using OAuth2 to Implement Resource Owner Password Flow?

Hi Rich,

Sorry for taking so long to respond.  Some responses inline...

On Thu, Aug 2, 2012 at 8:58 AM, Rich Miller <richmiller...@gmail.com> wrote:
> Thanks for the link to the documentation, which is extremely helpful.
>  What I also really need to do is gain an understanding of the flow of
> function calls in the authorization server and the when and why each
> function would be called.  For example, when would IsAuthorizationValid
> ever be called?

In response to the resource owner password grant type, the client may get
both a refresh token and an access token.  When the access token expires,
the client can request a new access token using their refresh token.  It is
at this point of requesting a new one that the IsAuthorizationValid is
called to verify that the user has not revoked access to that client.

> I thought that once the Authorization server did its job, it would be out
> of the way and would turn things over to a ResourceServer to check the
> access token and serve up resources to authorized clients.

That's correct.

> Is there a non-WCF sample you could point me to that demonstrates how the
> resource server and authorization server work together to do that?

Yes: David's is here:
https://github.com/DavidChristiansen/DotNetOpenAuth.WebAPI.40

> Also, the docs for TryAuthorizeResourceOwnerCredentialGrant say that I
> should "record an authorization entry such that subsequent calls to
> IsAuthorizationValid(IAuthorizationDescription) would return true."  Since
> none of the sample code I have implements this method -- they all throw a
> NotImplementedException -- I am assuming that I need to record the access
> token and the client information in a database somewhere so that I can look
> it back up in IsAuthorizationValid to confirm that the access token is
> legit and belongs to the client that sent it?

Correct.

> There also seems to be some cryptographic signing of the access tokens
> going on in the methods that create them.  Are these methods called
> automatically?  Is DNOA expecting a specific crypto provider to be used?
>  Do I need crypto at all, since the OAuth 2 spec seems to require TLS as
> opposed to signed tokens.

Your IAuthorizationServerHost needn't do any crypto itself.  It merely
exposes RSACryptoServiceProviders and DNOA does the crypto.
The crypto that OAuth 2 does away with in favor of TLS is the crypto that
is negotiated between auth server and client, and between client and
resource server.  Crypto is still applicable and frequently used between
auth server and resource server to allow the resource server to verify the
validity of the access token (since it goes through the untrusted client
third party).  DNOA also encrypts the access token so that the auth server
can embed confidential information intended for the resource server without
the client seeing it.

The OAuth 2 spec could be implemented without any crypto (besides TLS) by
having the resource server make a callback to the auth server for every
incoming call to validate the access token.  Most folks find that an
undesirable perf hit and load on the servers to double every incoming
request and take a database query hit at the auth server besides.  That's
why crypto in the bearer access token itself is still popular.


Rich Miller  
View profile  
 More options Aug 24 2012, 4:25 pm
From: Rich Miller <richmiller...@gmail.com>
Date: Fri, 24 Aug 2012 13:25:54 -0700 (PDT)
Local: Fri, Aug 24 2012 4:25 pm
Subject: Re: [dotnetopenauth] DNOA Using OAuth2 to Implement Resource Owner Password Flow?

Andrew,

Thanks for the reply.  No problem about the delay -- I've managed to keep
busy. :-)

Based on your reply and a read of the source code, I think some of this is
starting to sink in.  I understand now based on the source and your reply
to another post that the access token you generate is not just a random
unique token but an encrypted/serialized collection of information about
the sender, including the client id, the username and the access token
expiration date and time.  In DNOA the authorization server is used to read
the token request, authorize the request and generate and send the access
token response, which I assume you send in the appropriate json format
according to the spec.  Do I have any way of manually sending the token
response rather than using the method call to do it for me?

I looked at David Christiansen's example for Web API and saw that the
ResourceServer is used to decrypt/deserialize the access token received in
the resource request, validate the contents and store the user information
in the Principal so that it can be accessed by the controller's action
method code.  I was a little surprised to see that there was no check by
the resource server against some sort of token store -- probably like the
one or the same one that would be used to reauthorize the token in a
refresh -- to verify that the access token had actually been granted to the
client.  I guess the assumption is that if the client has the token and it
can be successfully decrypted/deserialized that it must have been granted
by the authorization server.  Would it not be advisable to perform such a
check?  That would also allow me to provide sliding expiration for my
access tokens if the tokens were in some sort of store that included an
expiration date that could be updated based on the last access.

Also, is it possible to add custom data to the access token without
altering the core source code of DNOA?  It would be useful to store a small
amount of other info about the user or client in the token if the resource
server is not looking up some corresponding token information in a store on
each request.

Thanks again for all of the clarifications you have provided.  It has
filled in a large number of gaps for me.

Rich

One of the checks being done is to compare the current UTC date against the
token's issue date and expiration time to


Øyvind Sean Kinsey  
View profile  
 More options Aug 24 2012, 4:43 pm
From: Øyvind Sean Kinsey <oyv...@kinsey.no>
Date: Fri, 24 Aug 2012 13:43:16 -0700
Local: Fri, Aug 24 2012 4:43 pm
Subject: Re: [dotnetopenauth] DNOA Using OAuth2 to Implement Resource Owner Password Flow?

Hey Rich - using self-describing tokens vs backchannel verification has
been discussed multiple times - you might find the answer you are looking
for in one of the previous threads:
https://groups.google.com/forum/#!searchin/dotnetopenid/backchannel

Øyvind Sean Kinsey
San Francisco, CA

On Fri, Aug 24, 2012 at 1:25 PM, Rich Miller <richmiller...@gmail.com> wrote:


Rich Miller  
View profile  
 More options Aug 24 2012, 4:49 pm
From: Rich Miller <richmiller...@gmail.com>
Date: Fri, 24 Aug 2012 13:49:46 -0700 (PDT)
Local: Fri, Aug 24 2012 4:49 pm
Subject: Re: [dotnetopenauth] DNOA Using OAuth2 to Implement Resource Owner Password Flow?

Thanks.  So that's referred to as a backchannel verification?  I think I
saw that term in some posts.  I will take a look at the threads you
suggested.

Rich


Andrew Arnott  
View profile  
 More options Aug 24 2012, 10:53 pm
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Fri, 24 Aug 2012 19:53:49 -0700
Local: Fri, Aug 24 2012 10:53 pm
Subject: Re: [dotnetopenauth] DNOA Using OAuth2 to Implement Resource Owner Password Flow?

On Fri, Aug 24, 2012 at 1:25 PM, Rich Miller <richmiller...@gmail.com> wrote:

> Based on your reply and a read of the source code, I think some of this is
> starting to sink in.  I understand now based on the source and your reply
> to another post that the access token you generate is not just a random
> unique token but an encrypted/serialized collection of information about
> the sender, including the client id, the username and the access token
> expiration date and time.  In DNOA the authorization server is used to read
> the token request, authorize the request and generate and send the access
> token response, which I assume you send in the appropriate json format
> according to the spec.  Do I have any way of manually sending the token
> response rather than using the method call to do it for me?

No, DNOA does not use a JSON format for its access tokens. The OAuth 2 spec
does not describe the access token format in any way.  There is a
collection of specs around "JWT"s that do describe a possible format for
access tokens, but the specs are so difficult and costly (in dev time) to
comply with, and so little demand for that format from DNOA users, that
DNOA uses a much simpler format of its own.  Using a proprietary format
turns out to not be any problem at all -- as long as DNOA is at both the
authorization server and resource server roles.  The client end is
inconsequential.

As for whether you can construct an access token yourself, *maybe*.  I
don't recall for sure.  What is your scenario? (i.e. why wouldn't you want
DNOA to do it for you?)

> I looked at David Christiansen's example for Web API and saw that the
> ResourceServer is used to decrypt/deserialize the access token received in
> the resource request, validate the contents and store the user information
> in the Principal so that it can be accessed by the controller's action
> method code.  I was a little surprised to see that there was no check by
> the resource server against some sort of token store -- probably like the
> one or the same one that would be used to reauthorize the token in a
> refresh -- to verify that the access token had actually been granted to the
> client.  I guess the assumption is that if the client has the token and it
> can be successfully decrypted/deserialized that it must have been granted
> by the authorization server.

It's not just decrypted.  It has a signature that is verified, which
verifies to the resource server that this is a legit access token from the
authorization server.

> Would it not be advisable to perform such a check?

Absolutely. But signature verification is sufficient to confirm the token's
validity, unless your requirements mandate a live check that the
authorization hasn't been revoked. For most purposes, an access token with
a short lifetime (say, 2-5 minutes) will shut a client down soon enough
after revocation to satisfy security requirements.  This avoids the tax of
the extra HTTP call from resource server to the auth server and a DB lookup.

> That would also allow me to provide sliding expiration for my access tokens
> if the tokens were in some sort of store that included an expiration date
> that could be updated based on the last access.

Yes, a backchannel would be the only way to provide a sliding expiration.
But IMO a sliding expiration would be redundant with the purpose of
refresh tokens.  I advise against reinventing this and sticking with the
OAuth 2 spec, which has a fixed lifetime (or no set lifetime at all) for
access tokens.

> Also, is it possible to add custom data to the access token without
> altering the core source code of DNOA?  It would be useful to store a small
> amount of other info about the user or client in the token if the resource
> server is not looking up some corresponding token information in a store on
> each request.

Yes, we've had this request before.  In
IAuthorizationServerHost.CreateAccessToken, you create an
AuthorizationServerAccessToken, which has an ExtraData dictionary in it.
You can fill whatever you want in this dictionary to be received by the
resource server.
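To illustrate the two replies above (recording the password grant so that IsAuthorizationValid can answer a later refresh-token request, and setting a short Lifetime plus ExtraData in CreateAccessToken), here is a hypothetical host written for this thread; it is not DNOA's sample code, it assumes the v4.1 IAuthorizationServerHost signatures and namespaces, and its grant store is a constructed in-memory dictionary standing in for a database.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using DotNetOpenAuth.OAuth2;
using DotNetOpenAuth.OAuth2.ChannelElements;
using DotNetOpenAuth.OAuth2.Messages;

// Hypothetical host for this thread, not DNOA's own sample. Declared partial:
// CryptoKeyStore, NonceStore, GetClient and the client-credentials grant are
// assumed to live in another file of the application.
public partial class PasswordGrantHost : IAuthorizationServerHost
{
    // Constructed in-memory grant store keyed by "clientId|user". Production
    // code would use a database shared by every auth server instance.
    private sealed class Grant
    {
        public DateTime UtcIssued;    // when the user last granted this client
        public DateTime? UtcRevoked;  // set by the application when the user revokes
    }

    private static readonly ConcurrentDictionary<string, Grant> Grants =
        new ConcurrentDictionary<string, Grant>();

    private readonly RSACryptoServiceProvider signingKey;        // auth server private key
    private readonly RSACryptoServiceProvider resourceServerKey; // resource server public key
    private readonly Func<string, string, bool> checkPassword;   // hypothetical user-store hook

    public PasswordGrantHost(RSACryptoServiceProvider signingKey,
        RSACryptoServiceProvider resourceServerEncryptionKey, Func<string, string, bool> checkPassword)
    {
        this.signingKey = signingKey;
        this.resourceServerKey = resourceServerEncryptionKey;
        this.checkPassword = checkPassword;
    }

    private static string Key(string clientId, string user) { return clientId + "|" + user; }

    // Token endpoint, grant_type=password: verify the credentials, then record
    // the grant so a later refresh-token request can be validated.
    public bool TryAuthorizeResourceOwnerCredentialGrant(string userName, string password,
        IAccessTokenRequest accessRequest, out string canonicalUserName)
    {
        canonicalUserName = null;
        if (!this.checkPassword(userName, password)) return false;
        canonicalUserName = userName.Trim().ToLowerInvariant();
        Grants[Key(accessRequest.ClientIdentifier, canonicalUserName)] =
            new Grant { UtcIssued = DateTime.UtcNow };
        return true;
    }

    // Called when a refresh token is redeemed. DNOA has already checked the
    // token's signature; this only answers "has the user revoked this client?".
    public bool IsAuthorizationValid(IAuthorizationDescription authorization)
    {
        Grant grant;
        if (!Grants.TryGetValue(Key(authorization.ClientIdentifier, authorization.User), out grant))
            return false;
        if (grant.UtcRevoked.HasValue) return false;
        // A refresh token issued before the current grant predates a re-grant
        // (for example after a password change) and is refused. One second of
        // slack allows for the serialized timestamp being cut to whole seconds.
        return authorization.UtcIssued >= grant.UtcIssued.AddSeconds(-1);
    }

    // A short lifetime bounds how long a revoked client keeps working without
    // a backchannel check; ExtraData carries claims the resource server reads
    // after DNOA has verified the signature and decrypted the token.
    public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
    {
        var token = new AuthorizationServerAccessToken
        {
            Lifetime = TimeSpan.FromMinutes(5),
            AccessTokenSigningKey = this.signingKey,
            ResourceServerEncryptionKey = this.resourceServerKey,
        };
        token.ExtraData["issued_by"] = "password-grant"; // hypothetical custom claim
        return new AccessTokenResult(token);
    }
}
```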

Rich Miller  
View profile  
 More options Aug 27 2012, 11:11 am
From: Rich Miller <richmiller...@gmail.com>
Date: Mon, 27 Aug 2012 08:11:40 -0700 (PDT)
Local: Mon, Aug 27 2012 11:11 am
Subject: Re: [dotnetopenauth] DNOA Using OAuth2 to Implement Resource Owner Password Flow?

Andrew,

I don't think I stated my first question clearly enough.  I was referring
to the access token *response*, not the access token itself.  According to
the OAuth 2 spec, the authorization server typically sends back the access
token in an OAuth 2.0 access token response, like so:

    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache

    {
        "access_token":"mF_9.B5f-4.1JqM",
        "token_type":"Bearer",
        "expires_in":3600,
        "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
    }

There is a method in DNOA used in the MVC controller samples for the
authorization server that sends the response back from the token request
like this:

    return this.authorizationServer.HandleTokenRequest(this.Request).AsActionResult();

Since I am using Web API to handle the token request, I wanted to
understand if there is a method in DNOA to return the access token as an
HttpResponseMessage with the format above or if I need to model an object
and return it on my own.  My assumption was that *AsActionResult *was
returning the data as above.

Thanks for the rest of the info.  Very helpful.

Rich


Brad Laney  
View profile  
 More options Aug 27 2012, 11:43 am
From: Brad Laney <brad.j.la...@gmail.com>
Date: Mon, 27 Aug 2012 10:43:19 -0500
Local: Mon, Aug 27 2012 11:43 am
Subject: Re: [dotnetopenauth] DNOA Using OAuth2 to Implement Resource Owner Password Flow?

Hey,

I'm in the same boat. It's not built in to dnoa, however, your web api is an
mvc4 project. You can easily run it as MVC for the auth server and web api
as the resource server.

Since dnoa works in a distributed environment, this method works great.
Trick is to only consider your web api as the resource server only.
On Aug 27, 2012 10:11 AM, "Rich Miller" <richmiller...@gmail.com> wrote:

