How to get user-name in CreateAccessToken
From: Fred <manfred.ste...@gmx.net>
Date: Fri, 27 Jul 2012 10:48:30 -0700 (PDT)
Local: Fri, Jul 27 2012 1:48 pm
Subject: How to get user-name in CreateAccessToken

Hi,

when I use ExchangeUserCredentialForToken on the client to obtain a token,
DNOA calls
IAuthorizationServerHost.TryAuthorizeResourceOwnerCredentialGrant on the
auth-server. I use this method to find out whether the username and the
password are correct and to return the "canonical" user-name.

Exactly this user-name is what I need within my implementation of
IAuthorizationServerHost.CreateAccessToken, which is also called by DNOA
after that. I need it because I want to set extra-data for this user.

What is the supposed way to have access to the user-name from within this
method?

Shall I set the CurrentPrincipal within
TryAuthorizeResourceOwnerCredentialGrant, or shall I just put the user-name
into a member-variable?

Wishes,
Fred


 
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Sat, 28 Jul 2012 07:00:47 -0700
Local: Sat, Jul 28 2012 10:00 am
Subject: Re: [dotnetopenauth] How to get user-name in CreateAccessToken

On Fri, Jul 27, 2012 at 10:48 AM, Fred <manfred.ste...@gmx.net> wrote:
> Exactly this user-Name is what I need within my implementation of
> IAuthorizationServerHost.CreateAccessToken, which is also called by DNOA
> after that. I need it, because, I want to set extra-data this user.

Setting extra data in the access token will *not* be effective if you want
the client to be able to read it.

> What is the supposed way, to have access to the user-Name from within this
> method?

I'm a little surprised in retrospect (although maybe there was a reason for
it) to see that CreateAccessToken doesn't have access to the username here,
but you're right.  Let's address that if you still want this after this
reply.

> Shall I set the CurrentPrincipal within
> TryAuthorizeResourceOwnerCredentialGrant, or shall I just put the user-name
> into a member-variable?

No, and no.  Setting CurrentPrincipal would fool your web app into
believing the client *was* the user, which would circumvent all OAuth 2
scoping and open you up to security holes.  Setting it in a member variable
would not work if you had even just two people authorizing concurrently.

Finally, it sounds like you're trying to misuse OAuth 2 as an
authentication protocol.  OAuth 2 authorization servers should *not* be
used to tell the client the username of the user.  If you want to
authenticate the user please use OpenID.
Alternatively, the not-recommended way to do this with OAuth 2 (ala
Facebook) is to return the username that authorized the access token from
the *resource server* rather than directly from the authorization server
with the access token response.  So after the client gets the access token,
it calls some documented URL on the resource server to (for example) get
JSON back with the username *and the client_id that was issued the access
token*.  The client must also check that the response's client_id matches
its own client_id (if you are in fact misusing the protocol for
authentication) to avoid a very common security exploit when using OAuth 2
for authentication.

I hope this helps.
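
The exchange Andrew describes above, as an added example that is not part of the original thread or of DotNetOpenAuth: a constructed resource-server token-info endpoint that returns the username together with the client_id the token was issued to, and the client-side check that rejects a token issued to a different client. It is written in Python rather than C# so that it runs stand-alone; the token values, client ids and the ISSUED_TOKENS table are constructed sample data.

```python
import hmac
import json

# Constructed sample data: what the resource server knows about the tokens it
# has seen issued (token -> resource owner and the client_id it was issued to).
ISSUED_TOKENS = {
    "tok-alice-for-movieapp": {"username": "alice", "client_id": "movieapp"},
    "tok-alice-for-otherapp": {"username": "alice", "client_id": "otherapp"},
}


def token_info(access_token):
    """Resource-server side: the documented 'who am I' endpoint.

    Returns JSON carrying BOTH the username and the client_id the token was
    issued to; a token the server does not know yields an error document.
    """
    record = ISSUED_TOKENS.get(access_token)
    if record is None:
        return json.dumps({"error": "invalid_token"})
    return json.dumps({"username": record["username"],
                       "client_id": record["client_id"]})


def verify_token_info(response_json, my_client_id):
    """Client side: accept the username only if the token was issued to *us*.

    A token issued to some other client must be rejected; otherwise whoever
    holds that token could be logged in here as its user. Returns the
    username, or None when the check fails.
    """
    try:
        info = json.loads(response_json)
    except ValueError:
        return None
    username = info.get("username")
    client_id = info.get("client_id")
    if not isinstance(username, str) or not isinstance(client_id, str):
        return None  # missing fields: never trust a partial answer
    if not hmac.compare_digest(client_id, my_client_id):
        return None  # token was issued to a different client_id
    return username


def login_with_token(access_token, my_client_id):
    """End to end: client presents the token, server answers, client verifies."""
    return verify_token_info(token_info(access_token), my_client_id)
```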


 
From: Fred <manfred.ste...@gmx.net>
Date: Sat, 28 Jul 2012 10:41:28 -0700 (PDT)
Local: Sat, Jul 28 2012 1:41 pm
Subject: Re: [dotnetopenauth] How to get user-name in CreateAccessToken

Hi Andrew,
thanks for your reply. The extra-data is for the resource-server. For
instance, the token could get the scope http://whatever/movies and the
extra-data-entry: age=14. This could tell the resource-server to
just display a specific sub-set of the movies.

> Alternatively, the not-recommended way to do this with OAuth 2 (ala
> Facebook) is to return the username that authorized the access token from
> the *resource server* [...]

Google uses this solution too, and it seems that this solution is pretty
close to the current proposal of OpenId Connect.
Does that mean that OpenId Connect shows how to mis-use OAuth2 for
Authorization the right way?

I would be very interested in your opinion on this ...

Wishes,
Fred


 
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Sun, 29 Jul 2012 15:32:23 -0700
Local: Sun, Jul 29 2012 6:32 pm
Subject: Re: [dotnetopenauth] How to get user-name in CreateAccessToken

On Sat, Jul 28, 2012 at 10:41 AM, Fred <manfred.ste...@gmx.net> wrote:
> Hi Andrew,
> thanks for your reply. The extra-data is for the resource-server. For
> instance, the token could get the scope http://whatever/movies and the
> extra-data-entry: age=14. This could tell the resource-server to
> just display a specific sub-set of the movies.

Perfect.  Then yes, setting ExtraData in the access token is the right way
to go.

> > Alternatively, the not-recommended way to do this with OAuth 2 (ala
> > Facebook) is to return the username that authorized the access token from
> > the *resource server* [...]
>
> Google uses this solution too, and it seems that this solution is pretty
> close to the current proposal of OpenId Connect.
> Does that mean that OpenId Connect shows how to mis-use OAuth2 for
> Authorization the right way?

Sort of ironic, but yes.  OpenID Connect builds on top of OAuth 2 in such a
way as to maintain the security of using it for an authentication protocol.

 
From: "Manfred Steyer" <manfred.ste...@gmx.net>
Date: Mon, 30 Jul 2012 01:13:44 +0200
Local: Sun, Jul 29 2012 7:13 pm
Subject: AW: [dotnetopenauth] How to get user-name in CreateAccessToken

Hi Andrew,

> Perfect.  Then yes, setting ExtraData in the access token is the right
> way to go.

thanks. But that leads back to the original question: how do I get access to
the user-name within CreateAccessToken?

Wishes,

Fred

From: Andrew Arnott <andrewarn...@gmail.com>
Date: Sun, 29 Jul 2012 16:19:29 -0700
Local: Sun, Jul 29 2012 7:19 pm
Subject: Re: [dotnetopenauth] How to get user-name in CreateAccessToken

I guess file a ticket for that one.

http://bit.ly/dnoawish
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre

On Sun, Jul 29, 2012 at 4:13 PM, Manfred Steyer <manfred.ste...@gmx.net> wrote:


 
From: lawst <stephen....@electrum.co.uk>
Date: Fri, 19 Oct 2012 03:08:12 -0700 (PDT)
Local: Fri, Oct 19 2012 6:08 am
Subject: Re: [dotnetopenauth] How to get user-name in CreateAccessToken

I also require access to the username in the CreateAccessToken method
however I can't find an open ticket - can someone please advise what the
current status of this is?

thanks


 
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Fri, 19 Oct 2012 07:25:32 -0700
Local: Fri, Oct 19 2012 10:25 am
Subject: Re: [dotnetopenauth] How to get user-name in CreateAccessToken

Good call.  It looks like this ticket
<https://github.com/DotNetOpenAuth/DotNetOpenAuth/issues/138> might
have been meant to track it, but it was resolved another way. Please
file another.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre

 
From: lawst <stephen....@electrum.co.uk>
Date: Tue, 23 Oct 2012 07:55:59 -0700 (PDT)
Local: Tues, Oct 23 2012 10:55 am
Subject: Re: [dotnetopenauth] How to get user-name in CreateAccessToken

I see you beat me to it:

https://github.com/DotNetOpenAuth/DotNetOpenAuth/issues/219

thanks


 
From: Andrew Arnott <andrewarn...@gmail.com>
Date: Tue, 23 Oct 2012 09:30:14 -0700
Local: Tues, Oct 23 2012 12:30 pm
Subject: Re: [dotnetopenauth] How to get user-name in CreateAccessToken

Yes, someone else was asking about it on Stackoverflow and I saw it wasn't
there yet.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


 
From: steve <stephen....@electrum.co.uk>
Date: Wed, 31 Oct 2012 02:42:54 -0700 (PDT)
Local: Wed, Oct 31 2012 5:42 am
Subject: Re: [dotnetopenauth] How to get user-name in CreateAccessToken

For anyone using the resource owner password credentials grant with DNOA
4.1, if you pass the accessTokenRequestMessage parameter to the following
method you can get the username in the CreateAccessTokenMethod:

using System;
using System.Reflection;
using DotNetOpenAuth.OAuth2;
using DotNetOpenAuth.OAuth2.Messages;

// Workaround for DNOA 4.1: recover the resource owner's user name from the
// IAccessTokenRequest that DNOA hands to CreateAccessToken. Place this method
// in your IAuthorizationServerHost implementation.
string GetUserFromAccessTokenRequest(IAccessTokenRequest accessTokenRequest)
{
    if (accessTokenRequest == null)
    {
        return null;
    }

    // Some request messages expose the authorization (and its User) directly.
    if (accessTokenRequest is IAuthorizationDescription)
    {
        return ((IAuthorizationDescription)accessTokenRequest).User;
    }
    else if (accessTokenRequest is AccessTokenRequestBase)
    {
        // Otherwise the authorization is held in a non-public property of the
        // concrete request type; use reflection to find it.
        Type type = accessTokenRequest.GetType();
        foreach (var p in type.GetProperties(BindingFlags.NonPublic | BindingFlags.Instance))
        {
            if (typeof(IAuthorizationDescription).IsAssignableFrom(p.PropertyType))
            {
                // Two-argument GetValue overload so this also compiles on .NET 4.0.
                var authorization = (IAuthorizationDescription)p.GetValue(accessTokenRequest, null);
                if (authorization != null)
                {
                    return authorization.User;
                }
            }
        }
    }

    // No authorization description found: the caller must treat null as an error.
    return null;
}

It may also work with other grant types however I've not tested it. This is
obviously a workaround so use at your own risk!

Steve


 