Re: [dotnetopenauth] Building a OAuth2 resource server with DotNetOpenAuth


Andrew Arnott

unread,
Jul 23, 2012, 12:41:35 AM7/23/12
to dotnet...@googlegroups.com
Hi Aleksander, welcome to the forum.

What you want sounds like a pretty standard set up of a web service that fills both the OAuth 2 authorization server and resource server roles.  I suggest you start with downloading the samples from http://sourceforge.net/projects/dnoa/files/latest/ and check out OAuth2AuthorizationServer and OAuth2ResourceServer.  

David Christiansen recently built a Web API sample of the two roles combined that may be just what you're looking for.

On Sunday, July 22, 2012, Aleksander Heintz wrote:
First of all, I'd just like to say that the odds of me mixing my terms here (such as resource owner, and other fancy terms like that) are fairly high.

I'm currently building an API for my website, and I'd like to enable OAuth2 so that verified clients can connect on behalf of users to my application and get data from/of the user.
Just like facebook for instance; where (if I was a developer that wanted to make a facebook-app) you first go to facebook and register your app to get a secret of some sort,
then you use that to navigate your users to a page saying "will you grant access to XX from the app MyApp", and when the user hits ok, facebook redirects back with a token.
Later, when requesting resources, the token is included in the request; and that token signifies the authorization of the user.

Now, in my app, I already have a table of users set up. It's fairly simple, with username and passwords, and a fullname.
So, simply to get this started, I would like some guidance, or reference to samples/documentation to get the "grant access to app XX" page set up (which generates tokens),
and a simple dummy "/api/user/me" which should return the current user, which of course would take the token and get a user out of it (a user-id would be sufficient, as I can always find the user in the database).

And I don't need someone to code this for me (hopefully, I'm hoping it's not that hard), just some guidance as to what I need to implement, and where to put it would be much appreciated.

--
You received this message because you are subscribed to the Google Groups "DotNetOpenAuth" group.
To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/8906VLbvwywJ.
To post to this group, send email to dotnet...@googlegroups.com.
To unsubscribe from this group, send email to dotnetopenid...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/dotnetopenid?hl=en.


--
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

Aleksander Heintz

unread,
Jul 23, 2012, 4:04:10 AM7/23/12
to dotnet...@googlegroups.com
When the authorization server and the resource server are the same, they can (and maybe should?) use the same cert, right?
I'm just going over the code you linked, and noticed that the hard-coded certs differ.

Andrew Arnott

unread,
Jul 23, 2012, 9:17:39 AM7/23/12
to dotnet...@googlegroups.com
I would keep the two certificates different anyway.  RSA sometimes has security vulnerabilities when signing and encryption are done with the same cert, so having two separate ones can only help protect you.  But it's up to you.  I can't put my finger on any vulnerability (right now, anyway) if you were to consolidate them to one.


On Monday, July 23, 2012, Aleksander Heintz wrote:
When the authorization server and the resource server are the same, they can (and maybe should?) use the same cert, right?
I'm just going over the code you linked, and noticed that the hard-coded certs differ.

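Added illustration of the two-key arrangement Andrew recommends, and of the "/api/user/me" token-to-user-id step Aleksander asked about. This is not DotNetOpenAuth's own code and not from the samples linked in the thread; it uses only the RSA and Aes classes of System.Security.Cryptography (OAEP-SHA256 assumes .NET Core or later), and the token layout, the "user|expiry" payload format and the class and method names are assumptions made for the example. The point it shows: the authorization server signs with its own private key and encrypts to the resource server's public key, while the resource server decrypts with its own private key and verifies with the authorization server's public key, so each private key stays with its role even when both roles run in one service.

```csharp
using System;
using System.Globalization;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Example code, not DotNetOpenAuth: an access token signed with the authorization
// server's key pair and encrypted to the resource server's key pair.
public static class TwoKeyAccessToken
{
    // Authorization server side. Needs its OWN private signing key and only the
    // resource server's PUBLIC encryption key.
    public static byte[] Issue(RSA authServerSigningKey, RSA resourceServerEncryptionKey,
                               string userId, DateTime expiresUtc)
    {
        byte[] payload = Encoding.UTF8.GetBytes(userId + "|" + expiresUtc.ToString("o"));
        byte[] signature = authServerSigningKey.SignData(
            payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        using (var aes = Aes.Create())
        using (var ms = new MemoryStream())
        using (var w = new BinaryWriter(ms))
        {
            aes.KeySize = 256;
            aes.GenerateKey();
            aes.GenerateIV();

            // RSA cannot encrypt arbitrary-length data, so a fresh AES key carries the
            // body and RSA-OAEP wraps that AES key for the resource server.
            byte[] wrappedKey = resourceServerEncryptionKey.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA256);
            w.Write(wrappedKey.Length);
            w.Write(wrappedKey);
            w.Write(aes.IV);

            byte[] body;
            using (var bodyMs = new MemoryStream())
            using (var bw = new BinaryWriter(bodyMs))
            {
                bw.Write(signature.Length); bw.Write(signature);
                bw.Write(payload.Length);   bw.Write(payload);
                bw.Flush();
                body = bodyMs.ToArray();
            }
            using (var enc = aes.CreateEncryptor())
                w.Write(enc.TransformFinalBlock(body, 0, body.Length));
            w.Flush();
            return ms.ToArray();
        }
    }

    // Resource server side (what a "/api/user/me" endpoint would call). Needs its OWN
    // private decryption key and only the authorization server's PUBLIC signing key.
    // Returns the user id, or null if decryption, signature check or expiry fails.
    public static string Validate(RSA resourceServerDecryptionKey, RSA authServerVerificationKey,
                                  byte[] token, DateTime nowUtc)
    {
        try
        {
            using (var ms = new MemoryStream(token))
            using (var r = new BinaryReader(ms))
            using (var aes = Aes.Create())
            {
                byte[] wrappedKey = r.ReadBytes(r.ReadInt32());
                aes.Key = resourceServerDecryptionKey.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256);
                aes.IV = r.ReadBytes(16);
                byte[] cipher = r.ReadBytes((int)(ms.Length - ms.Position));

                byte[] body;
                using (var dec = aes.CreateDecryptor())
                    body = dec.TransformFinalBlock(cipher, 0, cipher.Length);

                using (var bodyMs = new MemoryStream(body))
                using (var br = new BinaryReader(bodyMs))
                {
                    byte[] signature = br.ReadBytes(br.ReadInt32());
                    byte[] payload = br.ReadBytes(br.ReadInt32());
                    // Integrity comes from the signature, not from the cipher: any change
                    // to the ciphertext ends up here as a failed verification.
                    if (!authServerVerificationKey.VerifyData(
                            payload, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                        return null;
                    string[] parts = Encoding.UTF8.GetString(payload).Split('|');
                    DateTime expires = DateTime.Parse(parts[1], null, DateTimeStyles.RoundtripKind);
                    return expires > nowUtc ? parts[0] : null;
                }
            }
        }
        catch (CryptographicException) { return null; }
    }

    public static void Main()
    {
        // Two separate key pairs, generated here for the demo; in a deployment each
        // would come from its own X.509 certificate, as in the samples.
        using (RSA authServerKey = RSA.Create())
        using (RSA resourceServerKey = RSA.Create())
        {
            authServerKey.KeySize = 2048;
            resourceServerKey.KeySize = 2048;
            byte[] token = Issue(authServerKey, resourceServerKey, "user-42", DateTime.UtcNow.AddHours(1));
            Console.WriteLine(Validate(resourceServerKey, authServerKey, token, DateTime.UtcNow));      // user-42
            token[token.Length - 1] ^= 0x01;                                                            // tamper
            Console.WriteLine(Validate(resourceServerKey, authServerKey, token, DateTime.UtcNow) ?? "rejected");
        }
    }
}
```

In the demo both RSA objects hold private keys because both roles run in one process, which is Aleksander's situation; Issue only ever uses the public half of resourceServerKey and Validate only the public half of authServerKey, so the two roles could be split onto separate hosts by exporting just those public parts. Keeping the signing pair and the encryption pair distinct is what makes that split possible without copying a private key.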