oAuth2 Authorization for standalone web services


Jezz Santos

Jan 18, 2014, 6:49:21 PM1/18/14
to servic...@googlegroups.com
I am looking for working examples of a SS RESTful service that implements OAuth 2.0 authorization of requests from *any* kind of client (not just a SS client).
I don't want the web service to support its own authentication like the socialbootstrapapi sample does.
Authentication needs to be performed by a separate client application (i.e. an ASP.NET MVC 5.0 or mobile phone client).
The client should manage the handshake with the authorization provider, get the access token and embed it in the 'Authorization' header of the request to the SS service.

I have studied and experimented with dylanbeaties' excellent example on GitHub, but this demonstrates authorization only for a custom authorization server.
I like the attribute pattern demonstrated there; I just can't get it working in an integration test for a public provider (i.e. Google, Facebook, etc.).

I'd like to see a working sample of a service that authorizes a request with an access token obtained from Google or Facebook or some other public provider, and the client-side code that creates the access token, running from an integration test in VS (that is not a web client, using a Google/Facebook usn+pwd).

To be clear, what I am trying to create is a web service that should support OAuth 2.0 authorisation, where the access tokens could come from any number of providers (i.e. Facebook, Google, or my own custom one).

Seems like a pretty common scenario for building a scalable public service these days.
But finding working examples and documentation for this scenario is very difficult.

Could I propose that someone builds another version of the socialbootstrapapi example (or a variant of it) that separates client from service?

regards,

Demis Bellot

Jan 18, 2014, 10:18:08 PM1/18/14
to servic...@googlegroups.com
Information about our OAuth2 providers is available at: https://github.com/ServiceStack/ServiceStack/wiki/Authentication-and-authorization#oauth2-providers

Check out the AuthWeb.Tests project to see an example of a single application with all Authentication options available, including the LinkedIn + Google OAuth2 providers:

The source code for the LinkedIn and Google OAuth2 providers is in the repo:

Additional feature requests for ServiceStack can be proposed at:

- Demis



Jezz Santos

Jan 19, 2014, 2:03:28 AM1/19/14
to servic...@googlegroups.com
Thanks for these links,

I guess what I am really asking for is more guidance, and help trying to stitch all these related bits of info together into a cohesive solution.
There seem to be many moving parts here, and they are not always that intuitive to put together.
I'd rather not be inventing new patterns where the proven ones exist. But knowing where they exist is the issue here.

For example, a lot of the sample stuff and documentation assumes that we will have session state.
So much of the AuthN and AuthZ framework in SS seems to rely on authentication information already in place from a previous call to the /auth services.
I am not sure a service of the type I am talking about has either authentication state or a session to rely on.

Would you have more specific guidance on:
  1. How to verify an OAuth2 bearer token in a SS service (i.e. a token passed from a client who just authenticated a user with Google)?
  2. How to create an OAuth2 bearer token in an integration test (i.e. no browser redirect), so that we can test the basic authorization implementation in the web service using a user's usn+pwd against Google?
  3. How to pass the bearer token in a request from a controller (MVC 5 application)?
regards,

Wayne Douglas

Jan 19, 2014, 2:37:49 AM1/19/14
to servic...@googlegroups.com
We have been trying to implement something like this (the client is a PHP website) with varying success. I would also appreciate guidance in this area. Some guidance on tests would be very helpful too.

Sent from Mailbox for iPhone

Demis Bellot

Jan 19, 2014, 2:39:47 AM1/19/14
to servic...@googlegroups.com
The AuthProviders just enable authentication via any of the supported Auth providers; on success it sets up an authenticated session with the client under the verified identity.
Info retrieved from authentication is persisted in the configured IUserAuthRepository in the UserAuthDetails model. No further OAuth2 functionality is baked into ServiceStack beyond authentication.

You're asking for specific guidance on working with OAuth2, not ServiceStack, which in this case is just a generic framework hosting custom logic that is decoupled from any one AuthProvider.
I suspect the best place to ask for help on OAuth2 would be on the DotNetOpenAuth support channels or StackOverflow.

Wayne Douglas

Jan 19, 2014, 2:48:40 AM1/19/14
to servic...@googlegroups.com
Currently we redirect from the website to /auth/provider when we want to reg/login.

Some questions:

- What happens if the same user logs on from 2 auth providers? Is there a way to merge them?
- Once logged in, the PHP client just sends an ss-id in the headers as auth (from the user's cookie). Is that what is expected?
- Sometimes we end up in a redirect loop where we just keep getting sent back to Twitter to authorize the app. This can sometimes be stopped by clearing cookies. Sometimes it does not fix it.

I have considered adding username/password auth to make tests simpler. That way the test can authenticate; I don't particularly care which auth the test uses, so I guess this would work ok.

Sent from Mailbox for iPhone


Demis Bellot

Jan 21, 2014, 4:02:52 AM1/21/14
to servic...@googlegroups.com
If an authenticated user logs in from multiple AuthProviders they are automatically merged, so that there is a single UserAuth record and multiple UserAuthDetails records, one for each authenticated OAuth provider.

ss-id is the temporary session id, which is where the user's session is stored by default; there's also an ss-pid cookie which is used when the user authenticates with the "RememberMe=true" flag set.
This is explained in more detail on the Sessions wiki: https://github.com/ServiceStack/ServiceStack/wiki/Sessions

For tests you can use "Config.AdminAuthSecret" to specify a special string that gives you admin access without having to log in, by adding ?authsecret=xxx to the query string.
It's great for tests as you can test as an authenticated "admin" user without having to log in each time.
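An added example (not code from this thread or from ServiceStack itself) of wiring the AdminAuthSecret approach described above so that the secret only exists when a test runner supplies it: a self-hosted ServiceStack v4 AppHost with an [Authenticate]-protected service, and an NUnit integration test that reaches it via ?authsecret=. The route, DTO names and the SS_ADMIN_AUTH_SECRET environment variable are assumptions made for this example.

```csharp
using System;
using NUnit.Framework;
using ServiceStack;
using ServiceStack.Auth;

// Hypothetical service behind [Authenticate]; route and DTO names are assumptions.
[Route("/whoami")]
public class WhoAmI : IReturn<WhoAmIResponse> { }
public class WhoAmIResponse { public string UserName { get; set; } }

[Authenticate]
public class WhoAmIService : Service
{
    // With ?authsecret= the attribute lets the request through without a login,
    // so the session here may still be an anonymous one.
    public object Get(WhoAmI request) { return new WhoAmIResponse { UserName = GetSession().UserName }; }
}

public class TestAppHost : AppHostHttpListenerBase
{
    public TestAppHost() : base("AuthSecret Test", typeof(WhoAmIService).Assembly) { }
    public override void Configure(Funq.Container container)
    {
        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] { new CredentialsAuthProvider() }));
        // A null AdminAuthSecret disables the feature, so a production host that
        // never sets the variable never honours ?authsecret=. Variable name is assumed.
        SetConfig(new HostConfig
        {
            AdminAuthSecret = Environment.GetEnvironmentVariable("SS_ADMIN_AUTH_SECRET")
        });
    }
}

[TestFixture]
public class WhoAmITests
{
    const string BaseUri = "http://localhost:2000/";
    TestAppHost appHost;
    [TestFixtureSetUp] public void Init() { appHost = new TestAppHost(); appHost.Init(); appHost.Start(BaseUri); }
    [TestFixtureTearDown] public void Cleanup() { appHost.Dispose(); }

    [Test]
    public void Admin_auth_secret_grants_access_without_logging_in()
    {
        var client = new JsonServiceClient(BaseUri);
        // Without a session the [Authenticate] gate answers 401, which the client surfaces as an exception
        Assert.Throws<WebServiceException>(() => client.Get<WhoAmIResponse>("/whoami"));
        var secret = Environment.GetEnvironmentVariable("SS_ADMIN_AUTH_SECRET");
        Assert.That(client.Get<WhoAmIResponse>("/whoami?authsecret=" + secret), Is.Not.Null);
    }
}
```

Because the secret is read from the environment at startup, a host deployed without that variable keeps the query-string bypass switched off, which is the check worth keeping in mind before using this beyond a test project.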

