ASP.NET 2.0 and OAuth Client

  • Question

  • User911950514 posted

    Hi,

    We have an existing Web Forms application primarily developed in ASP.NET 2.0. Though we have upgraded the framework to 4.5, users are still getting authenticated with a user/pass combination using SQL Server Roles and Membership (not upgraded to ASP.NET Identity). The architecture and folder structure of the web project are still based upon ASP.NET 2.0. We are currently using Forms authentication.

    Having said that, I got a new requirement to onboard an additional 25k users who will be authenticated/authorized using OAuth 2.0 (the users' credentials already exist with a custom provider). The custom provider has shared the authorize and token API URLs and other details. In short, we will be developing an OAuth 2.0 consumer feature.

    I have a basic understanding of OAuth and the various calls made to the provider using .NET Core, but is there an article/details on how to do it in ASP.NET 2.0 Web Forms?

    Any assistance will be appreciated!

    Thanks,

    Amjad

    Monday, August 20, 2018 4:16 PM

Answers

  • User475983607 posted

    amjad_akhtar

    1- Can I use OWIN functionality in my legacy ASP.NET web app, which targets 4.5 but doesn't use MVC/Web API/Core etc.? If yes, I simply need to add the OWIN NuGet package, I assume.

    OWIN is not specific to MVC; it is an API that targets the .NET Framework. Create a new Web Forms project and select the "Individual account" option for an example of OWIN configuration.

    amjad_akhtar

    2- As I will only be developing the client app, whatever is related to the Authorization server in the provided link is not relevant, though it helped me to understand the overall flow.

    I don't know man... but I feel knowing how an auth token server works is very relevant for implementing a client. 

    amjad_akhtar

    3- The link talks about using DotNetOpenAuth.OAuth2.Client; it's open source and can be distributed without worries? Is it difficult to develop my own client instead of using DotNetOpenAuth?

    Read the license agreement if you have concerns. 

    amjad_akhtar

    4- I am confused about how to keep track of the refresh token, does this require any interaction with SQL roles and membership or just using a cookie should work?

    A refresh token is used to refresh an access token.  The client can read the access token expiration.  Write code to fetch a new access token if the access token is about to expire.  If you are unsure how to use the refresh token, ask the service provider for help.  Refresh tokens can be a security vulnerability so it is best to consult the reference documentation for the auth service you are using.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, August 22, 2018 8:18 PM

All replies

  • User475983607 posted

    Since your project targets 4.5, look into the OAuth OWIN library.

    https://docs.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

    I suggest that you meet with the owners of the custom provider so you understand how it works. Assuming the client is a browser and you are not securing APIs, the process is pretty straightforward. The browser is redirected from your site to a remote OAuth login and passes along some information in the URL. After a successful login, the browser is redirected back to your site with a token that your site validates. The token contains information about the user. If all goes well, simply create an auth cookie like you are now.

    You need to iron out the details with the OAuth provider.

    Monday, August 20, 2018 8:06 PM
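Neither reply includes code, so the following is an added example (not from the thread, and not a Microsoft or DotNetOpenAuth sample) of the redirect-then-callback flow described above together with the refresh-before-expiry handling from the marked answer, written as a confidential client for a .NET 4.5 Web Forms code-behind. The endpoint URLs, client credentials, callback page name and Session key are assumed placeholders, and the async methods assume a page marked Async="true".

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web.Script.Serialization;
using System.Web.SessionState;

public class TokenSet { public string AccessToken; public string RefreshToken; public DateTime ExpiresAtUtc; }

public static class OAuthCodeClient {
    // Hypothetical values: substitute the URLs and credentials issued by your provider.
    const string AuthorizeUrl = "https://idp.example/authorize", TokenUrl = "https://idp.example/token";
    const string ClientId = "CLIENT_ID_PLACEHOLDER", ClientSecret = "CLIENT_SECRET_PLACEHOLDER";
    const string RedirectUri = "https://yoursite.example/OAuthCallback.aspx";
    static readonly HttpClient Http = new HttpClient();

    // Step 1: build the redirect; the random 'state' kept in Session ties the callback to this browser (login CSRF check).
    public static string BuildAuthorizeUrl(HttpSessionState session) {
        var nonce = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        string state = Convert.ToBase64String(nonce);
        session["oauth_state"] = state;
        return AuthorizeUrl + "?response_type=code&client_id=" + Uri.EscapeDataString(ClientId)
             + "&redirect_uri=" + Uri.EscapeDataString(RedirectUri) + "&state=" + Uri.EscapeDataString(state);
    }

    // Step 2: on OAuthCallback.aspx, verify state (single use), then exchange the code server-side.
    public static Task<TokenSet> HandleCallbackAsync(HttpSessionState session, string code, string state) {
        var expected = session["oauth_state"] as string;
        session.Remove("oauth_state");
        if (expected == null || state != expected) throw new UnauthorizedAccessException("OAuth state mismatch");
        var form = new Dictionary<string, string> { { "grant_type", "authorization_code" }, { "code", code }, { "redirect_uri", RedirectUri } };
        return PostTokenAsync(form, null);
    }

    // Step 3: before each use, refresh if the access token expires within 'margin' (clock-skew allowance).
    public static Task<TokenSet> EnsureFreshAsync(TokenSet t, TimeSpan margin) {
        if (DateTime.UtcNow + margin < t.ExpiresAtUtc) return Task.FromResult(t);
        var form = new Dictionary<string, string> { { "grant_type", "refresh_token" }, { "refresh_token", t.RefreshToken } };
        return PostTokenAsync(form, t.RefreshToken);
    }

    static async Task<TokenSet> PostTokenAsync(Dictionary<string, string> form, string previousRefresh) {
        form["client_id"] = ClientId; form["client_secret"] = ClientSecret;   // the secret never leaves the server
        var resp = await Http.PostAsync(TokenUrl, new FormUrlEncodedContent(form));
        resp.EnsureSuccessStatusCode();
        var d = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(await resp.Content.ReadAsStringAsync());
        object rt;   // a refresh response may omit refresh_token; keep the previous one in that case
        return new TokenSet { AccessToken = (string)d["access_token"],
                              RefreshToken = d.TryGetValue("refresh_token", out rt) ? (string)rt : previousRefresh,
                              ExpiresAtUtc = DateTime.UtcNow.AddSeconds(Convert.ToInt32(d["expires_in"])) };
    }
}
```

Keep the returned TokenSet server-side (Session or a server store keyed by the Forms auth ticket) rather than in a browser cookie, and issue the existing Forms auth cookie only after HandleCallbackAsync succeeds.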
  • User1724605321 posted

    Hi amjad_akhtar,

    Agree with @mgebhard, you should ask for assistance from the IDP owner. To understand better, you can refer to the links below for how the OAuth 2.0 code flow works:

    https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type 

    https://oauth.net/2/grant-types/authorization-code/ 

    I assume you are using the code flow. If you want to know other flows, you can read this document.

    Best Regards,

    Nan Yu

    Tuesday, August 21, 2018 6:38 AM
  • User911950514 posted

    Hi mgebhard,

    I have all the details from the OAuth provider, that is, the format and types of requests, including the Authorization/Token URLs. They are following the standard process you mentioned in your reply. It's going to be an Authorization Code flow, and after going through the link provided it now makes more sense.

    But I have some questions regarding OWIN integration into my legacy application.

    1- Can I use OWIN functionality in my legacy ASP.NET web app, which targets 4.5 but doesn't use MVC/Web API/Core etc.? If yes, I simply need to add the OWIN NuGet package, I assume.

    2- As I will only be developing the client app, whatever is related to the Authorization server in the provided link is not relevant, though it helped me to understand the overall flow.

    3- The link talks about using DotNetOpenAuth.OAuth2.Client; it's open source and can be distributed without worries? Is it difficult to develop my own client instead of using DotNetOpenAuth?

    4- I am confused about how to keep track of the refresh token, does this require any interaction with SQL roles and membership or just using a cookie should work?

    Thanks so much for your assistance!

    -AA

    Wednesday, August 22, 2018 7:51 PM
  • User911950514 posted

    Thanks Nan Yu, the links are helpful!

    Wednesday, August 22, 2018 7:52 PM
  • User911950514 posted

    Okay, thanks so much for taking time and responding to my questions!

    I am going to attempt it and see how it goes, and will consult if need be (don't want to bother you much).

    Thursday, August 23, 2018 2:09 PM