OAuth 2.0 Authentication: try to avoid .AddCookie and just want to use .AddOAuth only

Question
User1971729369 posted
Hello everyone,
I got the chance to reinvent this application [1] with .NET Core 2.2, AspNetCore and Docker.
This repository is an out-of-the-box easy-to-use sample application for our API and OAuth 2.0 Service. Everything works very well, but there is a point that I do not fully understand.
I want to use this application without any usage of a cookie. All necessary OAuth credentials (Client ID, secret, access token and refresh token) are stored in json files. The user should be able to use this application even in a fresh incognito session, just with the stored credentials.
I tried to set ".AddOAuth" as the default, but there is no "OAuthAuthenticationDefaults.AuthenticationScheme". I had also tried "UseJwtBearerAuthentication", but all examples are completely different from the OAuth part. My code only works with ".AddCookie" and "CookieAuthenticationDefaults.AuthenticationScheme". :(
In [2] I posted a snippet of my code.
My Questions are:
- I know the advantage of using cookies but is there another important reason why I need cookies here?
- Could someone point me to an example which uses OAuth (with Microsoft.AspNetCore.Authentication.OAuth) without usage of cookies?
- Is there a way to use the OAuth credentials with bearer authentication?
I spent hours researching this topic :(
Thanks a lot, Robert
[1] https://github.com/Sage/sageone_api_csharp_sample
[2] This snippet is from https://github.com/Sage/sageone_api_csharp_sample/blob/bfe10ba405ec5f7f488995879b308cc3f48ac39c/app/Startup.cs#L56
    // Startup.ConfigureServices (the snippet in the original post started inside this method;
    // the method header is restored here so the closing brace balances)
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();
        services.AddSession(options =>
        {
            options.Cookie.HttpOnly = false;
            options.Cookie.IsEssential = true;
            options.IdleTimeout = TimeSpan.FromHours(1);
        });
        services.AddMvc();
        services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(o => o.LoginPath = new PathString("/login"))
            .AddOAuth("oauth2", "Sage Accounting", o =>
            {
                o.ClientId = config_client_id;
                o.ClientSecret = config_client_secret;
                o.CallbackPath = new PathString("/auth/callback");
                o.AuthorizationEndpoint = AUTHORIZATION_ENDPOINT;
                o.TokenEndpoint = TOKEN_ENDPOINT;
                o.SaveTokens = true;
                o.Scope.Add("full_access");
                o.Events = new OAuthEvents
                {
                    OnRemoteFailure = HandleOnRemoteFailure,
                    OnCreatingTicket = async context => //async
                    {
                        // expiry values come from the token endpoint's JSON response
                        int tok_expires_in = (int)context.TokenResponse.Response["expires_in"];
                        int tok_refresh_token_expires_in = (int)context.TokenResponse.Response["refresh_token_expires_in"];
                        // persist access/refresh tokens and their absolute expiry to the json file
                        tokenfileWrite(context.AccessToken, calculateUnixtimestampWithOffset(tok_expires_in),
                                       context.RefreshToken, calculateUnixtimestampWithOffset(tok_refresh_token_expires_in),
                                       context.HttpContext);
                        return;
                    }
                };
            });
    }
Wednesday, March 18, 2020 8:54 AM
All replies
User475983607 posted
"I want to use this application without any usage of a cookie. All necessary OAuth credentials (Client ID, secret, access token and refresh token) are stored in json files. The user should be able to use this application even in a fresh incognito session, just with the stored credentials."
Cookies are used to cache encrypted login tokens in browser based applications because the browser sends the cookie on each request to the server. The auth cookie API fetches the token and adds the information to the user principal. This makes the user's roles/claims available to the built-in authorization system like the [authorize] attribute.
"I know the advantage of using cookies but is there another important reason why I need cookies here?"
If you don't use a cookie to cache the encrypted token, we're talking about a browser based application, then you'll need to design and code a custom solution. My first guess is you'll be forced to use the URL.
"Could someone point me to an example which uses OAuth (with Microsoft.AspNetCore.Authentication.OAuth) without usage of cookies?"
Every browser based OAuth solution uses cookies.
"Is there a way to use the OAuth credentials with bearer authentication?"
Yes, every code based OAuth/JWT solution uses a bearer token.
Wednesday, March 18, 2020 12:05 PM
User-474980206 posted
If you are using a browser application, the HTTP request must include the authentication. Natively, browser requests support basic, digest, NTLM and negotiate authentication. OAuth is not on the list, so the OAuth token must be part of the payload. The options are:
1) use a cookie - most common
2) encode as a url parameter and include in all links and form posts
3) only use posts and use a form variable
4) only use ajax (SPA) and use as a bearer token
5) use a combination of above
Wednesday, March 18, 2020 3:13 PM
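As an added example that is not part of this thread and is not the Sage sample's code, the block below shows the cookie-plus-OAuth pairing from the question with the reason for the cookie spelled out and the cookie itself hardened, followed by the server-side call in which the stored access token is actually used as a bearer token. The names config_client_id, config_client_secret, AUTHORIZATION_ENDPOINT and TOKEN_ENDPOINT are taken from the question's snippet; TokenStore and SageApiClient are hypothetical names, and the endpoint URLs are placeholders.

```csharp
// Added example, not code from the thread or from the Sage sample.
// Assumes ASP.NET Core 2.2 with the Microsoft.AspNetCore.App metapackage.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Same names as the question's snippet; values are loaded from the app's JSON config.
    private string config_client_id;
    private string config_client_secret;
    private const string AUTHORIZATION_ENDPOINT = "https://example.invalid/oauth/authorize"; // placeholder
    private const string TOKEN_ENDPOINT = "https://example.invalid/oauth/token";             // placeholder

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        services.AddAuthentication(options =>
        {
            // AddOAuth() registers a *remote* handler: it runs the redirect/callback
            // exchange and builds a principal, but it cannot persist that principal
            // across requests. Persisting is the job of a sign-in scheme, which in a
            // browser app is the cookie handler. That is also why there is no
            // OAuthAuthenticationDefaults.AuthenticationScheme to use as DefaultScheme.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            // Unauthenticated requests to [Authorize] endpoints are challenged by
            // redirecting to the provider rather than to a local /login page.
            options.DefaultChallengeScheme = "oauth2";
        })
        .AddCookie(o =>
        {
            // The cookie carries the encrypted authentication ticket, so treat it as a
            // credential: not readable by page script, HTTPS only, not sent on cross-site
            // sub-requests. Lax still permits the top-level GET redirect back from the
            // provider's authorization endpoint.
            o.Cookie.HttpOnly = true;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            o.Cookie.SameSite = SameSiteMode.Lax;
            o.ExpireTimeSpan = TimeSpan.FromHours(1);
            o.SlidingExpiration = false;
        })
        .AddOAuth("oauth2", "Sage Accounting", o =>
        {
            // Stated explicitly rather than inherited from DefaultScheme.
            o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.ClientId = config_client_id;
            o.ClientSecret = config_client_secret;
            o.CallbackPath = new PathString("/auth/callback");
            o.AuthorizationEndpoint = AUTHORIZATION_ENDPOINT;
            o.TokenEndpoint = TOKEN_ENDPOINT;
            o.Scope.Add("full_access");
            // The question's OnCreatingTicket handler already writes the access and
            // refresh tokens to a file on the server. With that in place, SaveTokens =
            // false keeps them out of the browser cookie: the cookie then proves only
            // "this browser is signed in to this app", and the API tokens stay server-side.
            o.SaveTokens = false;
        });

        services.AddHttpClient("sage");
        services.AddSingleton<TokenStore>();
    }
}

// Hypothetical read side of the token file the question's tokenfileWrite() produces.
public class TokenStore
{
    public string AccessToken { get; set; }   // loaded from the JSON file at startup
}

// Where the OAuth credential actually goes: the Authorization header of the
// server-to-server call to the API. No browser cookie is involved in this hop;
// this is the "bearer" usage the question asks about.
public class SageApiClient
{
    private readonly IHttpClientFactory _factory;
    private readonly TokenStore _tokens;

    public SageApiClient(IHttpClientFactory factory, TokenStore tokens)
    {
        _factory = factory;
        _tokens = tokens;
    }

    public async Task<string> GetAsync(string url)
    {
        var client = _factory.CreateClient("sage");
        var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _tokens.AccessToken);
        var response = await client.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

The split this makes visible is the one the replies describe: the browser never carries the OAuth token at all, only an app-issued cookie, while the app uses the token from its own store as a bearer credential on outbound API calls. The question's snippet also configures the session cookie with HttpOnly = false, which lets page script read it; the example leaves session state out and keeps the authentication cookie HttpOnly.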