owin + oauth + bearer token authentication: full picture RRS feed

  • Question

  • User442419460 posted

    I've read articles and seen example projects. I know owin allows to decouple application from web-server specific code, oauth  allows third party clients to get access to application resources, and bearer token - client can get security token by login and password and use it as key for access to application resources. 

    I know that for simple cookie authentication using owin it's enough UseCookieAuthentication. But owin has this extensions: UseOAuthAuthorizationServer,  UseOAuthBearerAuthentication, UseExternalCookieAuthentication, UseOAuthBearerAuthentication and I don't understand the full picture.

    1. Could I use oauth without oauth bearer token (does it make sence)?
    2. What are use cases for external cookie?
    3. What are use cases for oauth (is it required only in case of client and server work in different domains using some api)?
    4. What are use cases for oauth bearer token authentication?
    5. Is it required oauth and bearer token authentication for web api only and for classic asp.net mvc applications it's no need?
    Wednesday, January 28, 2015 10:52 AM

All replies

  • User458742136 posted

    Hi Oblomov 86,

    First, OAuth is an open standard to authorization. For more detail: http://tools.ietf.org/html/rfc6749

    If you use OAuth, the access token are credentials used to access protected resources. In the general case, before a client can access a protected resource, it must first obtain an authorization grant from the resource owner and then exchange the authorization grant for an access token.  The access token represents the grant's scope, duration, and other attributes granted by the authorization grant.

    Anyone can define "token_type" as an OAuth 2.0 extension, but currently "bearer" token type is the most common one.

    In RFC 6749 http://tools.ietf.org/html/rfc6749, there are 4 defined authorization grant mode for different use cases:

    For Asp.Net Owin, it has several extensions to add authentication or authorization capabilities to your asp.net application.

    Best Regards.

    Tuesday, February 3, 2015 1:48 AM
  • User566650967 posted

    Hi Oblomov86,

    As per your request just use this same.Create a new webform and give the code behind as below.

    protected void Page_Load(object sender, System.EventArgs e)
    string strServer = "mail.xxx.com";
    string strDomain = "yyyy";
    string strUsername = null;
    string strPassword = null;
    if (!(string.IsNullOrEmpty(Session["uuu"])) & !(string.IsNullOrEmpty(Session["ooo"]))) {
    strUsername = Session["uuu"].ToString();
    strPassword = Session["ooo"].ToString();
    Response.Write(LoadOWAPostJS("logonForm", strUsername, strPassword));
    private string CreateOWAFrom()
    StringBuilder strForm = new StringBuilder();
    strForm.AppendLine("<form id=\"logonForm\" name=\"logonForm\" target=\"_self\" action=\"https://mail.xxx.com/owa/auth/owaauth.dll/\\\" method=\"post\">");
    strForm.AppendLine("<input type=\"hidden\" name=\"destination\" value=\"https://mail.xxx.com/owa/\\\"/>");
    strForm.AppendLine("<input type=\"hidden\" name=\"flags\" value=\"0\"/>");
    strForm.AppendLine("<input type=\"hidden\" name=\"username\" id=\"username\"/>");
    strForm.AppendLine("<input type=\"hidden\" name=\"password\" id=\"password\"/>");
    strForm.AppendLine("<input type=\"hidden\" id=\"SubmitCreds\" name=\"SubmitCreds\" value=\"Connection\"/>");
    strForm.AppendLine("<input type=\"hidden\" id=\"rdoRich\" name=\"forcedownlevel\" value=\"0\"/>");
    strForm.AppendLine("<input type=\"hidden\" id=\"rdoPublic\" name=\"trusted\" value=\"0\"/>");
    return strForm.ToString();
    private string LoadOWAPostJS(string strFormId, string strUsername, string strPassword)
    StringBuilder strScript = new StringBuilder();
    strScript.Append("<script language='javascript'>");
    strScript.Append("var ctlForm = document.forms.namedItem('{0}');");
    strScript.Append("ctlForm.username.value=\"" + strUsername + "\";");
    strScript.Append("ctlForm.password.value=\"" + strPassword + "\";");
    return String.Format(strScript.ToString(), strFormId);

    just enjoy coding and break anywhere :)

    Tuesday, February 3, 2015 8:07 AM