OWIN setup similar to Google Service Accounts using JWT Bearer tokens

  • Question

  • User832214145 posted

    I've got a WebAPI 2 service that I would like to have a security setup very similar to the Google Service Accounts. The consuming application would send a JWT to the token endpoint to get an access token which would then be sent on all subsequent calls to the service until that token expires. 

    Additional requirements:

    • The preference would be that token endpoint would be part of the service application and not a separately hosted application.
    • Because it is going to be load balanced and I can't rely on sticky sessions, I would need to store the access tokens in a central place like a database.
    • I'd like to be able to control the expiration time of the access token.
    • Like Google Service Accounts each application authenticating will have a different client_id (Issuer) and a different signing key.

    How would one set this up using OWIN?

    Friday, September 19, 2014 9:38 AM

Answers

All replies

  • User1779161005 posted

    You need an authorization server that supports custom assertions using the custom grant type extension. I think the katana middleware supports this. You'd need to implement the methods on the provider for the custom grant type as well as validating the client credentials.

    Friday, September 19, 2014 9:53 AM
  • User832214145 posted

    I believe that is what I've been trying to do using Katana over the last couple days; however, I have no idea if I'm doing it correctly.

    First I tried using app.UseOAuthAuthorizationServer and providing a custom implementation of the OAuthAuthorizationServerProvider overriding the GrantCustomExtension method, which I believe is what you are saying. However, I don't appear to have access to the claims provided in the JWT.

    I also tried using app.UseJwtBearerAuthentication and providing a custom implementation of IOAuthBearerAuthenticationProvider; however, I don't have access to the grant_type at all, it seems, and it appears that I can't specify the token endpoint in the options object provided to the above method, so all I was getting was 404 errors.

    At this point I'm kinda looking for an example so that I can make sure I put this together correctly.

    Friday, September 19, 2014 10:39 AM
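Added example (not code from any post in this thread, and not the sample the original poster later linked): the setup the first reply describes, using the Katana OAuth2 authorization server with a custom grant type, and with the `GrantCustomExtension` override the second post mentions. The JWT assertion arrives as the `assertion` form parameter under the RFC 7523 grant type `urn:ietf:params:oauth:grant-type:jwt-bearer`, the same shape Google service accounts use; its claims are reachable through `context.Parameters`. Assumed: `System.IdentityModel.Tokens.Jwt` 5.x for validation, the class names `JwtAssertionServerProvider` and `CentralAccessTokenProvider`, a constructed per-client key table, and an in-memory dictionary standing in for the database table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Startup wiring: the token endpoint is hosted inside the WebAPI application itself.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        var tokenStore = new CentralAccessTokenProvider(); // hypothetical name

        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new JwtAssertionServerProvider(),          // hypothetical name
            AccessTokenProvider = tokenStore,
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30), // expiry under your control
            AllowInsecureHttp = false
        });

        // Resource side: resolve incoming bearer tokens through the same central store.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            AccessTokenProvider = tokenStore
        });
    }
}

// Handles grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer (RFC 7523).
public class JwtAssertionServerProvider : OAuthAuthorizationServerProvider
{
    const string JwtBearerGrant = "urn:ietf:params:oauth:grant-type:jwt-bearer";
    const string ExpectedAudience = "https://api.example.test/token"; // constructed value

    // Constructed registry: each client_id (the JWT 'iss') has its own signing key.
    static readonly IDictionary<string, byte[]> ClientKeys = new Dictionary<string, byte[]>
    {
        { "client-a@example.test", Encoding.UTF8.GetBytes("constructed-32-byte-secret-for-client-a") },
        { "client-b@example.test", Encoding.UTF8.GetBytes("constructed-32-byte-secret-for-client-b") }
    };

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // The signed assertion is the client's credential, so no client_secret is required here;
        // Katana still needs the context marked as validated before it calls GrantCustomExtension.
        if (context.Parameters["grant_type"] == JwtBearerGrant) context.Validated();
        else context.SetError("unsupported_grant_type");
        return Task.FromResult(0);
    }

    public override Task GrantCustomExtension(OAuthGrantCustomExtensionContext context)
    {
        if (context.GrantType != JwtBearerGrant) return Task.FromResult(0);

        var assertion = context.Parameters["assertion"];
        var handler = new JwtSecurityTokenHandler();
        if (string.IsNullOrEmpty(assertion) || !handler.CanReadToken(assertion))
        {
            context.SetError("invalid_request", "missing or malformed assertion");
            return Task.FromResult(0);
        }

        // Read 'iss' from the still-unverified token only to pick the key; nothing is trusted yet.
        var issuer = handler.ReadJwtToken(assertion).Issuer;
        byte[] key;
        if (issuer == null || !ClientKeys.TryGetValue(issuer, out key))
        {
            context.SetError("invalid_client", "unknown issuer");
            return Task.FromResult(0);
        }

        var validation = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = ExpectedAudience,
            IssuerSigningKey = new SymmetricSecurityKey(key),
            ValidateLifetime = true,                 // rejects expired / not-yet-valid assertions
            ClockSkew = TimeSpan.FromMinutes(1)
        };

        ClaimsPrincipal principal;
        try
        {
            SecurityToken validated;
            principal = handler.ValidateToken(assertion, validation, out validated);
        }
        catch (SecurityTokenException ex)
        {
            context.SetError("invalid_grant", ex.Message); // signature, audience, or lifetime failed
            return Task.FromResult(0);
        }

        // The JWT's claims are now available: copy them into the Bearer identity for the access token.
        var identity = new ClaimsIdentity(principal.Claims, OAuthDefaults.AuthenticationType);
        identity.AddClaim(new Claim("client_id", issuer));
        context.Validated(identity);
        return Task.FromResult(0);
    }
}

// Central token store: the caller receives an opaque handle; the protected ticket is kept
// server-side so any node behind the load balancer can resolve it.
public class CentralAccessTokenProvider : AuthenticationTokenProvider
{
    // Constructed stand-in for a database table keyed by token handle.
    static readonly ConcurrentDictionary<string, string> Tokens = new ConcurrentDictionary<string, string>();

    public override void Create(AuthenticationTokenCreateContext context)
    {
        var handle = Guid.NewGuid().ToString("N");
        Tokens[handle] = context.SerializeTicket(); // ticket carries ExpiresUtc from AccessTokenExpireTimeSpan
        context.SetToken(handle);
    }

    public override void Receive(AuthenticationTokenReceiveContext context)
    {
        string serialized;
        if (Tokens.TryGetValue(context.Token, out serialized))
            context.DeserializeTicket(serialized); // bearer middleware then enforces ExpiresUtc
    }
}
```

Two points to check before running this behind a load balancer: `SerializeTicket` protects the ticket with the OWIN data-protection provider (the machine key under IIS), so every node needs the same key material or the stored tickets will not unprotect on another node; and expired handles should be purged from the table on a schedule, since the middleware only rejects them, it does not delete them. The key table is deliberately looked up by issuer so that a key belonging to one client can never validate another client's assertion.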
  • User1779161005 posted

    I don't know of any examples in katana that do custom grant types. I'd suggest asking in Jabbr in the OWIN room. There's a guy that hangs out there that loves to help people with the katana oauth2 middleware.

    Friday, September 19, 2014 10:50 AM
  • User832214145 posted

    I managed to get things working. Example available on the Katana / OWIN boards: https://katanaproject.codeplex.com/discussions/567884

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, September 25, 2014 10:23 AM