User614698185 posted
Hi zhshqzyc,
OAuth provides client applications a 'secure delegated access' to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The client then uses the access token to access the protected resources hosted by the resource server. OAuth is commonly used as a way for Internet users to log into third-party websites using Microsoft, Google, Facebook or Twitter accounts without exposing their password.
Possibly the most devastating OAuth security failure is the phishing vulnerability: every web site using OAuth is visually (but not technically) asking end users for the username and password of their master identity, which prevents ordinary users from understanding that they should not type those in should they encounter an attacker's web site that visually emulates this process to steal credentials. 2FA/two-step does not prevent this attack, because the phishing site can steal that as well (and use it right away).
You could refer to the following tutorials to learn token-based authentication:
http://www.jerriepelser.com/blog/using-aspnet-oauth-providers-without-identity
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/
Best Regards,
Candice Zhou
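The delegated-access flow the reply describes (the resource owner authenticates to the authorization server, which issues a scoped, expiring bearer token to a registered client; the resource server accepts the token instead of the owner's password) as an added, self-contained example. This code is not from the reply or from the linked tutorials: the owner "alice", the client "photo-printer", the scope names, the `issue_token`/`introspect` method names and the in-memory stores are all assumptions made for illustration, and the PBKDF2 credential store is a toy stand-in for a real identity provider.

```python
"""Toy OAuth 2.0-style delegated access: authorization server, resource server, client."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000  # toy credential store; a real IdP would tune this


def hash_password(password, salt):
    """Derive a password verifier with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass(frozen=True)
class TokenRecord:
    owner: str         # resource owner who approved the access
    client_id: str     # third-party client the token was issued to
    scope: frozenset   # what the token may be used for
    expires_at: float  # unix time after which the token is invalid


class AuthorizationServer:
    """Authenticates resource owners and issues opaque bearer tokens to registered clients."""

    def __init__(self, ttl_seconds=3600):
        self._owners = {}    # username -> (salt, verifier)
        self._clients = set()
        self._tokens = {}    # opaque token -> TokenRecord
        self.ttl = ttl_seconds

    def register_owner(self, username, password):
        salt = secrets.token_bytes(16)
        self._owners[username] = (salt, hash_password(password, salt))

    def register_client(self, client_id):
        self._clients.add(client_id)

    def issue_token(self, owner, password, client_id, scope, now=None):
        """The owner authenticates here, never to the client; the client only receives the token."""
        now = time.time() if now is None else now
        if client_id not in self._clients:
            raise PermissionError("unknown client")
        entry = self._owners.get(owner)
        if entry is None:
            raise PermissionError("bad credentials")
        salt, verifier = entry
        if not hmac.compare_digest(hash_password(password, salt), verifier):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)  # opaque: carries no owner data itself
        self._tokens[token] = TokenRecord(owner, client_id, frozenset(scope), now + self.ttl)
        return token

    def introspect(self, token, now=None):
        """Return the token's record, or None if unknown or expired."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or now >= rec.expires_at:
            return None
        return rec

    def revoke(self, token):
        self._tokens.pop(token, None)


class ResourceServer:
    """Serves protected resources; trusts the authorization server, never sees passwords."""

    def __init__(self, auth_server):
        self._auth = auth_server

    def get_profile(self, authorization_header, now=None):
        """Handle GET /profile, which requires scope 'profile:read'. Returns (status, body)."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return 401, "missing bearer token"
        rec = self._auth.introspect(authorization_header[len("Bearer "):], now)
        if rec is None:
            return 401, "invalid or expired token"
        if "profile:read" not in rec.scope:
            return 403, "insufficient scope"
        return 200, f"profile of {rec.owner} (delegated to {rec.client_id})"


def demo_flow():
    """Run the flow end to end; returns status codes for (ok, expired, wrong scope, no token)."""
    auth = AuthorizationServer(ttl_seconds=3600)
    auth.register_owner("alice", "correct horse battery staple")  # constructed sample owner
    auth.register_client("photo-printer")                         # constructed sample client
    rs = ResourceServer(auth)
    t0 = 1_700_000_000.0
    token = auth.issue_token("alice", "correct horse battery staple", "photo-printer",
                             ["profile:read"], now=t0)
    ok = rs.get_profile(f"Bearer {token}", now=t0)
    expired = rs.get_profile(f"Bearer {token}", now=t0 + 3601)
    narrow = auth.issue_token("alice", "correct horse battery staple", "photo-printer",
                              ["photos:read"], now=t0)
    forbidden = rs.get_profile(f"Bearer {narrow}", now=t0)
    missing = rs.get_profile(None, now=t0)
    return ok[0], expired[0], forbidden[0], missing[0]


if __name__ == "__main__":
    print(demo_flow())
```

The point to notice is where the password travels: only `AuthorizationServer.issue_token` ever sees it, and the resource server authorizes purely on the token's scope and expiry. The phishing risk the reply raises is exactly a site that imitates that one credential prompt, which is why the legitimate prompt should live on a single, recognizable authorization-server origin.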