Adding OAuth2 + refresh token to existing WebAPI - best practice

  • Question

  • User-920976430 posted

    Part-built a WebAPI and trying to add in OAuth2 (in token refresh). Seeing lots of walk-throughs, demos, etc. that generally have parts or start from a different point (e.g. don't implement refresh or use Mobile apps helpers), and trying to mash these together with the existing WebAPI is proving a struggle. Before I go any further, is having the auth and API in the same API desirable, or is something like the sample OWIN OAuth 2.0 Authorization Server the way to go (separate auth server, API then just checks it has a valid token where authorisation is required)?

    And/or pointers to better examples / best practice, would be much appreciated! Requirements are: OAuth2 authentication, using client credentials (username+password if I read that right), with expiring access tokens, plus refresh tokens. Ideally would be able to logout of a session, but understand that is not really the way the tokens work. Credentials are checked against an existing database. Access to the API is initially via a Windows app.

    Many thanks, Craig

    Tuesday, March 26, 2019 5:59 PM

Answers

  • User475983607 posted

    is having the auth and API in the same API desirable or is something like the sample OWIN OAuth 2.0 Authorization Server the way to go (separate auth server, API then just checks it has a valid token where authorisation is required)? 

    I feel it is better.  The auth server does one thing.

    And/or pointers to better examples / best practice, would be much appreciated!

    The best place is the RFCs which describe the standards.  At least that's what helped me.

    https://tools.ietf.org/html/rfc6749#page-10

    https://tools.ietf.org/html/rfc6750

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, March 26, 2019 6:24 PM
  • User1724605321 posted

    Hi CraigBurton,

    I would suggest creating a separate auth server like an identity provider, or if you want a hosted solution, you might consider something like Azure Active Directory. Then your web API will be a resource protected by the auth server, and you can use the client credential flow to acquire an access token for accessing your API.

    Best Regards,

    Nan Yu

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, March 27, 2019 4:35 AM
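    Added example, not code from this thread: a minimal Python sketch of the two-server split both answers recommend, with the authorization server's token endpoint handling the RFC 6749 client_credentials and refresh_token grants and the resource server only checking the RFC 6750 Bearer header against a token store. Note that RFC 6749 §4.4.3 says a refresh token SHOULD NOT be included for the client credentials grant; it is issued here only because the question asks for one, and the single-use rotation and revoke() function show how the "logout" the question mentions can be approximated. The client id, secret and lifetimes are constructed, and the in-memory dicts stand in for the existing database.

```python
import hmac
import secrets
import time

# Constructed stand-ins for the existing database: client_id -> client_secret.
CLIENTS = {"winapp": "s3cret"}
ACCESS, REFRESH = {}, {}          # opaque token -> {"client_id", "exp"}
ACCESS_TTL, REFRESH_TTL = 300, 86400   # seconds; constructed values

def _issue(client_id, now):
    """Mint a fresh opaque access/refresh token pair (RFC 6749 §5.1 response shape)."""
    at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    ACCESS[at] = {"client_id": client_id, "exp": now + ACCESS_TTL}
    REFRESH[rt] = {"client_id": client_id, "exp": now + REFRESH_TTL}
    return {"access_token": at, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": rt}

def token_endpoint(form, now=None):
    """Authorization server POST /token: RFC 6749 §4.4 and §6. Returns (status, body)."""
    now = time.time() if now is None else now
    cid, secret = form.get("client_id"), form.get("client_secret", "")
    # Constant-time secret comparison; confidential clients must authenticate on both grants.
    if cid not in CLIENTS or not hmac.compare_digest(CLIENTS[cid].encode(), secret.encode()):
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "client_credentials":
        return 200, _issue(cid, now)
    if grant == "refresh_token":
        # Single-use refresh tokens: the presented one is consumed whether or not it is valid.
        rec = REFRESH.pop(form.get("refresh_token"), None)
        if rec is None or rec["client_id"] != cid or rec["exp"] <= now:
            return 400, {"error": "invalid_grant"}
        return 200, _issue(cid, now)
    return 400, {"error": "unsupported_grant_type"}

def revoke(refresh_token):
    """'Logout': drop the refresh token so the session cannot mint new access tokens."""
    REFRESH.pop(refresh_token, None)

def resource_endpoint(headers, now=None):
    """Resource server (the WebAPI): accept only a live 'Authorization: Bearer <token>' (RFC 6750 §2.1)."""
    now = time.time() if now is None else now
    scheme, _, tok = headers.get("Authorization", "").partition(" ")
    rec = ACCESS.get(tok) if scheme == "Bearer" else None
    if rec is None or rec["exp"] <= now:
        # RFC 6750 §3: challenge with the Bearer scheme on failure.
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    return 200, {"client_id": rec["client_id"]}
```

The access token only expires from the resource server's point of view; revoking the refresh token is what ends the session, which is why short access-token lifetimes matter for the logout requirement.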

All replies

  • User-920976430 posted

    Thanks both for the advice - separate auth looks like the way to go.

    Cheers, Craig

    Wednesday, March 27, 2019 9:06 AM