c# - Sharing OAuth Tokens Across Two Web API projects -


i have created web api application oauth token authentication. worked without issue when token server running on same application service. however, i'd move authorization service own application (vs project) , use across several web api projects working on. however, when isolated authorization logic it's own project original service no longer treats tokens generated valid. question is, possible 1 web api project generate token 1 validate? here owin startup code both auth service , original service

auth service:

public void configuration(iappbuilder app)     {         // more information on how configure application, visit http://go.microsoft.com/fwlink/?linkid=316888         httpconfiguration config = new httpconfiguration();          configureoauth(app);          webapiconfig.register(config);         app.usewebapi(config);         app.usecors(microsoft.owin.cors.corsoptions.allowall);     }      private void configureoauth(iappbuilder app)     {         oauthauthorizationserveroptions oauthserveroptions = new oauthauthorizationserveroptions()         {             allowinsecurehttp = true,             tokenendpointpath = new pathstring("/token"),             accesstokenexpiretimespan = timespan.fromdays(1),             provider = new simpleauthorizationserverprovider()         };          // token generation         app.useoauthauthorizationserver(oauthserveroptions);         app.useoauthbearerauthentication(new oauthbearerauthenticationoptions());     }

original service:

public void configuration(iappbuilder app)     {         configureoauth(app);         // more information on how configure application, visit http://go.microsoft.com/fwlink/?linkid=316888         httpconfiguration config = new httpconfiguration();          config.suppressdefaulthostauthentication();         config.filters.add(new hostauthenticationfilter(oauthdefaults.authenticationtype));           webapiconfig.register(config);          app.usecors(microsoft.owin.cors.corsoptions.allowall);         app.usewebapi(config);     }      public void configureoauth(iappbuilder app)     {         var oauthbeareroptions = new oauthbearerauthenticationoptions();         app.useoauthbearerauthentication(oauthbeareroptions);     }

just stumbled across q whilst researching myself. tl;dr answer tokens generated using machinekey properties in machine.config file: if want host on multiple servers need override this.

the machinekey can overridden in web.config : 

<system.web> <machinekey validationkey="value goes here"              decryptionkey="value goes here"              validation="sha1"              decryption="aes"/> </system.web>

machine keys should generated locally - using online service not secure. kb article generating keys

orginal ref here http://bitoftech.net/2014/09/24/decouple-owin-authorization-server-resource-server-oauth-2-0-web-api


Comments

Post a Comment

Popular posts from this blog

javascript - RequestAnimationFrame not working when exiting fullscreen switching space on Safari -

request animation frame stops working when exiting fullscreen clicking on original space's safari window. fine if fullscreen mode canceled escape key or calling cancelfullscreen(). steps reproduce: open https://dl.dropboxusercontent.com/u/769042/prezi/safari-fullscreen.html click "draw raf", kittie appears click "fullscreen", go fullscreen click "draw raf", kittie appears go space original safari was, showing "click exit fullscreen mode", click anywhere, out fullscreen click "draw raf", nothing happens what handling click calling: window.requestanimationframe(draw); which draws on canvas context: function draw() { ctx.drawimage(img, math.random()*500|0, math.random()*400|0, 100, 100); } i checked .hidden , .visibilitystate, updated correctly. tested on osx 10.9.3, safari 7.0.4 (9537.76.4). has workaround/solution other switching old settimeout? this sounds webkit bug 88940 : using reque...
Read more

jsf - How to ajax update an item in the footer of a PrimeFaces dataTable? -

this visual of table have: +---------+------------+-------------------+ | header1 | header2 | header3 | +---------+------------+-------------------+ | row | input | calc'ed output | | row b | input b | calc'ed output b | | etc.. | etc.. | etc.. | +---------+------------+-------------------+ | total: total calc'ed output | +------------------------------------------+ and stripped-down code: <p:datatable id="mytable" value="#{mybean.somelist}" var="currentitem"> <p:column headertext="header1"> <h:outputtext value="#{currentitem.name}" /> </p:column> <p:column headertext="header2"> <pe:inputnumber value="#{currentitem.inputval}"> <p:ajax event="change" listener="#{mybean.changelistener}" update="outputval outputtotal...
Read more

django - CSRF verification failed. Request aborted. CSRF cookie not set -

error: reason given failure: csrf cookie not set. in general, can occur when there genuine cross site request forgery, or when django's csrf mechanism has not been used correctly. post forms, need ensure: browser accepting cookies. view function uses requestcontext template, instead of context. in template, there {% csrf_token %} template tag inside each post form targets internal url. if not using csrfviewmiddleware, must use csrf_protect on views use csrf_token template tag, accept post data. you're seeing section of page because have debug = true in django settings file. change false, , initial error message displayed. can customize page using csrf_failure_view setting. did find, nothing helped, must foolish(( my template <form method="post">{% csrf_token %} {% field in form %} <div class="control-group"> {{ field }} </div> {% endfor %} <input type=...
Read more