Hi Zhi, I have two different, let's say, VS solutions. One is on .NET Framework 4.7.2, which is also a classic .NET MVC app with controllers, and IN THERE we are doing all the token validations with OWIN; the other solution is .NET 7 with controllers and different methods. Both apps are looking at the same database etc. We want the code for validating the token to be in one place, without having the obligation to rewrite it in the .NET 7 app. App A (OWIN, .NET 4.7.2 MVC) with ValidateRequests, GrantResources etc., and App B with .NET 7. The exercise is as follows. I have a REST API method in App B, GetUsers let's say. And I have this REST method decorated with the [Authorize] attribute. So when someone passes a valid token (this token will have the same format as the ones that App A generates and accepts), I want App B to send something to App A, where the validation lies, and App A will give me the grant permission to proceed or not. If I had an IdentityServer it would be feasible with the Introspection Endpoint. But now I have OAuth2 and I don't know how to tell App B (with .NET 7), when a request is made passing a token, to send this token first for validation to App A, and depending on the result App B will give me or not the results of the requested method. That's the exercise. I found some code and searched a lot, but I didn't find a clear way to do this. Everyone was talking about using IdentityServer, which is not in scope. It needs time and effort, and we are already in production. Can I call the /Token endpoint of OAuth2 from the .NET 7 App B (when the method has the Authorize decoration) and have it return me a result? A true or false result, to allow or not the REST API method to be executed?
How to send a token from .NET 7 Rest API project to Oauth Resource Server
Hi, I have a resource server which implements the OAuth2 security protocol. It supports client credentials and password. I have another app in VS2022, a REST API (controllers and everything), where I want to add the Authorize attribute and send the token from this app to my resource server. I don't want to rewrite the validate-token code again. I want everything to be in one place. So, in my .NET 7 app I have in the ConfigureServices section the below code:
    // outbound client-credentials token acquisition against the resource server's /token endpoint
    services.AddAccessTokenManagement(options =>
    {
        options.Client.Clients.Add("identityserver", new ClientCredentialsTokenRequest
        {
            Address = "http://localhost/myapp/token",
            ClientId = "ClientID",
            ClientSecret = "ClientSecret"//,
            //Scope = "api" // optional
        });
    });

    // inbound token validation scheme for [Authorize]
    services.AddAuthentication(OAuthValidationDefaults.AuthenticationScheme)
        .AddOAuthValidation(OAuthValidationDefaults.AuthenticationScheme);
In my Configure Section I have the below
    app.UseOwin();
    //app.UseAuthentication();
    app.UseRouting();
    app.UseAuthorization();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
    //// app.UseHttpsRedirection();
    app.UseStaticFiles();
In the controller I have decorated my API method with the [Authorize] attribute, but nothing of the above seems to work. From Swagger you can call the method and Swagger doesn't ask for authorization, and the resource server doesn't seem to receive the token that I'm passing and validate it. In the ConfigureServices for Swagger I also have the below:
    services.AddSwaggerGen(c =>
    {
        c.EnableAnnotations();
        c.SwaggerDoc("v1", new OpenApiInfo { Title = "MyWebApi", Version = "v1" });

        // declares the "Bearer" HTTP auth scheme so Swagger UI shows an Authorize button
        c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
        {
            In = ParameterLocation.Header,
            Description = "Please enter a valid token",
            Name = "Authorization",
            Type = SecuritySchemeType.Http,
            BearerFormat = "JWT",
            Scheme = "Bearer"
        });

        // applies that scheme to every operation in the document
        c.AddSecurityRequirement(new OpenApiSecurityRequirement
        {
            {
                new OpenApiSecurityScheme
                {
                    Reference = new OpenApiReference
                    {
                        Type = ReferenceType.SecurityScheme,
                        Id = "Bearer"
                    }
                },
                new string[] { }
            }
        });
    });
I don't have an IdentityServer implementation. My question is: how to use a kind of introspection between OAuth2 and .NET 7? Meaning by this: when I call the method from the .NET 7 REST API app, it will redirect the provided token to be validated in the OAuth2 server and get the appropriate response. Do we have any C# code examples, or can anyone assist me on this? Am I missing something? I appreciate your help on this.
7 answers
Bruce (SqlWork.com) 77,686 Reputation points Volunteer Moderator
2023-04-14T20:11:39.25+00:00
the validation is slightly different between your two sites.
on the MVC site owin validates the id token to the callback url. this owin callback validates the id token and then creates a cookie where it stores the identity properties. this cookie is used for authorization, not the token.
on the webapi site you will enable jwt bearer tokens. this is expecting an access (not id) token. the token will have the claims (one of which is the user id). you can override the token validation. in JwtBearerOptions, you can define the validation you want and use the token validation in the events (say, making a web service call to site a to validate an access token). you can also control the mapping of claims to principal.
you don't specify how the calling app gets the access token. if it's the MVC app making the call then you need to add support for access token caching. in this case the access token is stored in a cache with the user id as the key. you then call the owin GetTokenAsync() to get the access token. if on a web farm, you will need a distributed cache.
Zacharias Karasavvas 21 Reputation points
2023-04-17T16:00:28.8066667+00:00
Hi Bruce and thank you for your response. There is a web application which handles these two different apps. When you are trying to log in to this web application, all the calls to get the token, authentication and authorization are being made with calls to App A. App A is the REST API on .NET Framework 4.7.2 with the MVC and OWIN implementation. After you get the token from App A, and while you are still "inside" the web application, calls are being made to the second app, App B, which is written using different technologies: .NET 7, REST API methods. I want to avoid rewriting the OWIN authentication and all the code that I have in App A (the REST API which does the validation). I want the separate App B (.NET 7) to communicate somehow with App A and validate the provided token, which I HAVE ALREADY when I logged in to the system. I have the token. I am inside the web application and I want to call methods from App B (.NET 7, REST methods). App B will receive my token, but I want App B to communicate with App A, send the token, and App A will tell me if I'm good to go or not. Can .NET 7 REST API apps implement such functionality? In my first post I have some code, but I don't know if this is the right one or the right approach. Do you have any idea, if I decorate a REST API method with the [Authorize] attribute, how to send the provided token to a different app for validation? Kind of like an introspection between apps, but with OWIN security.
Bruce (SqlWork.com) 77,686 Reputation points Volunteer Moderator
2023-04-18T17:38:12.2133333+00:00
it is still not clear if app a is calling app b with an id or access token.
anyway in app b, you would use jwt authentication, and override the token validation. in the custom token validation, app b would call app a with the token, and get a validation response. this will happen on every request. you could share the signing key certificate:
https://devblogs.microsoft.com/dotnet/jwt-validation-and-authorization-in-asp-net-core/.
or use JwtBearerEvents.OnTokenValidated event to do the custom validation.
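The second option Bruce describes (JWT bearer authentication in App B whose token validation calls App A) can be wired up roughly as follows. This is an added example, not code from Bruce's answer or from either of the asker's projects. Since the thread does not say how App A would be called, it assumes App A exposes a validation endpoint at POST /api/token/validate (placeholder path) that takes the token as a form field and answers with JSON shaped like RFC 7662 introspection (active, sub, scope, exp), and that App B identifies itself to it with an API key placeholder; the RemoteTokenValidator class, the base address, the header name and the cache TTL are all invented here. Because the asker wants App A to keep the final say, the example takes over validation entirely in OnMessageReceived instead of checking the signature locally first; if the signing key were shared as in the linked article, the same remote call could go in OnTokenValidated with context.Fail() on a negative answer.

```csharp
// Program.cs for "App B" (.NET 7 Web API). Added example; everything about App A's
// endpoint (path, request/response shape, API key) is an assumption, not from the thread.
using System.Net.Http.Json;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Caching.Memory;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddMemoryCache();
builder.Services.AddHttpClient<RemoteTokenValidator>(client =>
{
    client.BaseAddress = new Uri("https://app-a.example.internal/"); // placeholder for App A
    client.Timeout = TimeSpan.FromSeconds(5);                        // never hang requests on App A
});

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Events = new JwtBearerEvents
        {
            // Runs before the handler parses the JWT itself. Setting a Principal and calling
            // Success() here makes the handler skip its own signature/issuer validation.
            OnMessageReceived = async context =>
            {
                string? header = context.Request.Headers.Authorization;
                if (string.IsNullOrEmpty(header) ||
                    !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                    return; // no bearer token: fall through to the normal 401 challenge

                var token = header["Bearer ".Length..].Trim();
                var validator = context.HttpContext.RequestServices
                    .GetRequiredService<RemoteTokenValidator>();
                var principal = await validator.ValidateAsync(token, context.HttpContext.RequestAborted);

                if (principal is null)
                    context.Fail("Token rejected by the OWIN authorization server");
                else
                {
                    context.Principal = principal;
                    context.Success();
                }
            }
        };
    });
builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Asks App A whether a token is valid and caches positive answers briefly, so App A is not
// hit on every request; the cache key is a SHA-256 of the token, not the raw bearer value.
public sealed class RemoteTokenValidator
{
    private static readonly TimeSpan PositiveCacheTtl = TimeSpan.FromMinutes(1);
    private readonly HttpClient _http;
    private readonly IMemoryCache _cache;

    public RemoteTokenValidator(HttpClient http, IMemoryCache cache)
    {
        _http = http;
        _cache = cache;
    }

    public async Task<ClaimsPrincipal?> ValidateAsync(string token, CancellationToken ct)
    {
        var cacheKey = "tokval:" + Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
        if (_cache.TryGetValue(cacheKey, out ClaimsPrincipal? cached))
            return cached;

        using var request = new HttpRequestMessage(HttpMethod.Post, "api/token/validate"); // assumed path
        request.Content = new FormUrlEncodedContent(new Dictionary<string, string> { ["token"] = token });
        request.Headers.Add("X-Api-Key", "<app-b-api-key-placeholder>"); // App B's own credential to App A

        using var response = await _http.SendAsync(request, ct);
        if (!response.IsSuccessStatusCode)
            return null; // fail closed: an unreachable or erroring App A means "not authorized"

        var body = await response.Content.ReadFromJsonAsync<ValidationResponse>(cancellationToken: ct);
        if (body is null || !body.Active || string.IsNullOrEmpty(body.Sub))
            return null;

        var claims = new List<Claim> { new(ClaimTypes.NameIdentifier, body.Sub) };
        foreach (var scope in (body.Scope ?? "").Split(' ', StringSplitOptions.RemoveEmptyEntries))
            claims.Add(new Claim("scope", scope));
        var principal = new ClaimsPrincipal(
            new ClaimsIdentity(claims, JwtBearerDefaults.AuthenticationScheme));

        // Never cache past the token's own expiry (exp is a Unix timestamp, if App A returns it).
        var ttl = PositiveCacheTtl;
        if (body.Exp is long exp)
        {
            var remaining = DateTimeOffset.FromUnixTimeSeconds(exp) - DateTimeOffset.UtcNow;
            if (remaining < ttl) ttl = remaining;
        }
        if (ttl > TimeSpan.Zero)
            _cache.Set(cacheKey, principal, ttl);
        return principal;
    }
}

// Assumed shape of App A's answer (modelled on RFC 7662 introspection; not defined by the thread).
public sealed record ValidationResponse(bool Active, string? Sub, string? Scope, long? Exp);
```

With this in place, a controller action marked [Authorize] in App B is reached only after App A has said the token is active, and the ClaimsPrincipal it sees carries whatever App A returned (here a NameIdentifier and one "scope" claim per scope). Two points worth keeping whatever shape App A's endpoint ends up having: any error talking to App A is treated as a rejection rather than a pass, and only positive answers are cached, bounded by the token's expiry, so a revoked token stops working within the TTL rather than for as long as the process lives. The call to App A forwards a live bearer token, so it should only ever go over TLS to an internal address.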
Zacharias Karasavvas 21 Reputation points
2023-04-19T18:40:20.81+00:00
Hi Bruce, App A with OWIN will always validate the token. The validation code is in there. App B with .NET 7 will receive the token, and I want somehow to send this received token for validation to get a go or no-go from App A. App A (OWIN) is the general here. App B (the one with .NET 7) will just have methods with the [Authorize] decoration and receive tokens. These received tokens could be valid or not, but this is what I'm trying to achieve. App B must then send them to App A (the OWIN implementation), and App A will have the final decision on whether everything is OK or not. Rewriting the token validations in App B will create a problem because I will have two token validations in two different places. And of course I will have to maintain them as well. Can a .NET 7 Core app send a token (whatever token it has, we don't care, since it will be validated) to an OWIN app and get a response? I will definitely take a look at the article you've sent. Thank you Bruce.