oauth 2.0 - How do I authorize access to ServiceStack resources using OAuth2 access tokens via DotNetOpenAuth? -


i've created oauth2 authorization server using dotnetopenauth, working fine - i'm using resource owner password flow, , exchanging user credentials access token.

i want use access token retrieve data secure endpoints in servicestack api, , can't work out how so. i've examined facebook, google, etc. providers included servicestack it's not clear whether should following same pattern or not.

what i'm trying achieve (i think!) is

  1. oauth client (my app) asks resource owner ('catherine smith') credentials
  2. client submits request authorization server, receives access token
  3. client requests secure resource resource server (get /users/csmith/photos)
    • the access token included in http header, e.g. authorization: bearer 1234abcd...
  4. the resource server decrypts access token verify identity of resource owner
  5. the resource server checks resource owner has access requested resource
  6. the resource server returns resource client

steps 1 , 2 working, can't work out how integrate dotnetopenauth resource server code servicestack authorization framework.

is there example somewhere of how achieve this? i've found similar stackoverflow post @ how build secured api using servicestack resource server oauth2.0? isn't complete solution , doesn't seem use servicestack authorization provider model.

edit: little more detail. there's 2 different web apps in play here. 1 authentication/authorisation server - doesn't host customer data (i.e. no data api), exposes /oauth/token method accept username/password , return oauth2 access token , refresh token, , provides token-refresh capability. built on asp.net mvc because it's identical authorizationserver sample included dotnetopenauth. might replaced later, it's asp.net mvc.

for actual data api, i'm using servicestack because find better webapi or mvc exposing restful data services.

so in following example:

sequence diagram

the client desktop application running on user's local machine, auth server asp.net mvc + dotnetopenauth, , resource server servicestack

the particular snippet of dotnetopenauth code that's required is:

// scopes specific oauth2 scope associated current api call. var scopes = new string[] { "some_scope", "some_other_scope" }  var analyzer = new standardaccesstokenanalyzer(authserverpublickey, resourceserverprivatekey); var resourceserver = new dotnetopenauth.oauth2.resourceserver(analyzer); var wrappedrequest = system.web.httprequestwrapper(httpcontext.current.request); var principal = resourceserver.getprincipal(wrappedrequest, scopes);  if (principal != null) {     // we've verified oauth2 access token grants principal     // access requested scope. }

so, assuming i'm on right track, need run code somewhere in servicestack request pipeline, verify authorization header in api request represents valid principal has granted access requested scope.

i'm starting think logical place implement in custom attribute use decorate servicestack service implementations:

using servicestack.serviceinterface; using spotauth.common.servicemodel;  namespace spotauth.resourceserver.services {     [requirescope("hello")]     public class helloservice : service {         public object any(hello request) {             return new helloresponse { result = "hello, " + request.name };         }     } }

this approach allow specifying scope(s) required each service method. however, seems run rather contrary 'pluggable' principle behind oauth2, , extensibility hooks built in servicestack's authprovider model.

in other words - i'm worried i'm banging in nail shoe because can't find hammer...

update on further reflection, initial thought, create requiredscope attribute cleaner way go. adding servicestack pipeline easy adding ihasrequestfilter interface, implementing custom request filter, documented here: https://github.com/servicestack/servicestack/wiki/filter-attributes

public class requirescopeattribute : attribute, ihasrequestfilter {   public void requirescope(ihttprequest req, ihttpresponse res, object requestdto)   {       //this code executed before service       //close request if user lacks required scope   }    ... }

then decorate dto's or services you've outlined:

using servicestack.serviceinterface; using spotauth.common.servicemodel;  namespace spotauth.resourceserver.services {     [requirescope("hello")]     public class helloservice : service {         public object any(hello request) {             return new helloresponse { result = "hello, " + request.name };         }     } }

your requirescope custom filter identical servicestack's requiredroleattribute implementation., use starting point code from.

alternately, map scope permission. decorate dto or service accordingly (see ss wiki details) example:

[authenticate] [requiredpermission("hello")]     public class helloservice : service {         public object any(hello request) {             return new helloresponse { result = "hello, " + request.name };         }     }

normally servicestack calls method bool haspermission(string permission) in iauthsession. method checks if list list permissions in iauthsession contains required permission, so, in custom iauthsession override haspermission , put oauth2 scopes checking there.


Comments

Post a Comment

Popular posts from this blog

c# - Send Image in Json : 400 Bad request -

from android trying send image class of data, iis webservice. (c#) the problem 400 bad request . the image being encoded base64 . , placed json rest of class elements. my guess base64 not valid inside json. server not understand it. if set string "" , post accepted fine. so question is, how make base64 valid within json array? ( tried url.encode no success). or how should send image android webservice? gson gson = new gson(); string json = gson.tojson(record); // record has param { string base64photo } how big image? i'm pretty sure surpassing iis json size limit (default 4 mb). check http://geekswithblogs.net/frankw/archive/2008/08/05/how-to-configure-maxjsonlength-in-asp.net-ajax-applications.aspx or http://www.webtrenches.com/post.cfm/iis7-file-upload-size-limits good luck!
Read more

jquery - Fancybox - apply a function to several elements -

this source code below posted cristiano g. carvalho in answer question: calling fancybox gallery other link made user. <div class="details_gallery"> <a href="#" class="manualfancybox">manual call fancybox</a> <div class="details_gallery_min"> <a rel="details" href="max/1.jpg" class="fancybox"><img src="min/1.jpg" alt="" /></a> <a rel="details" href="max/2.jpg" class="fancybox"><img src="min/2.jpg" alt="" /></a> <a rel="details" href="max/3.jpg" class="fancybox"><img src="min/3.jpg" alt="" /></a> <a rel="details" href="max/4.jpg" class="fancybox"><img src="min/4.jpg" alt="" /></a> </div> </div> <script> $(document).read
Read more

An easy way to program an Android keyboard layout app -

i program android app replaces standard keyboard 1 one-hand optimized coffee++ keyboard layout. what special problems have face in progress? guess such project go deep android core, cause keyboard such essential thing. is wise start android developer tools (adt)—eclipse plugin described in this tutorial ? or there better way achieve goal? i new android programming, firm in php, mysql , javascript , use eclipse php i guess such project go deep android core, cause keyboard such essential thing. no. can create inputmethodservice implementation of keyboard. there sample soft keyboard in android sdk installation (if chose download sample code sdk manager), , there open source input methods floating around well, such hacker's keyboard. inputmethodservice distributed part of ordinary android application, , user can elect activate input method if user chooses. is wise start android developer tools (adt)—eclipse plugin described in tutorial? that fine s
Read more