
I need to implement authentication for some web services that we will be hosting. I want to use open standards, so I am interested in OAuth.

I will be using WebAPI for these services.

So here's where I'm running into trouble: Most (or maybe all) of the API Key/OAuth scenarios that I have read involve (at some point or another) a user sitting in front of a screen.

I need to put together an API that a business partner will be calling. The calls will come from an automated process -- nowhere in the chain will there be a person who can be redirected to a web site with logon credentials.

However, I don't want just anyone coming around and calling my services.

So, I read about OAuth, and how it uses a shared secret to sign each request, and I think that's what I'm after. (I would either set up a session key, or could consider making one of the parameters a "ticks" value, and only accept requests within a short timeframe, etc)

I was kind of hoping that I could use DotNetOpenAuth to accomplish this (or something like it), but every example I come across begins with "the user gets redirected to a login page". I only need "2 leg" authentication.

Is there an example of using DotNetOpenAuth to do this?

Is there a better way to go?

1 Answer


If you are looking at OAuth 2 then the flow you are describing is the Client Credentials Grant.

This kind of "two legged" / "service account" flow is one that doesn't have a web-page-based step.

DotNetOpenAuth supports the Client Credentials Grant. You can see an example of it in action here; however, be aware even though the author states it is the "Resource Owner Password Credentials" grant it is actually the Client Credentials Grant.

The blog post above was a little out of step with the latest DotNetOpenAuth code base, but the differences are quickly identified and altered.

I believe that, as it stands, DotNetOpenAuth only supports issuing a Bearer token using HTTP Basic authentication. There are other, more exotic extensions to OAuth 2 with a similar flow, e.g. the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (but, as stated, this is not yet part of DotNetOpenAuth).
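As an added example (it is not from the question, the answer, or the DotNetOpenAuth code base), here is the Client Credentials exchange end to end: the automated client authenticates to the token endpoint with HTTP Basic, the authorization server issues a Bearer token, and the client presents that token to the API, where the resource server checks it. The token format used here (HMAC-signed JSON claims over a key named TOKEN_KEY) is a simplified stand-in for the certificate-signed token DotNetOpenAuth issues; the client id, secret, paths, and the sample time values are constructed for the example.

```python
"""Client Credentials Grant (RFC 6749 section 4.4), both sides, runnable offline.

Added example; the token signing scheme is an illustrative HMAC stand-in, not
what DotNetOpenAuth does. Registrations and times below are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed client registration; a real server reads this from a client store.
CLIENT_SECRETS = {"partner-batch": "s3cr3t-shared-out-of-band"}
TOKEN_KEY = b"hypothetical-key-shared-by-token-and-resource-server"
TOKEN_LIFETIME = 3600  # seconds


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest())


def build_token_request(client_id, client_secret, scope=None):
    """Client side: POST /token with HTTP Basic client auth (RFC 6749 s.2.3.1)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return {"method": "POST", "path": "/token",
            "headers": {"Authorization": "Basic " + creds,
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(form)}


def token_endpoint(req, now=None):
    """Authorization server: authenticate the client, then issue a signed Bearer token."""
    now = int(time.time() if now is None else now)
    auth = req["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:
        return 401, {"error": "invalid_client"}
    expected = CLIENT_SECRETS.get(client_id, "")
    # Constant-time comparison of the shared secret; unknown ids fall through to 401.
    if client_id not in CLIENT_SECRETS or not hmac.compare_digest(
            secret.encode(), expected.encode()):
        return 401, {"error": "invalid_client"}
    form = parse_qs(req["body"], strict_parsing=True)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    claims = {"sub": client_id, "iat": now, "exp": now + TOKEN_LIFETIME,
              "jti": secrets.token_urlsafe(16)}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    token = payload + "." + _sign(payload.encode())
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_LIFETIME}


def build_api_request(token, path="/api/orders"):
    """Client side: present the token per RFC 6750 (Authorization: Bearer ...)."""
    return {"method": "GET", "path": path,
            "headers": {"Authorization": "Bearer " + token}}


def protected_resource(req, now=None):
    """Resource server: verify the token's signature and expiry before serving."""
    now = int(time.time() if now is None else now)
    auth = req["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    payload, _, sig = auth[7:].partition(".")
    if not sig or not hmac.compare_digest(sig.encode(), _sign(payload.encode()).encode()):
        return 401, {"error": "invalid_token"}
    try:
        claims = json.loads(_unb64(payload))
    except ValueError:
        return 401, {"error": "invalid_token"}
    if claims.get("exp", 0) <= now:
        return 401, {"error": "invalid_token", "error_description": "expired"}
    return 200, {"client": claims["sub"], "orders": ["order-1", "order-2"]}


if __name__ == "__main__":
    t0 = 1_700_000_000
    status, body = token_endpoint(build_token_request("partner-batch",
                                  CLIENT_SECRETS["partner-batch"]), now=t0)
    print("token endpoint:", status, body)
    print("api call:", protected_resource(build_api_request(body["access_token"]), now=t0 + 5))
```

Because the whole exchange runs over HTTPS, the only thing protecting the token request is the client secret in the Basic header and the only thing protecting the API call is the Bearer token itself, so both must be kept confidential on the client, and the resource server must reject expired or tampered tokens as shown.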


2 Comments

Hi Mark, I've read through the code. I'm a little confused on one point: There is some code there that loads up a public and private certificate. I had thought that OAuth was for providing a means of authentication that did not rely upon SSL certs. Is that a required step? What am I missing here?
Hi @JMarsch The OAuth 2 specification differs from OAuth 1 in that it DOES rely upon HTTPS communication for all its requests; this allows in "theory" for a Bearer token to be sent unprotected... however, one really should protect the Bearer tokens. The "token" that is generated, i.e. the Bearer token, needs to be trusted. In the example blog it is therefore signed using the private key of the SSL cert. Although the signing or encryption of Bearer tokens is not mandated in the OAuth 2 specification, it is recommended. DotNetOpenAuth therefore applies the signature to the token.
