OWIN Authentication Server for multiple applications

Question

I am in the process of implementing a solution that has an MVC client (lets call this CLIENT at localhost:4077/) with a WebAPI service (called API at localhost:4078/)

I have implemented OWIN OAuth in the API but wanted to know whether the OWIN could be implemented in a separate solution (lets call it AUTH at localhost:4079/token) to generate the token for the CLIENT, then the CLIENT passes this to the API (as the Bearer authorisation token)

The reason i am querying this is that there is likely to be additional WebAPI services that will be accessed by the CLIENT and i'd like to use OWIN between the client and all API services.

The issue is i am not sure if the token generated by the AUTH service could be used to authorise all requests on the CLIENT and all API services.

Has anyone implemented anything like this and if so could you provide an example, i am pretty new to OWIN and OAUTH so any help would be greatly appreciated

Answer 1

Separating the authorization server from the resource server is extremely easy: it will even work without any extra code if you use IIS and if you have configured identical machine keys on both applications/servers.

Supporting multiple resource servers is a bit harder to implement with the OWIN OAuth2 server if you need to select which endpoints an access token can gain access to. If you don't care about that, just configure all your resource servers with the same machine keys, and you'll be able to access all your APIs with the same tokens.

To have more control over the endpoints that can be used with an access token, you should take a look at AspNet.Security.OpenIdConnect.Server - a fork of the OAuth2 server that comes with OWIN/Katana - that natively supports this scenario: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server.

It's relatively easy to set up:

Add a new middleware issuing tokens in your authorization server application (in Startup.cs):

app.UseOpenIdConnectServer(new OpenIdConnectServerOptions
{
    Provider = new AuthorizationProvider()
});

Add new middleware validating access tokens in your different API servers (in Startup.cs):

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
    // AllowedAudiences MUST contain the absolute URL of your API.
    AllowedAudiences = new[] { "http://localhost:11111/" },

    // X509CertificateSecurityTokenProvider MUST be initialized with an issuer corresponding to the absolute URL of the authorization server.
    IssuerSecurityTokenProviders = new[] { new X509CertificateSecurityTokenProvider("http://localhost:50000/", certificate) }
});

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
    // AllowedAudiences MUST contain the absolute URL of your API.
    AllowedAudiences = new[] { "http://localhost:22222/" },

    // X509CertificateSecurityTokenProvider MUST be initialized with an issuer corresponding to the absolute URL of the authorization server.
    IssuerSecurityTokenProviders = new[] { new X509CertificateSecurityTokenProvider("http://localhost:50000/", certificate) }
});

Finally, add a new OpenID Connect client middleware in your client app (in Startup.cs):

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    // Some essential parameters have been omitted for brevity.
    // See https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Mvc/Mvc.Client/Startup.cs for more information

    // Authority MUST correspond to the absolute URL of the authorization server.
    Authority = "http://localhost:50000/",

    // Resource represents the different endpoints the
    // access token should be issued for (values must be space-delimited).
    // In this case, the access token will be requested for both APIs.
    Resource = "http://localhost:11111/ http://localhost:22222/",
});

You can have a look at this sample for more information: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Mvc/

It doesn't use multiple resource servers, but it shouldn't be hard to adapt it using the different steps I mentioned. Feel free to ping me if you need help.