IMPLEMENT AN OAUTH 2.0 SERVER (PART 19)

Welcome to the nineteenth and final part of a series of posts where we will implement an OAuth 2 Server using AspNet.Security.OpenIdConnectServer. Pushing to Azure To finish off this project, we’ll be deploying our application to the free tier of Microsoft Azure. We’ll be taking most of our cues from Nate Barbettini’s excellent Little ASP.NET Core Book. For the purposes of this tutorial, I assume you already have a Microsoft account and are willing to use it to deploy to the cloud.

IMPLEMENT AN OAUTH 2.0 SERVER (PART 18)

Welcome to the eighteenth part of a series of posts where we will implement an OAuth 2 Server using AspNet.Security.OpenIdConnectServer. Rate Limiting - Attribute Creation We left off last section with rate limits being granted to clients and tokens at creation time, but we don’t yet have a way to check those limits when they call our API. To do so, we’ll be making an Attribute that we can use to decorate the controllers or methods that we want to be rate limited.

IMPLEMENT AN OAUTH 2.0 SERVER (PART 17)

Rate Limiting - Models and Provider Changes There are any number of different ways to implement rate limits - the approach we will follow is outlined like so: All endpoints under /v1/api are limited, no endpoint is free. All endpoints share a limit. Calling /me 1,999 times, then /albums once will rate limit you on the next call. (Assuming a limit of 2,000 for some timeframe.) Renewing a token counts towards the limit - after all, the token endpoint is underneath /api/v1/.

IMPLEMENT AN OAUTH 2.0 SERVER (PART 16)

Welcome to the sixteenth part of a series of posts where we will implement an OAuth 2 Server using AspNet.Security.OpenIdConnectServer. Token Revocation Token revocation is the process of invalidating already issued tokens. Because tokens are serialized with server data taken at a snapshot in time, there is no way for a token to know whether it’s been invalidated, except for when it comes to its expiration date. Further, there’s no given way for the server to know a token has been revoked either - at least, not without a backing datastore.

IMPLEMENT AN OAUTH 2.0 SERVER (PART 15)

Welcome to the fifteenth part of a series of posts where we will implement an OAuth 2 Server using AspNet.Security.OpenIdConnectServer. Scope Authorization with Policies, Requirements and Handlers Just adding Authorization attributes is insufficient for our purposes - our tokens have scopes associated with them, and our endpoint authorization checks should reflect that. To do so, we will use policies, which you can read about on the Microsoft Docs. Policies are fragments you can add to an authorization attribute that confirm whether a given HttpContext meets the requirements of the attribute, beyond simply being authenticated or not.

IMPLEMENT AN OAUTH 2.0 SERVER (PART 14)

Welcome to the fourteenth part of a series of posts where we will implement an OAuth 2 Server using AspNet.Security.OpenIdConnectServer. Adding OAuth Validation Our server successfully issues the three token types, but we don’t have a way to actually force a token check on our endpoints yet. One of the packages we downloaded initially was AspNet.Security.OAuth.Validation. We’re going to use that to add OAuth Validation to our server. In Startup.cs’s ConfigureServices, add .

IMPLEMENT AN OAUTH 2.0 SERVER (PART 13)

Welcome to the thirteenth part of a series of posts where we will implement an OAuth 2 Server using AspNet.Security.OpenIdConnectServer. Identity, Claims, and Authorization Tickets We’ve been skirting talking about claims and authentication tickets by hiding all of it behind our TicketCounter class. You can get an in-depth overview of what those are over at the Microsoft Docs. Claims are how the ASP.NET team has approached identity and authorization details since about 2016.

IMPLEMENT AN OAUTH 2.0 SERVER (PART 12)

Welcome to the twelfth part of a series of posts where we will implement an OAuth 2 Server using AspNet.Security.OpenIdConnectServer. Authorization Request Accept/Deny View Two of the three flows we support, Implicit Grant and Authorization Code, are interactive flows - they require that the user be presented with a screen where they can accept or deny the authorization request. As a preview, this is what our auth page will look like: Add the ViewModel Under Models/, add a new folder AuthorizeViewModels/ and add a new AuthorizeViewModel class:

IMPLEMENT AN OAUTH 2.0 SERVER (PART 11)

Welcome to the eleventh part of a series of posts where we will implement an OAuth 2 Server using AspNet.Security.OpenIdConnectServer. Services Our methods thus far have been peppered with a reference to a service named ValidationService. This lightweight class is a service that queries our database. Nothing is preventing us from doing these checks inside the OAuthProvider class itself, but the abstraction lends itself to a cleaner batch of methods.

IMPLEMENT AN OAUTH 2.0 SERVER (PART 10)

Welcome to the tenth part of a series of posts where we will implement an OAuth 2 Server using AspNet.Security.OpenIdConnectServer. Authorization Provider - Token Methods We’re still implementing the Providers/OAuthProvider.cs class we made in the previous section. Here we’re going to deal with the three Token methods we left un-overridden from last time: ValidateTokenRequest, HandleTokenRequest, ApplyTokenResponse. Validate Token Request As a small warning, the validate token request endpoint is one of the longest methods we’ll be implementing.