
Store owin oauth bearer token

I am creating a simple authentication server using the default owin oauth server. After supplying the correct credentials a bearer token is generated and returned to the client. Among others, I used this tutorial by Taiseer.

I would like to store the token in a database before the token is sent to the client. Maybe I completely overlooked it, but where can I get the token before it is sent? As far as I know the token is generated after the ticket is validated in the GrantResourceOwnerCredentials method. I am guessing the token is stored in the context. How can I get it out?

Startup.cs

private void ConfigureAuthServer(IAppBuilder app) {
  // Configure the application for OAuth based flow
  var oAuthServerOptions = new OAuthAuthorizationServerOptions {
    //For Dev environment only (on production should be AllowInsecureHttp = false)
    AllowInsecureHttp = true,
    TokenEndpointPath = new PathString("/oauth/token"),
    Provider = new ApplicationOAuthProvider(),
    AccessTokenExpireTimeSpan = TimeSpan.FromDays(14)
  };

  // Enable the application to use bearer tokens to authenticate users
  app.UseOAuthAuthorizationServer(oAuthServerOptions);
  app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}

ApplicationOAuthProvider

public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) {
  //Dummy check here
  if (context.UserName != context.Password) {
    context.SetError("invalid_grant", "The user name or password is incorrect");
    return Task.FromResult<object>(null);
  }

  var claims = new List<Claim> {
    new Claim(ClaimTypes.NameIdentifier, context.UserName),
    new Claim(ClaimTypes.Name, context.UserName)
  };

  var oAuthIdentity = new ClaimsIdentity(claims, OAuthDefaults.AuthenticationType);

  AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, new AuthenticationProperties());
  context.Validated(ticket);
  return Task.FromResult<object>(null);
}

public override Task TokenEndpoint(OAuthTokenEndpointContext context) {
  foreach (KeyValuePair<string, string> property in context.Properties.Dictionary) {
    context.AdditionalResponseParameters.Add(property.Key, property.Value);
  }

  return Task.FromResult<object>(null);
}

Note: for those who wonder why I want to store the tokens.. it is a requirement I have to fulfill.

To fetch the token before it is sent to the client you must override TokenEndpointResponse:

public override Task TokenEndpointResponse(OAuthTokenEndpointResponseContext context)
{
    return base.TokenEndpointResponse(context);
}

The context object has a property AccessToken which contains the representation of the token as a string.


OAuthTokenEndpointResponseContext contains a dictionary of objects, IDictionary<string, object>, in AdditionalResponseParameters which allows us to find all the claims for the identity.

If we wanted to fetch the expiration of the token we would find the claim .expires in the dictionary:

context.AdditionalResponseParameters[".expires"]

There's a github repository if someone is interested in playing with a simple integration of client and server interaction.
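As an added example (not code from the question, either answer, or the linked tutorial), here is how the TokenEndpointResponse hook from the first answer can persist the token, taking the lifetime from the ticket rather than from the ".expires" entry the second answer describes. It targets the Microsoft.Owin.Security.OAuth package the question already uses. ITokenStore and InMemoryTokenStore are assumptions introduced for illustration; because the provider's constructor now takes a store, the `Provider = new ApplicationOAuthProvider()` line in Startup.cs would become `Provider = new ApplicationOAuthProvider(new InMemoryTokenStore())`. Two points a practitioner would want: the bearer string is a credential, so the store keeps a SHA-256 hash of it rather than the plaintext (a leaked table then cannot be replayed, while a presented token can still be looked up for revocation or auditing); and ".expires" only appears in AdditionalResponseParameters because the question's TokenEndpoint override copies context.Properties.Dictionary into it, whereas context.Properties.ExpiresUtc is set by the authorization server handler before TokenEndpoint runs and is available regardless.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Hypothetical persistence abstraction (not part of OWIN/Katana). Back it with
// whatever database the requirement calls for; the in-memory version below exists
// only so the sample wires up without external dependencies.
public interface ITokenStore
{
    Task SaveAsync(string tokenHash, string userId, DateTimeOffset? issuedUtc, DateTimeOffset? expiresUtc);
}

public sealed class InMemoryTokenStore : ITokenStore
{
    // key: SHA-256 hex of the bearer string; value: (user id, issued, expires)
    public readonly ConcurrentDictionary<string, Tuple<string, DateTimeOffset?, DateTimeOffset?>> Tokens =
        new ConcurrentDictionary<string, Tuple<string, DateTimeOffset?, DateTimeOffset?>>();

    public Task SaveAsync(string tokenHash, string userId, DateTimeOffset? issuedUtc, DateTimeOffset? expiresUtc)
    {
        Tokens[tokenHash] = Tuple.Create(userId, issuedUtc, expiresUtc);
        return Task.FromResult<object>(null);
    }
}

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    private readonly ITokenStore _store;

    public ApplicationOAuthProvider(ITokenStore store)
    {
        _store = store;
    }

    // GrantResourceOwnerCredentials and TokenEndpoint stay exactly as in the question.

    public override async Task TokenEndpointResponse(OAuthTokenEndpointResponseContext context)
    {
        // context.AccessToken is the exact bearer string the client is about to receive.
        // Persist only a hash of it: the token is high-entropy, so an unsalted SHA-256
        // is enough to make a leaked table useless while still allowing exact lookups.
        string tokenHash = Sha256Hex(context.AccessToken);

        Claim idClaim = context.Identity.FindFirst(ClaimTypes.NameIdentifier);
        string userId = idClaim == null ? null : idClaim.Value;

        // The handler set IssuedUtc/ExpiresUtc on the ticket before TokenEndpoint ran,
        // so read the lifetime from Properties instead of parsing ".expires" by hand.
        await _store.SaveAsync(tokenHash, userId, context.Properties.IssuedUtc, context.Properties.ExpiresUtc);

        await base.TokenEndpointResponse(context);
    }

    internal static string Sha256Hex(string token)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(token));
            var hex = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest)
            {
                hex.Append(b.ToString("x2"));
            }
            return hex.ToString();
        }
    }
}
```

Storing the hash does not replace the token's own validation: with the default options the bearer string is an encrypted, signed ticket produced by the data protection format, and OAuthBearerAuthentication keeps verifying it on every request. The stored row is what lets the server answer questions the self-contained token cannot, such as whether a token has been revoked or which tokens are outstanding for a user.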
