
OAuthAuthorizationServerProvider: validate client bearer token

I was able to generate a token by validating the incoming username and password. In startup.cs I have this

using System;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);

        OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
        {
            AllowInsecureHttp = true, // tokens travel in the clear over HTTP; only acceptable for local development
            TokenEndpointPath = new PathString("/api/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(100),
            Provider = new MYAuthorizationServerProvider(),
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active
        };

        // Token generation
        app.UseOAuthAuthorizationServer(OAuthServerOptions);
        // Token consumption: reads the bearer token on each request and builds the principal from it
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
        {
            Provider = new OAuthBearerAuthenticationProvider()
        });

        HttpConfiguration config = new HttpConfiguration();
        WebApiConfig.Register(config);
    }
}

In MYAuthorizationServerProvider I have:

public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    var identity = new ClaimsIdentity(context.Options.AuthenticationType);
    var userServices = new UserService();
    var user = await userServices.ValidateUser(context.UserName, context.Password);

    if (user == null)
    {
        context.SetError("invalid_grant", "Provided username and password is incorrect");
        return;
    }

    // Claims added here are serialized into the access token that is returned to the client
    identity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));
    identity.AddClaim(new Claim("username", user.UserName));
    identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
    context.Validated(identity);
}

This is all good until now. I have a controller which is accessible only by Admin role and it works fine for the token generated.

Now let's assume that I have stripped the role from that specific user in the backend, or deactivated the user. Now the token should not work for that specific controller, or the authentication should be invalidated because the user is deactivated. How does OAuth know about the back-end change, and how does it validate?

If someone could provide an answer with some example that would be really helpful.

I also have public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context), but for some reason it does not fire.

How does OAuth know about the back-end change, and how does it validate?

It only verifies the username and password against the backend when the user signs in. After that, the principal and claims are set from the token that the client passes along with each request.

One option is to create a custom authorization filter which validates the user against the backend on every request, but that is not recommended, as it would be very costly in request time.

A better option would be to set the token's lifetime to something lower than 100 days (AccessTokenExpireTimeSpan = TimeSpan.FromDays(1)) and add a RefreshTokenProvider to the OAuthAuthorizationServer. Then, in that provider, revalidate the user against the backend. You could read here about how to implement a refresh provider.
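The short-access-token plus refresh-token approach described in the answer, as an added example that is not part of the original question or answer. It uses the real Katana (Microsoft.Owin.Security.OAuth) types; everything else is an assumption for illustration: the IUserStore/InMemoryUserStore/AppUser backend stand-in (in place of the question's UserService), the constructed user "alice" with password "P@ssw0rd", the 20-minute access-token and 14-day refresh-token lifetimes, and the MyRefreshTokenProvider and MyAuthorizationServerProvider class names. The backend is consulted in GrantRefreshToken, so a deactivated user or a stripped role takes effect at the next refresh; an access token that is already in the client's hands stays valid until it expires, which is exactly why its lifetime is kept short. ValidateClientAuthentication is included because the token endpoint answers invalid_client for every grant type unless that override calls Validated().

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical backend (stands in for the question's UserService); the sample user is constructed.
public class AppUser { public string UserName; public bool IsActive; public string[] Roles; }
public interface IUserStore
{
    Task<AppUser> ValidateAsync(string userName, string password); // null when credentials are wrong
    Task<AppUser> FindAsync(string userName);                      // null when the user was deleted
}
public class InMemoryUserStore : IUserStore
{
    private readonly Dictionary<string, AppUser> _users = new Dictionary<string, AppUser>
        { { "alice", new AppUser { UserName = "alice", IsActive = true, Roles = new[] { "Admin" } } } };
    public Task<AppUser> FindAsync(string userName)
    { AppUser u; return Task.FromResult(_users.TryGetValue(userName, out u) ? u : null); }
    public Task<AppUser> ValidateAsync(string userName, string password)
    { return password == "P@ssw0rd" ? FindAsync(userName) : Task.FromResult<AppUser>(null); } // demo only
}

// Issues a refresh token alongside each access token and unprotects it when one is presented.
public class MyRefreshTokenProvider : IAuthenticationTokenProvider
{
    private static readonly TimeSpan RefreshLifetime = TimeSpan.FromDays(14); // assumption: longer than the access token
    public void Create(AuthenticationTokenCreateContext context) { CreateAsync(context).Wait(); }
    public void Receive(AuthenticationTokenReceiveContext context) { ReceiveAsync(context).Wait(); }

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        // The server has already captured the access token's expiry; the ticket now gets the refresh token's own.
        var now = DateTimeOffset.UtcNow;
        context.Ticket.Properties.IssuedUtc = now;
        context.Ticket.Properties.ExpiresUtc = now.Add(RefreshLifetime);
        context.SetToken(context.SerializeTicket()); // protected with the server's data-protection key
        return Task.FromResult(0);
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        // A tampered token leaves Ticket null; an expired one fails the server's ExpiresUtc check.
        // Either way the server answers invalid_grant and GrantRefreshToken is never reached.
        context.DeserializeTicket(context.Token);
        return Task.FromResult(0);
    }
}

public class MyAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    private readonly IUserStore _users;
    public MyAuthorizationServerProvider(IUserStore users) { _users = users; }

    // The token endpoint answers invalid_client unless this override calls Validated().
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var user = await _users.ValidateAsync(context.UserName, context.Password);
        if (user == null || !user.IsActive) { context.SetError("invalid_grant", "Invalid username or password."); return; }
        context.Validated(BuildIdentity(user, context.Options.AuthenticationType));
    }

    // grant_type=refresh_token: the refresh token was valid, so consult the backend again before issuing a new
    // access token. A deactivated user or a stripped role takes effect here, not on the still-live access token.
    public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        var user = await _users.FindAsync(context.Ticket.Identity.Name); // ClaimTypes.Name was set at sign-in
        if (user == null || !user.IsActive) { context.SetError("invalid_grant", "User is no longer active."); return; }
        var identity = BuildIdentity(user, context.Ticket.Identity.AuthenticationType);
        context.Validated(new AuthenticationTicket(identity, context.Ticket.Properties)); // roles rebuilt from the backend
    }

    private static ClaimsIdentity BuildIdentity(AppUser user, string authenticationType)
    {
        var identity = new ClaimsIdentity(authenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
        foreach (var role in user.Roles) identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return identity;
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/api/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20), // short: bounds how long a revoked user keeps access
            Provider = new MyAuthorizationServerProvider(new InMemoryUserStore()),
            RefreshTokenProvider = new MyRefreshTokenProvider()
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
```

The client signs in with grant_type=password&username=alice&password=P@ssw0rd and receives both an access_token and a refresh_token; when the access token expires it posts grant_type=refresh_token&refresh_token=... to /api/token. Because CreateAsync runs again on every successful refresh, the refresh token's lifetime is sliding; if you need an absolute cap, keep the original IssuedUtc instead of resetting it. Immediate revocation of an access token that is already issued still requires a per-request backend check (the answer's first option) or a server-side token store; the refresh-token design only shortens the window.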
