THE SECURITY PS BLOG:
Observations and insights from the Security PS Team.

OAuth Resource Owner Password Credentials Grant Implementation in WebAPI 2

A few customers have been asking about the proper implementation of an OAuth server using Microsoft's WebAPI 2. I spent some time implementing one (to become knowledgeable about both OAuth and WebAPI) and struggled to find really good resources for using the OWIN OAuth 2.0 Authorization Server (and its middleware). I was able to piece together information from a variety of blogs, forum posts, and other sources, but I realized partway through that there was a need to publish additional information to help others. I have provided the source code for a Visual Studio 2013 Express project implementing the Resource Owner Password Credentials Grant, the Refresh Token Grant, and an endpoint for revoking access tokens.

Before you dig into the code, I want to stress that I'm not done! Because of project work and a period of vacation, I will not be able to continue working on it for a month or so. But, I wanted to provide what I had so far. Currently, the code is functional and the example requests and documentation on the Google code page (linked to at the bottom) work. It's ready to be used as a platform to learn on.

I am not a full-time developer; I just happen to like writing C# code. That means I may not have the prettiest or most efficient code. Also, this code may not be secure. I used it to learn with, and yes, I considered security requirements while developing it, but I haven't had the chance to review it for security vulnerabilities.

The Google Code Project Home page contains:
  • Request and response examples for each endpoint
  • A sequence diagram showing which methods are called on a particular provider
  • A list of the top blogs, videos, and other resources I used
  • A list of all the files I remember modifying when implementing the OAuth server
I hope the following resource helps others learn to write OAuth servers using WebAPI 2:
