Skip to content
This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Microsoft.Owin.Security.OAuth Version=3.0.0 Tokens support #1592

Closed
blowdart opened this issue Jan 4, 2018 · 4 comments
Closed

Microsoft.Owin.Security.OAuth Version=3.0.0 Tokens support #1592

blowdart opened this issue Jan 4, 2018 · 4 comments

Comments

@blowdart
Copy link
Member

blowdart commented Jan 4, 2018

From @horbel on January 4, 2018 9:56

Hi all. I have Authorization server which built on .NET 4.5.1 and use Microsoft.Owin.Security.OAuth Version=3.0.0
http://prntscr.com/hvwhl4
Tokens protected via machinkey (OAuthAuthorizationServerOptions.AccessTokenFormat is null). I also have few application-consumers(resource servers) on .NET 4.5.1 which validate these tokens via custom AuthorizeAttribute (System.Web.Http Version=5.2.3.0) http://prntscr.com/hvwwdu http://prntscr.com/hvwiwr . I also can read claims from token using this attribute. All these applications have the same machinkey in web.config

Now I try to build .net core 2.0 application and I need to use the same tokens from my Auth server(.net 4.5.1 owin 3.0.0). How can I validate and read claims from Microsoft.Owin.Security.OAuth(3.0.0) tokens in .net core 2.0?

Copied from original issue: aspnet/Identity#1553
@blowdart
Copy link
Member Author

blowdart commented Jan 4, 2018

From @horbel on January 4, 2018 17:14

I think I find a kind of solution. I use AspNet.Security.OAuth.Validation assembly: http://prntscr.com/hw1u5m

But I still don't find out how to use machine key to "decode" bearer token from my Auth server

@blowdart blowdart mentioned this issue Jan 4, 2018
Closed
@Eilon
Copy link
Member

Eilon commented Jan 11, 2018

Closing because there are no plans to support this. You can use a 3rd party token server such as Identity Server to issue tokens that work with both systems. Or, you can write custom code for ASP.NET Core to handle the OWIN/Katana-style tokens.

@Eilon Eilon closed this as completed Jan 11, 2018
@NetTecture
Copy link

As someone in a similar situation and workint for a customer that has to approove code changes with budgets: Thanks to tell me to fuck off because you don't care about compability. Now I have 2 choices: Write MORE code using Owin.SecurityOauth (and drop dotnet core for some time), or go through the whole nightmare of trying to get a budget to replace that part of the system. Not that I won't get it - ine likely 2-3 months, which means.... not using dotnetcore. WELL DONE.

There was a time, Microsoft cared about comptability. Obviously not anymore.

Seriously, there are many shops out there that followed past guidance and you just tell them to bugger off. You just broke compatibility.

@jake-brandt
Copy link

Dropping this here for anyone coming along this thread. Certainly not the only solution; but one of the more OEM ones:

https://long2know.com/2017/05/sharing-cookies-and-tokens-between-owin-and-net-core/

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Eilon @blowdart @NetTecture @jake-brandt