This repository has been archived by the owner. It is now read-only.

Port OAuth Authorization Server from Katana #83

Closed
tugberkugurlu opened this issue Oct 26, 2014 · 20 comments

10 participants
@tugberkugurlu
Member

commented Oct 26, 2014

I saw the discussion about this on #39. @Tratcher suggested to open up a new issue for this and here it is 😄

I personally want to see OAuthAuthorizationServerMiddleware ported here because of my selfish reasons 😄 as I used this inside a project which we consider porting over to vNext. I also see questions, feedback, etc. for OAuthAuthorizationServerMiddleware which indicates that it's being used.

However, I agree with @leastprivilege here. It should live inside its own world.

@PinpointTownes

Contributor

commented Oct 26, 2014

For reference, here's my opinion regarding this port: #39 (comment) 👍

@tugberkugurlu FYI, I just ported OpenIdConnectServerMiddleware - a fork of the Katana OAuth2 authorization server - to vNext: https://github.com/AspNet-OpenIdConnect-Server/Owin.Security.OpenIdConnect.Server/tree/vNext.

You can't target aspnetcore50 (mainly because the JWT stuff has not been ported yet: #40), but aspnet50 is fully supported and I've updated the MVC sample to use MVC 6. If you give it a try, please don't hesitate to share your feedback 😸

Edit: you can now find it on MyGet: https://www.myget.org/F/aspnet-openidconnect-server/

@Tratcher

Member

commented Nov 4, 2014

Here's some feedback that came up in an offline discussion with @leastprivilege:

  • One trouble with the existing implementation is that it tries to expose the entire OAuth spec. Only a few flows were easy to use and the others cause you to very quickly get lost.
  • Consider breaking the server down into separate middleware that implement very specific flows. This way a developer only sees and configures the parts they care about.

@PinpointTownes

Contributor

commented Nov 5, 2014

In my humble opinion, the low-level (and complete) approach offered by the OAuth2 server built in Katana is probably its greatest feature... you can do virtually anything in a few lines of code 😄
I personally feel far more comfortable with the unique IOAuthAuthorizationServerProvider interface than with the dozens of interfaces used by IdSrv.

Honestly, having 4 flows supported OTB (via GrantAuthorizationCode, GrantRefreshToken, GrantResourceOwnerCredentials and GrantClientCredentials) and 1 hook for custom flows (via GrantCustomExtension) is not what I'd call infernal 😄

I have the firm conviction that you shouldn't try to compete with IdSrv, they just don't serve the same purposes and the same targets.

@PinpointTownes

Contributor

commented Nov 15, 2014

FYI, @Tratcher said yesterday on #aspnetvnext that they were not "planning on [porting OAuthAuthorizationServerMiddleware]" and that they preferred "referring people to Thinktecture".

Not surprising but a bit sad 😭

@Tratcher

Member

commented Nov 15, 2014

We still need to do the due diligence to demonstrate that Thinktecture adequately fulfills the needed scenarios.

@Suchiman


commented Dec 7, 2014

It's very community driven to see about everyone preferring OAuthAuthorizationServerMiddleware but just ignoring it ;)

Let's see how many versions it takes until vNext is useable again apart from samples.

@cleftheris


commented May 13, 2015

@Tratcher IMHO IdentityServer v3 fills all the needed scenarios plus more. You can opt out of an advanced configuration if one is not needed. BUT there is no indication that the project has even started to port to an aspnet core compatible version. That said we need something to work with until this happens.

@PinpointTownes

Contributor

commented May 13, 2015

@cleftheris you should give AspNet.Security.OpenIdConnect.Server (https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server) a try, it now fully supports dnxcore50 😄

@cleftheris


commented May 13, 2015

@PinpointTownes I am already on this track. Having a bit of trouble managing all the dependency chaos of beta5* (Abstractions/interfaces stuff) plus the shortcomings of the EF7 current status. But will eventually make it work.

@leastprivilege

Contributor

commented May 13, 2015

No we haven't started porting to CoreClr - don't see the need for that right now. It runs fine in ASP.NET 5 DNX451 and Mono.

On related news - IdentityServer3 is as of today a fully certified OpenID Connect implementation. So it depends on where your priorities are.

http://openid.net/certification/

@alikor


commented May 13, 2015

DNX451 will not work on the Microsoft Nano Server or within a docker container or even run on a mac/linux box so I can see a very strong reason to port the application


@leastprivilege

Contributor

commented May 13, 2015

It runs fine on Mac/Linux using Mono.

But yeah - we will port at some point. That's not the question.

@Eilon added the enhancement label Jun 25, 2015

@Eilon added this to the 1.0.0 backlog milestone Jun 25, 2015

@eqbalsajadi


commented Jul 14, 2015

Hi guys,

How to login to ASP.NET 5 Web Api by WebClient class in a .NetFramework 2 Windows Forms?
I have already done that for ASP.NET 4.5 using this article http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
But don't know how to do it for ASP.NET 5. It seems Authorization Server is not supported by it.
Is there any alternative? In a nutshell, what is your solution to secure an ASP.NET 5 Web Api that is used by third party clients such as mobile or windows application?

Please help

@Xacron


commented Sep 21, 2015

For anyone still looking for the original OAuth Authorization Server in ASP.NET 5, I have ported the code and the original sample here:
https://github.com/XacronDevelopment/oauth-aspnet

The port includes backwards compatibility to allow ASP.NET 4.x resource servers to read the access tokens created by the authorization server.

The nuget packages are here:
https://www.nuget.org/packages/OAuth.AspNet.AuthServer
https://www.nuget.org/packages/OAuth.AspNet.Tokens
https://www.nuget.org/packages/OAuth.Owin.Tokens

@eqbalsajadi


commented Sep 21, 2015

Thank you.

@Xacron


commented Sep 21, 2015

I'm updating the source and packages now to remove explicit references to Microsoft.Framework.NotNullAttribute.Sources(Internal)

@Eilon modified the milestones: Backlog, 1.0.0 backlog Sep 24, 2015

@leastprivilege

Contributor

commented Dec 23, 2015

Since this issue gets referenced every time somebody asks about token issuance in ASP.NET 5 - here's a small walkthrough how to do it with identityserver:

http://leastprivilege.com/2015/07/22/the-state-of-security-in-asp-net-5-and-mvc-6-oauth-2-0-openid-connect-and-identityserver/

@Eilon

Member

commented May 11, 2017

Closing because there are no plans to do this specific feature.

@Eilon closed this May 11, 2017

@PinpointTownes

Contributor

commented May 11, 2017

@Eilon it's worth noting that community projects are now listed here: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/community (people looking for the same low level experience as with the OAuth2 authorization server middleware shipped with Katana should probably try ASOS).

@Eilon

Member

commented May 11, 2017

Ah, of course! I added a link to that doc from the readme as well: https://github.com/aspnet/Security/blob/dev/README.md
