I have a Web API application, and I've understood that in the OAuth standard security model for APIs, the authentication server becomes responsible for generating the authorization tokens that a user can send to our server to consume its services.
I'm new to this, and understand the roles involved:
- Resource owner
- Client
- Resource server
- Authorization server
But how is OAuth used in practice, not in theory? Is there a .NET library? Is it a service provided by a separate company? Can I configure it on my local development machine and see how it works?
How do I get started with OAuth to secure a Web API application?
OAuth is a protocol; the current version is OAuth 2.0. To answer your question more fully, this link lists several implementations of the protocol in various technologies. For use with .NET Web API, you're interested in DotNetOpenAuth, which provides implementations of both OAuth 1 and OAuth 2.
I'm using DotNetOpenAuth in an app I'm working on to secure a .NET Web API. I've got an OAuth2Handler that extends DelegatingHandler and is inserted into the Web API pipeline before incoming requests reach the controllers. The OAuth2Handler does the following:
- Instantiates a DotNetOpenAuth ResourceServer
- Calls ResourceServer.GetPrincipal(), which reads and decrypts the access token (issued elsewhere by an AuthorizationServer) and returns an OAuthPrincipal (in my case I'm reading additional data that the DotNetOpenAuth implementation allows you to pass, and creating a ClaimsPrincipal.)
- Assigns the IPrincipal containing the user information read from the access token to the User property of the thread and of the current HTTP context, so it is available from the ApiController.User property in the service controllers: HttpContext.User = Thread.CurrentPrincipal = principal;
Honestly, getting this working (e.g. setting up the authorization server, resource server, certificates, etc.) isn't trivial. Unfortunately there didn't seem to be a guide on the DotNetOpenAuth site. Here are a few other tasks you'll have ahead of you if you go this route:
- Implement IAuthorizationServer - an interface provided by DotNetOpenAuth that allows you to plug in to the library and use its implementation to issue OAuth2 access tokens. You'll also need to implement INonceStore and ICryptoKeyStore; I did this using an EntityFramework context for storage.
- Configure certificates - the AuthorizationServer and ResourceServer each use certificates to encrypt/decrypt the access token, ensuring it is accessible to each other. I built a custom configuration to manage this in the web.config files of the authorization server app and the Web API services (resource server).
- Manage the refresh token - when first requesting an access token from the authorization server you'll get (depending on configuration) both an OAuth2 refresh token and an access token. The services use the access token, which should be short-lived. The refresh token is used to get more access tokens. The refresh token should be kept secret (whatever that means in your scenario). For me it means the refresh token is never exposed to client-side JavaScript in the web app.
I hope this helps give you a high level idea of how to get started with OAuth and .NET Web API. Here's a blog post demonstrating some of these steps. This answer gives a few more high level details of the client side of the picture.
(The DotNetOpenAuth online docs appear to be down right now... sorry, no links to them; apparently this has happened before.)
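The handler this answer describes, written out as an added example that is not the answerer's code. It assumes the DotNetOpenAuth 4.x type and method names ResourceServer, StandardAccessTokenAnalyzer and ResourceServer.GetPrincipal(HttpRequestMessage, params string[] requiredScopes); the required scope name "api", the certificate parameters and the registration line are assumptions for illustration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OAuth2;

// Illustrative Web API message handler (added example, not the answerer's code).
// Assumes the DotNetOpenAuth 4.x API: ResourceServer, StandardAccessTokenAnalyzer and
// ResourceServer.GetPrincipal(HttpRequestMessage, params string[] requiredScopes).
public class OAuth2Handler : DelegatingHandler
{
    private readonly ResourceServer resourceServer;

    // Scope every token must carry to reach the controllers; the name "api" is an assumption.
    private const string RequiredScope = "api";

    public OAuth2Handler(X509Certificate2 authorizationServerSigningCert,
                         X509Certificate2 resourceServerEncryptionCert)
    {
        // The authorization server signs tokens with its private key, so the resource server
        // only needs its public key. Tokens are encrypted to the resource server's public key,
        // so decryption needs the resource server's private key.
        var signingPublicKey = (RSACryptoServiceProvider)authorizationServerSigningCert.PublicKey.Key;
        var encryptionPrivateKey = (RSACryptoServiceProvider)resourceServerEncryptionCert.PrivateKey;

        var analyzer = new StandardAccessTokenAnalyzer(signingPublicKey, encryptionPrivateKey);
        resourceServer = new ResourceServer(analyzer);
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        if (auth == null || !"Bearer".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase))
        {
            // No bearer token: leave the request anonymous and let [Authorize] on the
            // controllers reject it, keeping "no token" distinct from "bad token".
            return await base.SendAsync(request, cancellationToken);
        }

        IPrincipal principal;
        try
        {
            // Verifies the signature, decrypts the token, and checks expiry and required scopes.
            principal = resourceServer.GetPrincipal(request, RequiredScope);
        }
        catch (ProtocolException)
        {
            // Invalid, expired or wrong-scope token: answer per RFC 6750 with a bare
            // invalid_token challenge and never echo token contents back to the caller.
            var response = request.CreateResponse(HttpStatusCode.Unauthorized);
            response.Headers.WwwAuthenticate.Add(
                new AuthenticationHeaderValue("Bearer", "error=\"invalid_token\""));
            return response;
        }

        // Make the authenticated user visible through ApiController.User, as the answer describes.
        Thread.CurrentPrincipal = principal;
        if (HttpContext.Current != null)
        {
            HttpContext.Current.User = principal;
        }

        return await base.SendAsync(request, cancellationToken);
    }
}

// Registration in WebApiConfig.Register (assumed wiring; certificate lookup is left to the host):
// config.MessageHandlers.Add(new OAuth2Handler(authServerCert, resourceServerCert));
```

Two design points worth noting: the handler only sets the principal and never short-circuits a request on its own when no token is present, so authorization decisions stay with the [Authorize] attributes on the controllers; and on a failed token it returns a generic 401 challenge rather than the parsing error, so a caller cannot learn from the response which check rejected the token.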