ASP.NET Identity and client applications

Jan 28, 2014 at 4:14 PM
Edited Jan 28, 2014 at 4:15 PM
Hello ASP.NET Identity team,

I would like to ask if there will be an easy way to support using ASP.NET Identity authentication in client applications (like with Windows Phone 8 and Windows 8.1).

Currently, if I'm not mistaken, we can generate a 14-day access token that can be used to authenticate, but its lifetime can't be extended, which is not useful for applications that stay logged in and can be used every day for a long period of time.

Secondly - this way I can request just a token for a local account, but there seems to be no way to support external authentication flow (Facebook, Twitter) from within the app, other than embedding the website's login form in a WebBrowser control and using some JavaScript trickery to extract the token after the user logs in.

I may be (and probably even am) wrong, but would love to have some light on these issues before everything gets completely documented :-).

Thank you very much

Martin Zikmund
Feb 10, 2014 at 9:06 AM
Checking back after a while. Is there someone who knows the answers?

Thank you again

Martin Zikmund
Feb 11, 2014 at 3:32 PM
Hi Martin,

I'm also searching for answers on this - I'm completely new to ASP, and would love to get proper token authentication working.

I think what we're looking for is a way to renew expired tokens without requiring the user to supply their credentials again - this can be done by setting a provider for refresh tokens in the OAuthAuthorizationServerOptions. However, a provider for refresh tokens is not provided by default - you have to write your own. Here's a page I've found describing how one developer has accomplished this:

http://timney.net/oauth-resource-password-flow-refresh-token-with-web-api/

This post, however, describes how to create a refresh token provider along with a custom Authorization Server Provider. I'd like to accomplish the same while still using the default Authorization Server Provider, but it's yet unclear how exactly to accomplish this.

I believe the process involves creating a custom table store (or other store of some sort) for storing refresh tokens generated for each user, and querying that store for the matching token to generate a new authorization token when a renew request is made. These can be implemented via the Create and Receive methods provided by the IAuthenticationTokenProvider interface.

I've yet to actually try this - I'm not sure if this is correct. I'd appreciate it if someone more knowledgeable about the process could comment here!

I'll update you if I figure this out.

In the meantime, here's another post I found on the issue:
http://stackoverflow.com/questions/20637674/owin-security-how-to-implement-oauth2-refresh-tokens

Thanks,
Hayden
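
The refresh token provider outlined in the post above, as an added example that is not part of the thread and not ASP.NET Identity's own code. It implements the Create and Receive methods of `IAuthenticationTokenProvider`; the in-memory dictionary (a stand-in for the table store), the class name and the 30-day lifetime are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Infrastructure;

// Added example. The in-memory dictionary stands in for the per-user table store
// described in the post; the class name and the 30-day lifetime are assumptions.
public class StoredRefreshTokenProvider : IAuthenticationTokenProvider
{
    // Key: SHA-256 of the token handed to the client, so a leaked store does not
    // yield usable tokens. Value: expiry plus the protected, serialized ticket.
    private static readonly ConcurrentDictionary<string, Tuple<DateTimeOffset, string>> Store =
        new ConcurrentDictionary<string, Tuple<DateTimeOffset, string>>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromDays(30);

    public void Create(AuthenticationTokenCreateContext context)
    {
        var raw = new byte[32]; // 256 bits from the CSPRNG: unguessable token value
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(raw); }
        string token = Convert.ToBase64String(raw);

        DateTimeOffset expires = DateTimeOffset.UtcNow.Add(Lifetime);
        context.Ticket.Properties.IssuedUtc = DateTimeOffset.UtcNow;
        context.Ticket.Properties.ExpiresUtc = expires;

        Store[Hash(token)] = Tuple.Create(expires, context.SerializeTicket());
        context.SetToken(token); // returned to the client as refresh_token
    }

    public void Receive(AuthenticationTokenReceiveContext context)
    {
        Tuple<DateTimeOffset, string> entry;
        // TryRemove makes every refresh token single-use: a replayed token finds nothing.
        if (context.Token != null && Store.TryRemove(Hash(context.Token), out entry)
            && entry.Item1 > DateTimeOffset.UtcNow)
        {
            context.DeserializeTicket(entry.Item2); // sets context.Ticket
        }
        // No ticket set: the refresh request fails and the user must log in again.
    }

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    { Create(context); return Task.FromResult(0); }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    { Receive(context); return Task.FromResult(0); }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
        { return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token))); }
    }
}
```

An instance is wired in through the `RefreshTokenProvider` property of `OAuthAuthorizationServerOptions`. A real store would also key entries by user so that all of a user's refresh tokens can be revoked on password change or sign-out.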