
Difference between the current token in abp and OAuth token. #5389


tteoh created

Hi, I'm using MVC5AJ1.

Now, I'm referencing two articles: http://www.cnblogs.com/sheng-jie/p/6755187.html#autoid-3-2-0 and http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/. I'm trying to apply OAuth in ABP and use it to receive a token, and I'm wondering why the way of receiving the current token in ABP and the way of receiving an OAuth token are different. I have also made a comparison between the current token in ABP and the OAuth token, as shown in the image below.

(attachment: Capture.PNG)

  1. Why doesn't ABP have to implement SimpleAuthorizationServerProvider, while OAuth does implement it?
  2. Why are the returned results of ABP and OAuth different?

(attachment: Capture.PNG)

  3. I'm wondering what the Protect method does?

     return new AjaxResponse(OAuthBearerOptions.AccessTokenFormat.Protect(ticket));

  4. Can OAuth be implemented in ABP and work with the existing permission settings in ABP?

Thanks.


21 Answer(s)
  • ismcagdas created
    Support Team

    Hi,

    1. The example you show uses Token Based Auth, not OAuth.
    2. ABP wraps the result, but since Token Based Auth and OAuth are different, having different results is normal.
    3. It is OWIN's code, but as far as I can check, it encrypts and encodes the token.
    4. If you want AspNet Zero to act as an OAuth server, you can try to integrate Identity Server into your application.
  • tteoh created

    Hi,

    With reference to both answers 1 and 2, my understanding is that AspNetZero is just using OWIN to generate an access token, but it's not an OAuth token implementation.

    Could you point me to some articles on token based authorization, because Google tends to return OAuth. That's why I compiled the table to see the difference.

    My ultimate goal is to extend the current token authentication with a "Refresh token" so that the mobile app does not need to sign in again. It doesn't necessarily have to be OAuth.

    Appreciate your advice.

    Thanks.

  • tteoh created

    Dear Support,

    Urgently, I would appreciate your advice as this will impact a project that we will be undertaking.

    I have checked the standard ASP.NET Web API with individual accounts (membership), which differs from the way the token is generated by aspnetzero.

    Appreciate your inputs on why aspnetzero has a different implementation when it comes to token generation.

    As mentioned earlier, the goal is to implement a Refresh Token mechanism for the existing aspnetzero /Authenticate endpoint.

    Thanks.

  • ismcagdas created
    Support Team

    @tteoh we are also working on implementing refresh token in AspNet Zero. We don't know how to do it yet. If we can complete it, we can share the results.

    You can use the DontWrapResult attribute if you don't want ABP to wrap your result. You can even create a second Action for this, because using the DontWrapResult attribute in the original Action might break your web app.

  • alper created
    Support Team

    Hi @tteoh

    There's a token refresh procedure in the Xamarin application with the current authentication mechanism. See the code that auto-refreshes before the token expires: https://github.com/aspnetzero/aspnet-zero-core/blob/af4213c936be456c8473234fabba7946e770d783/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Application.Client/ApiClient/AccessTokenManager.cs#L89

  • tteoh created

    @ismcagdas We managed to implement the OAuth token based on the articles mentioned in the original message. My concern was whether the OAuth token behaves the same way as the ASPNetZero token when calling a Web API / Dynamic Web API that is authorized in ASPNetZero. Based on our testing using Postman, both tokens give the same test result.

    Glad you are considering Refresh Token for ASPNetZero, and I presume it is not ASPNetZero Core. You might want to check out this article: http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/. We are attempting to implement this pattern.

    Wouldn't you consider applying the Refresh Token of ASPNetZero Core with Xamarin to ASPNetZero?

    Thanks. /Tommy

  • aaron created
    Support Team

    tteoh: Glad you are considering Refresh Token for ASPNetZero and i presume is not ASPNetZero Core.

    As stated in Version Differences:

    new major features will be implemented for ASP.NET Core version (.NET Core & full .NET Framework).

  • alper created
    Support Team

    Hi,

    How will you implement two-factor authentication with OAuth token-based authentication?

  • tteoh created

    aaron:

    tteoh: Glad you are considering Refresh Token for ASPNetZero and i presume is not ASPNetZero Core.

    As stated in Version Differences:

    new major features will be implemented for ASP.NET Core version (.NET Core & full .NET Framework).

    @aaron, thanks for providing the link on the version differences. It certainly helps to understand the differences between .NET Core and non-Core.

    Thanks. /Tommy

  • tteoh created

    alper: Hi,

    How will you implement the 2 factor authentication with OAuth Token based ?

    @alper For now, there is no 2-Factor requirement, and we do not foresee one in the future either. Our focus is mainly on "Refresh Token", to further enhance the existing MVC5AJ1 Token-based Authentication so that the Mobile Client is NOT provided with a long-lived Access Token, but a short-lived one with a Refresh Token. From my research, this is quite a standard practice; however, it's missing from ASPNet Zero at this moment.

    There is still one thing that puzzles me until now despite the explanation given so far. What's the difference between the Access Token generated from ASPNet Zero using "OAuthBearerOptions.AccessTokenFormat.Protect(ticket)" and the one that's being generated based on OAuth that implements an Authentication Provider ("OAuthAuthorizationServerProvider") that uses "GrantResourceOwnerCredentials"?

    Especially, how do these two tokens affect the Roles and Permissions set in ASPNet Zero?

    We successfully implemented the OAuth token. Using Postman, we tested the Roles/Permissions assigned to the same user based on the endpoints:

    1. ../api/Account/Authenticate
    2. ../token

    Both seem to behave the same way based on simple test cases. We will be very grateful if you have anything additional to share.

    We have to continue on with "Refresh Token", which is straining the progress right now.

    Thanks. /Tommy
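The pattern tteoh is describing above (an OWIN OAuthAuthorizationServerProvider with GrantResourceOwnerCredentials, plus a refresh token so the mobile client only ever holds a short-lived access token) as an added example. This is not AspNet Zero's code, nor the code from the articles tteoh cites; it is written against the public Katana API (Microsoft.Owin.Security.OAuth, Microsoft.Owin.Security.Infrastructure). IPasswordVerifier, RefreshTokenStore, the "as:client_id" property key and the "mobile-app" client id are assumptions made for the example.

```csharp
// Added example (not AspNet Zero's or the cited articles' code): OWIN/Katana OAuth
// server with the resource-owner-password grant and a single-use, server-tracked
// refresh token. Assumes Katana 3.x. IPasswordVerifier and RefreshTokenStore are
// hypothetical helpers defined here; a real app would back them with UserManager
// and a database table.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;

// Hypothetical: wraps UserManager.FindAsync(userName, password) in a real app.
public interface IPasswordVerifier
{
    Task<string> VerifyAsync(string userName, string password); // user id, or null on failure
}

public class RefreshTokenRecord
{
    public string ClientId;
    public DateTime ExpiresUtc;
    public string ProtectedTicket; // ticket encrypted by the server's data protector
}

// In-memory stand-in for a table. Keyed by SHA-256 of the token, so a leaked
// store does not hand out usable refresh tokens.
public static class RefreshTokenStore
{
    public const string ClientIdKey = "as:client_id"; // assumed property name
    private static readonly ConcurrentDictionary<string, RefreshTokenRecord> Records =
        new ConcurrentDictionary<string, RefreshTokenRecord>();

    public static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
    public static void Save(string hash, RefreshTokenRecord record) { Records[hash] = record; }
    public static RefreshTokenRecord TakeOnce(string hash) // removed on read: one use only
    {
        RefreshTokenRecord record;
        return Records.TryRemove(hash, out record) ? record : null;
    }
}

public class ResourceOwnerProvider : OAuthAuthorizationServerProvider
{
    private readonly IPasswordVerifier _verifier;
    public ResourceOwnerProvider(IPasswordVerifier verifier) { _verifier = verifier; }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            context.TryGetFormCredentials(out clientId, out clientSecret);
        // A mobile app is a public client and cannot keep a secret, but the id is still
        // checked against a known list so tokens can be bound to it ("mobile-app" is constructed).
        if (clientId == "mobile-app") context.Validated(clientId);
        else context.SetError("invalid_client");
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userId = await _verifier.VerifyAsync(context.UserName, context.Password);
        if (userId == null)
        {   // one generic message for unknown user and wrong password alike
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        var props = new AuthenticationProperties(
            new Dictionary<string, string> { { RefreshTokenStore.ClientIdKey, context.ClientId } });
        context.Validated(new AuthenticationTicket(identity, props));
    }

    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        // A refresh token is only honoured for the client it was issued to.
        if (context.Ticket.Properties.Dictionary[RefreshTokenStore.ClientIdKey] != context.ClientId)
        {
            context.SetError("invalid_client", "Refresh token was issued to a different client.");
            return Task.FromResult<object>(null);
        }
        var newIdentity = new ClaimsIdentity(context.Ticket.Identity); // reload claims here if roles change
        context.Validated(new AuthenticationTicket(newIdentity, context.Ticket.Properties));
        return Task.FromResult<object>(null);
    }
}

public class SingleUseRefreshTokenProvider : IAuthenticationTokenProvider
{
    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var refreshToken = Convert.ToBase64String(bytes); // 256-bit random, unguessable
        // The refresh token gets its own, longer lifetime than the access token.
        context.Ticket.Properties.IssuedUtc = DateTimeOffset.UtcNow;
        context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(14);
        RefreshTokenStore.Save(RefreshTokenStore.Hash(refreshToken), new RefreshTokenRecord
        {
            ClientId = context.Ticket.Properties.Dictionary[RefreshTokenStore.ClientIdKey],
            ExpiresUtc = context.Ticket.Properties.ExpiresUtc.Value.UtcDateTime,
            ProtectedTicket = context.SerializeTicket()
        });
        context.SetToken(refreshToken); // this is what the client receives as refresh_token
        return Task.FromResult<object>(null);
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        var record = RefreshTokenStore.TakeOnce(RefreshTokenStore.Hash(context.Token));
        if (record != null && record.ExpiresUtc > DateTime.UtcNow)
            context.DeserializeTicket(record.ProtectedTicket); // no ticket set => grant refused
        return Task.FromResult<object>(null);
    }
    public void Create(AuthenticationTokenCreateContext context) { CreateAsync(context).Wait(); }
    public void Receive(AuthenticationTokenReceiveContext context) { ReceiveAsync(context).Wait(); }
}
```

Wiring it up in Startup.Configuration means an OAuthAuthorizationServerOptions with TokenEndpointPath set to "/token", Provider set to ResourceOwnerProvider, RefreshTokenProvider set to SingleUseRefreshTokenProvider and a short AccessTokenExpireTimeSpan (minutes, not days), passed to app.UseOAuthAuthorizationServer, followed by app.UseOAuthBearerAuthentication so the API validates the resulting bearer tokens; AllowInsecureHttp stays false outside local development. The two design points worth keeping whatever storage you use: the raw refresh token is never stored (only its hash), and a refresh token is deleted the moment it is presented, so a replayed token fails and the second presentation is a signal worth logging.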

  • alper created
    Support Team

    Hi,

    If you have replaced AspNet Zero's own token mechanism with standard OAuth, then it's OK. The main reason AspNet Zero has its own token system is 2FA. If you don't need it, then you can go with OAuth.

    By the way,

    OAuthBearerOptions.AccessTokenFormat.Protect(ticket)

    encrypts the ticket, and it's Microsoft code: https://github.com/aspnet/AspNetKatana/blob/9f6e09af6bf203744feb5347121fe25f6eec06d8/src/Microsoft.Owin.Security/DataProtection/IDataProtector.cs

  • tteoh created

    @alper Based on the aspnetzero documentation, it only mentions token-based authentication. Could you please elaborate on how 2FA comes into play in this particular use case?

    Do you mean that if I enable 2FA for web login, it will also be activated for token-based login?

    Thanks for the confirmation on OAuth token replacing aspnetzero token.

    Thanks, /tommy

  • tteoh created

    tteoh: @alper based on aspnetzero documentation, it only mentions token-based authentication. Could you pls elaborate how 2FA comes into play on this particular use case?

    Do you mean that if I enable 2FA for web login, it will also be activated for token-based login?

    Thanks for the confirmation on OAuth token replacing aspnetzero token.

    Thanks, /tommy

    @alper Could you please clarify the relation between 2FA and token based authentication in the current aspnetzero behavior?

    Thanks. /tommy

  • ismcagdas created
    Support Team

    Hi @tteoh,

    Authentication terminology is confusing most of the time. I suggest you read about it on the web.

    Basically, AspNet Zero's Angular application uses token based auth. You can also enable 2FA in AspNet Zero. You can check 2FA in this document: https://aspnetzero.com/Documents/Development-Guide-Angular#two-factor-login.

    But don't forget that AspNet Zero doesn't use OAuth internally.

  • tteoh created

    @ismcagdas Thank you for the responses. Fully noted that aspnetzero does not use an OAuth token.

    For 2FA in aspnetzero, I presume the implementation only works for web login. Enabling it has no effect on token based login. Right?

    Thanks /tommy

  • ismcagdas created
    Support Team

    Hi,

    Actually, 2FA is implemented in Token auth as well, see https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Controllers/TokenAuthController.cs#L136.

    You can check the Angular app to see how it works. If a 2FA token is required, the API returns RequiresTwoFactorVerification = true. Then, the user needs to pass TwoFactorVerificationCode (https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Models/TokenAuth/AuthenticateModel.cs#L18) to TokenAuthController's Authenticate action again.
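The two-call flow ismcagdas describes (password first; if the user has 2FA enabled the API answers RequiresTwoFactorVerification = true and no token; the client then calls Authenticate again with TwoFactorVerificationCode) as an added example for the MVC5 / Web API 2 stack this thread is about. It is not AspNet Zero's TokenAuthController; it is written against ASP.NET Identity 2.x's UserManager and issues the token with AccessTokenFormat.Protect(ticket) exactly as the snippet in the opening post does. AuthenticateModel and AuthenticateResultModel are hypothetical DTOs defined in the block, the "Email" two-factor provider name is assumed to be registered on the UserManager, and the 30-minute lifetime is a constructed value.

```csharp
// Added example, not AspNet Zero's code: a Web API 2 Authenticate action that adds a
// second factor to token login. Assumes ASP.NET Identity 2.x (UserManager<IdentityUser>)
// and an OAuthBearerAuthenticationOptions instance injected from Startup, as in the
// MVC5 template discussed in the thread. DTOs and the provider name are assumptions.
using System;
using System.Net;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

public class AuthenticateModel          // hypothetical DTO
{
    public string UserNameOrEmailAddress { get; set; }
    public string Password { get; set; }
    public string TwoFactorVerificationCode { get; set; } // empty on the first call
}

public class AuthenticateResultModel    // hypothetical DTO
{
    public string AccessToken { get; set; }
    public int ExpireInSeconds { get; set; }
    public bool RequiresTwoFactorVerification { get; set; }
}

public class TokenAuthController : ApiController
{
    // Assumed: registered via UserManager.RegisterTwoFactorProvider("Email", ...) at startup.
    private const string TwoFactorProvider = "Email";
    private readonly UserManager<IdentityUser> _userManager;
    private readonly OAuthBearerAuthenticationOptions _bearerOptions;

    public TokenAuthController(UserManager<IdentityUser> userManager,
                               OAuthBearerAuthenticationOptions bearerOptions)
    {
        _userManager = userManager;
        _bearerOptions = bearerOptions;
    }

    [HttpPost]
    public async Task<AuthenticateResultModel> Authenticate(AuthenticateModel model)
    {
        // Step 1: first factor. Unknown user and wrong password get the same 401.
        var user = await _userManager.FindAsync(model.UserNameOrEmailAddress, model.Password);
        if (user == null) throw new HttpResponseException(HttpStatusCode.Unauthorized);

        // Step 2: second factor, only for users who have it enabled. No token is issued
        // before this step passes, so a stolen password alone never yields a bearer token.
        if (await _userManager.GetTwoFactorEnabledAsync(user.Id))
        {
            if (string.IsNullOrEmpty(model.TwoFactorVerificationCode))
            {
                // First call: generate and deliver the code, tell the client to come back with it.
                var code = await _userManager.GenerateTwoFactorTokenAsync(user.Id, TwoFactorProvider);
                await _userManager.NotifyTwoFactorTokenAsync(user.Id, TwoFactorProvider, code);
                return new AuthenticateResultModel { RequiresTwoFactorVerification = true };
            }
            // Second call: the Identity provider validates the code against its own time window.
            var valid = await _userManager.VerifyTwoFactorTokenAsync(
                user.Id, TwoFactorProvider, model.TwoFactorVerificationCode);
            if (!valid) throw new HttpResponseException(HttpStatusCode.Unauthorized);
        }

        // Step 3: both factors passed. Build the ticket and Protect it, i.e. encrypt and
        // encode it with the server's data protector, as the template's snippet does.
        var identity = await _userManager.CreateIdentityAsync(user, _bearerOptions.AuthenticationType);
        var props = new AuthenticationProperties
        {
            IssuedUtc = DateTimeOffset.UtcNow,
            ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(30) // short-lived; pair with a refresh token on mobile
        };
        var ticket = new AuthenticationTicket(identity, props);
        return new AuthenticateResultModel
        {
            AccessToken = _bearerOptions.AccessTokenFormat.Protect(ticket),
            ExpireInSeconds = (int)props.ExpiresUtc.Value.Subtract(DateTimeOffset.UtcNow).TotalSeconds
        };
    }
}
```

The order of the checks is the point: the second-factor code is only generated after the password has been verified, and the access token only after the code has been verified, so the intermediate RequiresTwoFactorVerification = true response carries no credential the client could reuse. The code's length and validity window come from the Identity token provider rather than this controller, which is where the 6 digits and 3 minutes tteoh mentions later in the thread originate; if a different expiry is needed, that is the component to replace rather than the controller.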

  • tteoh created

    ismcagdas: Hi,

    Actually 2FA is implemented in Token auth as well, see https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Controllers/TokenAuthController.cs#L136.

    You can check angular app to see how it works. If a 2FA token is required, API returns RequiresTwoFactorVerification = true. Then, user need to pass TwoFactorVerificationCode (https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Models/TokenAuth/AuthenticateModel.cs#L18) to TokenAuthController's Authenticate action again.

    @ismcagdas The link you provided for the implementation is for the aspnetzero Core template, but in our case we are using the non-Core template.

    We ended up having to implement 2FA by leveraging the libraries provided by the Identity Framework. We took the 2FA for the web login as a reference and reimplemented UserDeviceManager and MobileSignInManager under the WebApi project.

    Thanks. /tommy

  • tteoh created

    alper: Hi,

    How will you implement the 2 factor authentication with OAuth Token based ?

    @alper I need to retract my previous comment that 2FA was not needed. We ended up having to implement 2FA, adopting the approach implemented in ANZ (non-Core) under the WebApi project.

    Just something that we discovered: the 2FA token length is hard-coded to 6 digits and the expiry time to 3 mins.

    We had to build a custom table to handle expiration.

    We also realized the existing code references 2FA cookies. Should we be concerned about this?

    Thanks /tommy

  • ismcagdas created
    Support Team

    Hi,

    tteoh: We also realized the existing codes reference to 2FA cookies. Shall we be concerned about this?

    Why do you think this could create a problem? I can't think of a problem.

  • tteoh created

    ismcagdas: Hi,

    We also realized the existing codes reference to 2FA cookies. Shall we be concerned about this?

    Why do you think this could create a problem ? I can't think of a problem.

    @ismcagdas We took the 2FA for the web client and made it work with the mobile client. Cookies are only used by the web browser, from my understanding. Perhaps I understood this wrongly.

    Through this conversation, I'm glad to know 2FA is supported for mobile in the aspnetzero Core template.

    We didn't use the aspnetzero Core template that already ships with Xamarin due to the learning curve of .NET Core and Angular, the new development approach. Hope we are able to make the transition next year.

    Thanks. /tommy

  • ismcagdas created
    Support Team

    Thanks :)