23

Do you have any idea how I can use an access_token generated by the default ASP.NET Web API 2 OAuth 2 authorization mechanism in the URL parameters? Currently I am able to authorize successfully by sending a request with an Authorization header like this:

Accept: application/json
Content-Type: application/json
Authorization: Bearer pADKsjwMv927u...

What I want is to enable the authorization through URL parameter like this:

https://www.domain.com/api/MyController?access_token=pADKsjwMv927u...

3 Answers

24

Well - I agree that the header is a much better alternative - but there are of course situations where the query string is needed. The OAuth2 spec defines it as well.

Anyways - this feature is built into the Katana OAuth2 middleware:

http://leastprivilege.com/2013/10/31/retrieving-bearer-tokens-from-alternative-locations-in-katanaowin/

using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Reads the bearer token from a named query-string parameter instead of the
// Authorization header; the middleware validates whatever ends up in context.Token.
public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider
{
    readonly string _name;

    public QueryStringOAuthBearerProvider(string name)
    {
        _name = name;
    }

    public override Task RequestToken(OAuthRequestTokenContext context)
    {
        var value = context.Request.Query.Get(_name);

        if (!string.IsNullOrEmpty(value))
        {
            context.Token = value;
        }

        return Task.FromResult<object>(null);
    }
}

And then:

var options = new JwtBearerAuthenticationOptions
{
    AllowedAudiences = new[] { audience },
    IssuerSecurityTokenProviders = new[]
        {
            new SymmetricKeyIssuerSecurityTokenProvider(
                issuer,
                signingKey)
        },
    // Look for the token in the "access_token" query parameter
    Provider = new QueryStringOAuthBearerProvider("access_token")
};

1 Comment

Nice, much better. Can you please copy and paste the relevant code from the blog post you mentioned so I can mark your response as answer. 10x
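A variation on the Katana provider above, added here as an example that is not the answer's or the linked blog post's code: the Katana bearer handler uses whatever `RequestToken` puts into `context.Token` in preference to the Authorization header, so a provider that always reads the query string lets a `?access_token=` value override a header that the client also sent. This version only falls back to the query string when no Authorization header is present. Class and parameter names, and the `Startup` wiring with `OAuthBearerAuthenticationOptions`, are assumptions for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Added example (not the answer's or the blog post's code); names are hypothetical.
public class FallbackQueryStringBearerProvider : OAuthBearerAuthenticationProvider
{
    readonly string _parameterName;

    public FallbackQueryStringBearerProvider(string parameterName)
    {
        _parameterName = parameterName;
    }

    public override Task RequestToken(OAuthRequestTokenContext context)
    {
        // Prefer the Authorization header: when context.Token stays null the
        // middleware parses "Bearer <token>" from the header itself. Only use
        // the query string when the header is absent, so a header can never be
        // silently overridden by a token smuggled in the URL.
        var header = context.Request.Headers.Get("Authorization");
        if (string.IsNullOrEmpty(header))
        {
            var value = context.Request.Query.Get(_parameterName);
            if (!string.IsNullOrEmpty(value))
            {
                context.Token = value;
            }
        }

        return Task.FromResult<object>(null);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Plain bearer middleware; swap in JwtBearerAuthenticationOptions as in
        // the answer above if the tokens are JWTs with a known issuer and audience.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new FallbackQueryStringBearerProvider("access_token")
        });
    }
}
```

With this provider a request carrying both a header and a query parameter is authenticated from the header only, which is the behaviour you want when the query-string path exists purely for clients that cannot set headers.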
11

So, go to Global.asax and add this method:

// Runs before Web API sees the request: if no Authorization header was sent,
// promote an access_token parameter into a Bearer header.
void Application_BeginRequest(object sender, EventArgs e)
{
    if (ReferenceEquals(null, HttpContext.Current.Request.Headers["Authorization"]))
    {
        var token = HttpContext.Current.Request.Params["access_token"];
        if (!String.IsNullOrEmpty(token))
        {
            HttpContext.Current.Request.Headers.Add("Authorization", "Bearer " + token);
        }
    }
}

UPDATE: Check out @leastprivilege answer. Much better solution.


0

This is a terrible idea because the token is not protected in the query string. It is encrypted in the header with SSL.

4 Comments

Actually, query string parameters are protected under SSL. stackoverflow.com/questions/323200/…
Yes, and github api also supports authentication using this method => developer.github.com/v3/#authentication
I wonder how such a wrong answer can be accepted. Apparently the person that posted this doesn't quite understand how HTTP and SSL work. The token is as much protected in the query string as it is in the HTTP headers. This being said, in general it is better to use the HTTP headers for sending sensitive information instead of query strings to avoid it being logged by web servers.
You are right Darine, I do not understand how this works. But you are also wrong because as you can see @leastprivilege will be marked as answer... anyway.
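The comments above settle the transport question (TLS protects the query string as much as the headers) and raise the real exposure: a token in the URL is written to web-server and proxy access logs, browser history and, depending on the page, outbound Referer headers. The following OWIN middleware, added here as an example and not code from anyone in this thread, masks the `access_token` value before a request line is logged. The class name, the `Action<string>` logging sink and the `Startup` registration are assumptions for illustration; register it ahead of the bearer middleware so every request is logged in redacted form.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Added example (not from the thread); names are hypothetical.
public class TokenRedactingLogger : OwinMiddleware
{
    // Matches the value of an access_token query parameter, case-insensitively,
    // stopping at the next parameter separator or fragment marker.
    static readonly Regex AccessTokenParam =
        new Regex(@"(access_token=)[^&#]*", RegexOptions.IgnoreCase);

    readonly Action<string> _log;

    public TokenRedactingLogger(OwinMiddleware next, Action<string> log) : base(next)
    {
        _log = log;
    }

    // Replaces the token value with a fixed marker so the URL is safe to log.
    public static string Redact(string pathAndQuery)
    {
        return AccessTokenParam.Replace(pathAndQuery, "$1[REDACTED]");
    }

    public override async Task Invoke(IOwinContext context)
    {
        _log(context.Request.Method + " " + Redact(context.Request.Uri.PathAndQuery));
        await Next.Invoke(context);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // First in the pipeline, so the redacted line is written for every
        // request before authentication (app.UseOAuthBearerAuthentication, etc.)
        // runs further down.
        app.Use<TokenRedactingLogger>((Action<string>)Console.WriteLine);
    }
}
```

This only covers your own application's log; IIS and any reverse proxy in front of it keep their own access logs with the full request line, so those need their own redaction or the query-string path should be limited to clients that genuinely cannot send a header.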
