OAuth on ASP.net MVC Projects
Thursday, February 19, 2009 at 4:32AM
Let me introduce you to a little friend called [OAuth](http://www.oauth.net). OAuth is an open authentication framework designed for use by web service providers, allowing you to give applications access without giving them access to user credentials.
I've been working on an [OAuth library](http://github.com/buildmaster/oauth-mvc.net/tree/master) to turn an ASP.net MVC site into an OAuth Provider (a service that can accept incoming requests from OAuth Consumer applications).
So far it consists of the following:
[OAuthController](http://github.com/buildmaster/oauth-mvc.net/blob/90176cbd3e1f8ccb7893328812b91e28064763d7/Core/OAuth.MVC.Library/Controllers/OAuthController.cs) = has endpoints for RequestToken and AccessToken HTTP requests.
[OAuthSecuredAttribute](http://github.com/buildmaster/oauth-mvc.net/blob/90176cbd3e1f8ccb7893328812b91e28064763d7/Core/OAuth.MVC.Library/Filters/OAuthSecuredAttribute.cs) = is an action filter that stops access to an action if the requester isn't authenticated via OAuth.
[OAuthService](http://github.com/buildmaster/oauth-mvc.net/blob/90176cbd3e1f8ccb7893328812b91e28064763d7/Core/OAuth.MVC.Library/OAuthService.cs) = has intermediary services for the attribute and controller for:
* Building an OAuth request (Access, Access Token and Request Token Requests)
* Generating Request Tokens
* Generating Access Tokens
* Getting a saved Request Token
* Authorising a Request Token
[OAuthRequest](http://github.com/buildmaster/oauth-mvc.net/blob/90176cbd3e1f8ccb7893328812b91e28064763d7/Core/OAuth.MVC.Library/OAuthRequest.cs) = is a state wrapper to quickly examine if the current OAuth Request is valid
You are left to your own devices to implement the following:
[IAccessToken](http://github.com/buildmaster/oauth-mvc.net/blob/90176cbd3e1f8ccb7893328812b91e28064763d7/Core/OAuth.MVC.Library/Interfaces/IAccessToken.cs)
[IRequestToken](http://github.com/buildmaster/oauth-mvc.net/blob/90176cbd3e1f8ccb7893328812b91e28064763d7/Core/OAuth.MVC.Library/Interfaces/IRequestToken.cs) = token objects that need to be saved; each has a token string and a secret string, plus some other elements
[IConsumer](http://github.com/buildmaster/oauth-mvc.net/blob/90176cbd3e1f8ccb7893328812b91e28064763d7/Core/OAuth.MVC.Library/Interfaces/IConsumer.cs) = contracts for consumers of your service; should be able to return a secret key, a TimeStamp of the last request the consumer made (an integer, see the OAuth Specs) and a list of valid request/access tokens, save a nonce for the current TimeStamp value, and determine whether a nonce is valid (hasn't been used with the current TimeStamp)
[ITokenGenerator](http://github.com/buildmaster/oauth-mvc.net/blob/90176cbd3e1f8ccb7893328812b91e28064763d7/Core/OAuth.MVC.Library/Interfaces/ITokenGenerator.cs) = generate new request and access tokens, setting the secret and token strings
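The timestamp and nonce rules that an IConsumer implementation has to enforce can be sketched as follows. This is an added example, not code from oauth-mvc.net: `ConsumerReplayGuard` and `TryAccept` are hypothetical names that do not reproduce the library's actual IConsumer members, and the store is in memory only.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper for illustration; not the library's IConsumer contract.
public sealed class ConsumerReplayGuard
{
    private readonly object _gate = new object();
    private readonly HashSet<string> _nonces = new HashSet<string>(StringComparer.Ordinal);
    private long _lastTimestamp; // seconds since the Unix epoch, 0 = no request yet

    // Returns true and records the pair when the request is fresh; returns
    // false for a reused nonce or a timestamp older than the last accepted one.
    public bool TryAccept(long timestamp, string nonce)
    {
        if (timestamp <= 0 || string.IsNullOrEmpty(nonce)) return false;

        lock (_gate) // validate and save as one atomic step
        {
            if (timestamp < _lastTimestamp) return false;

            if (timestamp > _lastTimestamp)
            {
                // Nonces only need to be unique per timestamp, so the old set
                // can go: anything replayed from it now fails the check above.
                _nonces.Clear();
                _lastTimestamp = timestamp;
            }
            return _nonces.Add(nonce); // false when already seen
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var guard = new ConsumerReplayGuard();
        // Constructed sample values: (oauth_timestamp, oauth_nonce, label).
        var requests = new[]
        {
            Tuple.Create(1235017920L, "a1b2c3", "first request"),
            Tuple.Create(1235017920L, "d4e5f6", "same second, new nonce"),
            Tuple.Create(1235017920L, "a1b2c3", "replayed nonce"),
            Tuple.Create(1235017800L, "g7h8i9", "stale timestamp"),
            Tuple.Create(1235017921L, "a1b2c3", "later timestamp, nonce reusable"),
        };
        foreach (var r in requests)
            Console.WriteLine("{0}: {1}", r.Item3, guard.TryAccept(r.Item1, r.Item2) ? "accepted" : "rejected");
    }
}
```

Call the check only after the request's signature has verified; otherwise an unsigned request carrying a large timestamp would advance the stored value and cause the real consumer's later requests to be rejected.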
I've used the [OAuthBase](http://oauth.googlecode.com/svn/code/csharp/OAuthBase.cs) class available in the [OAuth sample code](http://oauth.googlecode.com/).
There's a sample project so people can see how it should be used.
So head over to the project and check it out. [oauth-mvc.net](http://github.com/buildmaster/oauth-mvc.net/tree/master)
PS. I'm not saying that MVC is the best way to build services, just that it's the framework I needed to use. [Alex Henderson](http://blog.bittercoder.com/) has done some work on using OAuth with WCF projects.
Owen Evans
Reader Comments (7)
Do you know if there is a library somewhere for ASP.NET MVC to consume such providers?
So you want to get an asp.net mvc site to connect to an API that is secured
by OAuth? Currently no there isn't such a thing, I would suggest getting
hold of my project and looking at the OAuthBase and how it's used, the
signing is the same on both ends (the server re-enacts the signing process
and then checks that the signatures are equal) that should give you
somewhere to start.
I'm going to write a couple of test client libraries but they're a week or
more away.
O
Do you know about the dotnetopenid library?
http://blog.nerdbank.net/2009/02/dotnetopenid-v30-beta-1-released.html
I do, but only just realised that it supports OAuth. I'd actually only just recently come across it to run with openid. I'll take a bigger look at it.
Cheers
Owen
[...] OAuth on ASP.net MVC Projects - Owen Evans shares his work on implementing OAuth authentication on ASP.NET MVC [...]
Different point of view from that post. Interesting to say the least.