OAuth shared Authorization server for multiple apps

Tags: asp.net, oauth2

At my shop we have a couple of .NET Web APIs that use OAuth tokens for authentication. Currently, each web API is both authorization and resource server. Users authenticate to all of these APIs using the same credential, but they currently need to authenticate to each API independently.

I am interested in creating a shared authorization server (a la http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/), but I'm getting hung up on claims transformation. It is highly useful to us to be able to add custom claims (specific to the application) to the token that gets issued, along the lines of the following example:

using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        /* validate credentials here... */

        // "JWT" must match the authentication type the custom token format expects.
        var identity = new ClaimsIdentity("JWT");

        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim("sub", context.UserName));
        identity.AddClaim(new Claim(ClaimTypes.Role, "Manager"));
        identity.AddClaim(new Claim(ClaimTypes.Role, "Supervisor"));

        // The "audience" property is read by the JWT formatter to fill the token's "aud" claim.
        var props = new AuthenticationProperties(new Dictionary<string, string>
            {
                { "audience", context.ClientId ?? string.Empty }
            });

        var ticket = new AuthenticationTicket(identity, props);
        context.Validated(ticket);
        return Task.FromResult<object>(null);
    }
}

From what I can see, if I create a common Authorization server, all claims transformation needs to happen there. Does this mean that the resource servers (our different Web APIs) can't add any custom claims to the user's token? Can I add claims specific to the application requesting the token on the Authorization server – or do I need to rig up something so that the authorization server adds certain claims based on the requesting app?
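An added example (not code from the question's author) of the thing being asked about: a shared OWIN authorization server provider that adds claims based on which client is requesting the token. It keys a registry on client_id, filters the user's roles down to what that application is allowed to see, stamps application-specific claims, and sets the audience to the client. The registry contents, the claim names and FakeUserStore are assumptions for illustration.

```csharp
// Added example: per-client claims issued by a shared OWIN authorization server.
// The client registry, claim names and FakeUserStore below are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

public sealed class RegisteredClient
{
    public string ClientId;
    public HashSet<string> AllowedRoles;           // roles this application is allowed to see
    public Dictionary<string, string> ExtraClaims; // claims specific to this application
}

public class PerClientAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    // Hypothetical registry keyed by client_id; a real deployment loads this from a store.
    private static readonly Dictionary<string, RegisteredClient> Clients =
        new Dictionary<string, RegisteredClient>(StringComparer.Ordinal)
        {
            ["payroll-api"] = new RegisteredClient
            {
                ClientId = "payroll-api",
                AllowedRoles = new HashSet<string> { "Manager" },
                ExtraClaims = new Dictionary<string, string> { ["payroll:region"] = "emea" }
            },
            ["inventory-api"] = new RegisteredClient
            {
                ClientId = "inventory-api",
                AllowedRoles = new HashSet<string> { "Manager", "Supervisor" },
                ExtraClaims = new Dictionary<string, string> { ["inventory:warehouse"] = "north" }
            }
        };

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        // Confidential clients send Basic auth; public clients send client_id in the form body.
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            context.TryGetFormCredentials(out clientId, out clientSecret);

        if (clientId == null || !Clients.ContainsKey(clientId))
        {
            context.SetError("invalid_client", "Unknown client_id.");
            return Task.FromResult<object>(null);
        }
        context.Validated(clientId); // makes context.ClientId available to the grant handlers
        return Task.FromResult<object>(null);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        IEnumerable<string> userRoles;
        if (!FakeUserStore.TryAuthenticate(context.UserName, context.Password, out userRoles))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult<object>(null);
        }
        var client = Clients[context.ClientId]; // present because ValidateClientAuthentication succeeded

        var identity = new ClaimsIdentity("JWT");
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim("sub", context.UserName));

        // Only the roles this application is entitled to see go into its token.
        foreach (var role in userRoles.Where(client.AllowedRoles.Contains))
            identity.AddClaim(new Claim(ClaimTypes.Role, role));

        // Application-specific claims, so a token minted for inventory-api never carries payroll claims.
        foreach (var kv in client.ExtraClaims)
            identity.AddClaim(new Claim(kv.Key, kv.Value));

        // The JWT formatter turns "audience" into the "aud" claim; each API must verify aud == its own id.
        var props = new AuthenticationProperties(new Dictionary<string, string>
        {
            { "audience", client.ClientId }
        });
        context.Validated(new AuthenticationTicket(identity, props));
        return Task.FromResult<object>(null);
    }
}

// Stand-in for the real credential check, constructed for this example.
static class FakeUserStore
{
    public static bool TryAuthenticate(string user, string password, out IEnumerable<string> roles)
    {
        roles = new[] { "Manager", "Supervisor" };
        return user == "alice" && password == "correct horse battery staple";
    }
}
```

The point of doing the filtering on the authorization server rather than in each API is that a token minted for one audience never carries another application's claims, so a leaked token is only as useful as the single API it was issued for. Each resource server still has to reject tokens whose audience is not its own client_id, otherwise the separation buys nothing.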

Best Answer

In the past I've had one authentication server that issued tokens. Then the client sent the authentication token to an authorization server with a request of the form:

"The client with this application_id is requesting access for the user defined in the attached authentication token to access content X."

The authorization server checked to make sure the user was authorized and issued a new authorization token to the client. The client then passed this token to the service that provided content X.

The authorization server in this case did need a configuration update to know about new content Y.

You could modify it so the resource servers ask the authorization server to create a token containing attached custom claims.
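The two-step flow the answer describes, as an added example (not the answerer's code) implemented as a custom OWIN grant on a single authorization server. The application presents the authentication token it obtained earlier plus the content it wants; the server checks the token, checks that this application_id may request that content and that the user holds the required role, and mints a fresh, narrowly scoped authorization token. The grant name, the parameter names and the Catalogue are assumptions, and the default OWIN AccessTokenFormat is assumed (a custom JWT formatter would need its own validation path in step 1).

```csharp
// Added example: the answer's two-step flow as a custom OWIN grant. Grant name, parameter
// names and the Catalogue are assumptions; the default (self-issued) AccessTokenFormat is assumed.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

public class ExchangeGrantProvider : OAuthAuthorizationServerProvider
{
    private const string ExchangeGrant = "urn:example:exchange";

    // Hypothetical: content each application_id may request, and the role a user needs for it.
    private static readonly Dictionary<string, Dictionary<string, string>> Catalogue =
        new Dictionary<string, Dictionary<string, string>>(StringComparer.Ordinal)
        {
            ["payroll-api"]   = new Dictionary<string, string> { ["content:X"] = "Manager" },
            ["inventory-api"] = new Dictionary<string, string> { ["content:Y"] = "Supervisor" }
        };

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            context.TryGetFormCredentials(out clientId, out clientSecret);
        if (clientId != null && Catalogue.ContainsKey(clientId))
            context.Validated(clientId);
        else
            context.SetError("invalid_client", "Unknown application_id.");
        return Task.FromResult<object>(null);
    }

    public override Task GrantCustomExtension(OAuthGrantCustomExtensionContext context)
    {
        if (context.GrantType != ExchangeGrant)
        {
            context.SetError("unsupported_grant_type");
            return Task.FromResult<object>(null);
        }

        // Step 1: check the authentication token. Unprotecting with the server's own AccessTokenFormat
        // rejects anything this server did not issue; expiry is checked explicitly because Unprotect
        // alone does not do it.
        var raw = context.Parameters.Get("authentication_token");
        var authn = raw == null ? null : context.Options.AccessTokenFormat.Unprotect(raw);
        if (authn == null || !authn.Properties.ExpiresUtc.HasValue
            || authn.Properties.ExpiresUtc.Value < DateTimeOffset.UtcNow)
        {
            context.SetError("invalid_grant", "Authentication token is missing, invalid or expired.");
            return Task.FromResult<object>(null);
        }

        // Step 2: "application_id requests content for this user": the app must be registered for
        // that content and the user must hold the role it requires.
        Dictionary<string, string> allowed;
        string requiredRole = null, content = context.Parameters.Get("content");
        if (content == null || !Catalogue.TryGetValue(context.ClientId, out allowed)
            || !allowed.TryGetValue(content, out requiredRole))
        {
            context.SetError("invalid_scope", "This application may not request that content.");
            return Task.FromResult<object>(null);
        }
        if (!authn.Identity.HasClaim(ClaimTypes.Role, requiredRole))
        {
            context.SetError("access_denied", "User lacks the role required for " + content + ".");
            return Task.FromResult<object>(null);
        }

        // Step 3: mint the authorization token. Only identity claims are copied from the authentication
        // token; the content claim is added here and the audience pins the token to this application.
        var identity = new ClaimsIdentity("JWT");
        identity.AddClaim(new Claim(ClaimTypes.Name, authn.Identity.Name));
        identity.AddClaim(new Claim("sub", authn.Identity.FindFirst("sub")?.Value ?? authn.Identity.Name));
        identity.AddClaim(new Claim("content", content));
        identity.AddClaim(new Claim("azp", context.ClientId)); // the application the token was minted for

        var props = new AuthenticationProperties(new Dictionary<string, string>
        {
            { "audience", context.ClientId }
        });
        context.Validated(new AuthenticationTicket(identity, props));
        return Task.FromResult<object>(null);
    }
}
```

The application calls the token endpoint with grant_type=urn:example:exchange, authentication_token=..., content=content:X and its own client credentials. Because an access token is being accepted as a grant, the authentication token should be short-lived and addressed to the authorization server itself, not to any API; otherwise an API that receives it as a bearer token could replay it here to obtain content it was never registered for.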
