tjoudeh / angularjsauthentication

Tutorial shows Authentication in AngularJS with ASP.NET Web API 2 and Owin Middle-ware using access tokens and refresh tokens approach

Home Page: bit.ly/TokenAuth

C# 54.56% JavaScript 17.69% CSS 27.74%

angularjsauthentication's Introduction

AngularJS Authentication

Tutorial shows Authentication in AngularJS with ASP.NET Web API 2 and Owin Middleware using access tokens and refresh tokens approach.

angularjsauthentication's Issues

RegisterExternal question

Hi Taiseer,
I was going through your great article about refresh tokens and I have one question.

In // POST api/Account/RegisterExternal you use [AllowAnonymous] instead of [OverrideAuthentication] and [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)]

    [Route("RegisterExternal")]
    public async Task<IHttpActionResult> RegisterExternal(RegisterExternalBindingModel model)

Is it just a simplification for demo purposes (the auth interceptor you have would need to be extended to make use of the external token), or do you think this is not required here?

string.Equals in AccountController will not match *

AccountController ~line 270
 if (!string.Equals(client.AllowedOrigin, redirectUri.GetLeftPart(UriPartial.Authority), StringComparison.OrdinalIgnoreCase))

This line does not match an origin of * to any origin, as string.Equals does not account for regex.

Maybe something more like

// A bare "*" is not a valid regex pattern; AllowedOrigin would need to hold e.g. ".*" for the wildcard case.
Regex allowOriginRegex = new Regex(client.AllowedOrigin, RegexOptions.IgnoreCase);
if (!string.Equals(client.AllowedOrigin, redirectUri.GetLeftPart(UriPartial.Authority), StringComparison.OrdinalIgnoreCase) && !allowOriginRegex.IsMatch(redirectUri.GetLeftPart(UriPartial.Authority)))
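
An added example (not code from the repository or from the issue's author) of an origin check that accepts "*" without passing the stored value to Regex, where an unanchored match would also accept origins that merely contain the allowed host. OriginMatcher, IsAllowed, the https://*.example.com wildcard form and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Linq;

// Added example, not repository code. OriginMatcher and IsAllowed are hypothetical names.
public static class OriginMatcher
{
    // allowedOrigin: "*", an exact origin, or one leading wildcard label ("https://*.example.com").
    public static bool IsAllowed(string allowedOrigin, Uri redirectUri)
    {
        if (string.IsNullOrWhiteSpace(allowedOrigin) || redirectUri == null || !redirectUri.IsAbsoluteUri)
            return false;
        if (allowedOrigin == "*")
            return true;

        // scheme://host[:port] only: no user info, path or query.
        string origin = redirectUri.GetComponents(UriComponents.SchemeAndServer, UriFormat.UriEscaped);
        string allowed = allowedOrigin.TrimEnd('/');
        if (string.Equals(allowed, origin, StringComparison.OrdinalIgnoreCase))
            return true;

        int marker = allowed.IndexOf("://*.", StringComparison.Ordinal);
        if (marker <= 0)
            return false;
        string prefix = allowed.Substring(0, marker + 3); // e.g. "https://"
        string suffix = allowed.Substring(marker + 4);    // e.g. ".example.com"
        if (origin.Length <= prefix.Length + suffix.Length
            || !origin.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)
            || !origin.EndsWith(suffix, StringComparison.OrdinalIgnoreCase))
            return false;

        // The wildcard covers exactly one host label: letters, digits and hyphens, no dots.
        string label = origin.Substring(prefix.Length, origin.Length - prefix.Length - suffix.Length);
        return label.All(c => char.IsLetterOrDigit(c) || c == '-');
    }

    public static void Main()
    {
        var samples = new[] { // constructed sample values: allowed origin, redirect URI
            new[] { "*", "http://localhost:32150/callback" },
            new[] { "https://*.example.com", "https://app.example.com/callback" },
            new[] { "https://*.example.com", "https://a.b.example.com/callback" },
            new[] { "https://example.com", "https://example.com.other.test/callback" },
        };
        foreach (var s in samples)
            Console.WriteLine("{0} | {1} | {2}", s[0], s[1], IsAllowed(s[0], new Uri(s[1])));
    }
}
```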

Some questions

First, thanks a lot for the articles and this repo, this really helped me to get started with Owin.Security.OAuth2, which unfortunately lacks decent examples or even comments on MSDN. So I really appreciate the job you did!

While reviewing the code I came across a few questions:

  1. Overriding TokenEndpoint seems to be unnecessary; could it be safely omitted?
  2. A minor thing in SimpleAuthorizationServerProvider.ValidateClientAuthentication, which made me look inside the Owin packages' source code to understand it: why do you first resolve clientId and then simply use context.ClientId? It seems like context.ClientId is available within the whole method, but actually it is populated indirectly only in the TryGetFormCredentials/TryGetBasicCredentials methods, so using the local clientId would be less confusing in terms of code readability IMHO.
  3. Why would you want to persist AuthorizationTicket to the database? I've noticed that there is a bit of a workaround before creating new refresh tokens in CreateAsync, when Ticket.Properties.ExpiresUtc and Ticket.Properties.IssuedUtc are set. Wouldn't it be easier if we could factor out the common logic for issuing tickets and reuse it in GrantResourceOwnerCredentials and ReceiveAsync?
  4. In GrantResourceOwnerCredentials(), why are you storing "as:client_Id" and "userName" inside the ticket, which would be sent through HTTP with every single request to the Resource Server and persisted into the database? Why not use IOwinContext.Set instead, the same way you were storing "as:clientAllowedOrigin"? And btw, why would you want to use the "as:" prefix for most of your keys?

Bootstrap menu doesn't work

If I reduce the browser window dimensions, I can see the button responsible for showing the navigation menu, but on click it doesn't work.
I added bootstrap.js to the page but it's still not working.
How can I resolve this issue?

thanks in advance
emanuele

Problem with changing password when using AspNetIdentityDependencyInjectionSample

Hi there, I used this code https://github.com/VahidN/AspNetIdentityDependencyInjectionSample to separate ApplicationUserManager from the UI, define it in the service layer and then inject it into the UI.
But the problem is that when I change the password of a user, the current password is changed in the db to the new password (I am sure, because if you change it again with the old one you will get the error "Incorrect password"), but the user can log in with the old password!
I am so confused.
Please help me and check the sample code in this issue: VahidN/AspNetIdentityDependencyInjectionSample#9

Use this to create API keys

Hello,

I've been using this to authenticate users into my application, but would now like to enable 3rd-party integrations. Can this functionality be somehow modified to create API keys, so the request would get authorized either by an access token or an API key?

Login Error - Refresh Token

After downloading the project I adjusted the Web.config to connect to a local database and changed "serviceBase" to my localhost address. After which I was able to load up the application and sign up a new user account. I checked my database and it builds the tables and I am able to login but if I try to login with refresh token active it gives me an empty error below the login button.

I am able to authenticate and get a token with PostMan but not with the WebApp. Checked the console for errors and found "XMLHttpRequest cannot load http://localhost:26264/token. The 'Access-Control-Allow-Origin' header has a value 'http://ngauthenticationweb.azurewebsites.net' that is not equal to the supplied origin. Origin 'http://localhost:32150' is therefore not allowed access."

I updated the "BuildClientsList" under Configuration.cs to include my local address (http://localhost:32150) instead of http://ngauthenticationweb.azurewebsites.net and rebuilt but I am still getting the same error.

Checking user name of refresh token

Maybe I got something wrong but I didn't find the point where the user name of the loaded refresh token is checked. The only thing which is checked is the client id.

You don't need an access token to create a new access token via refresh token.
So if someone else manages to get your refresh token id, they will always be able to issue a new access token in your name.

Shouldn't the refresh token challenge at least be protected by a (potentially expired, but at least validated) access token so that we can compare the username of the access token to the username of the refresh token object?

Is this a security issue or am I missing something?

Congratulations on This Repo

I wanted to take a moment to thank you and congratulate you on this repository. I am still digesting it completely in my spare time (not a lot of that I am afraid). I especially liked the AngularJS module Run command to start up a service without an inject into a controller. Since I am relatively new to AngularJS this really is a handy little tidbit of code.
I am curious as to why you did not use a Service vs Factory concept here? It would appear that you want a Singleton pattern and the config would be more Angular I think with the service.
I realize that this is not really an issue, but I could not find a discussion link to add this comment. In any event, good luck with the project and nice starting point for those of us learning Microsoft.Owin.Security. I will continue following your twitter conversations.

Cors Issue

Encountering a CORS error when deployed to local IIS. Any idea on getting this nailed down? I understand that app.UseCors(CorsOptions.AllowAll) is set. However, I am still getting the CORS error.

Problem with type mismatch on Startup.cs

I'm going through this walkthrough, and I've run into a snag on step nine. On the line that contains the code:

Provider = new SimpleAuthorizationServerProvider()

I'm getting an error "Cannot implicitly convert type 'AngularJSAuthentication.API.Providers.SimpleAuthorizationServerProvider' to 'Microsoft.Owin.Security.OAuth.IOAuthAuthorizationServerProvider'". I copied the code directly from this repo, but am still getting this error message.

License?

Title says it all- under what license do you distribute your code, and what are the licenses for the included code?

how can i generate refresh token as well when i login with facebook?

I built the application successfully and it works for me. Just a question about the refresh token: I can obtain the refresh token when I log in normally, and when I log in as a Facebook user I obtain the access token. The question is, can I obtain an access token and a refresh token at the same time when I log in with Facebook?

Update to ASP.Net 5 MVC 6

Hi and thanks for this great repo and tutorial.

It would be really nice to see how this repo would fit into ASP.Net 5 and MVC 6. Any chance you could make that happen since it is now in RC1?

Race condition problem?

Hi,

I have written a wrapper for RestSharp that calls my API controller, automatically passing the token and, in case of a 401 response, calling the refresh token endpoint.

If I call the API multiple times per second, could I get errors because the refresh of the token is not yet completed (done in the CreateAsync method) but I no longer have the previous (expired) token, since it's deleted in the ReceiveAsync method?
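
One client-side way to avoid the situation described above, as an added example (not code from the repository or from the poster's wrapper): every caller that hits a 401 passes through one gate, so the refresh token is spent once and the waiting callers reuse the new pair. It assumes single-use refresh tokens as the issue describes; SingleFlightRefresher, TokenPair and the stand-in endpoint are hypothetical.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;

// Added example, not repository code. All type and member names are hypothetical.
public sealed class TokenPair { public string AccessToken; public string RefreshToken; }

public sealed class SingleFlightRefresher
{
    private readonly Func<string, Task<TokenPair>> _callTokenEndpoint; // refresh_token grant
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private TokenPair _current;

    public SingleFlightRefresher(TokenPair initial, Func<string, Task<TokenPair>> callTokenEndpoint)
    { _current = initial; _callTokenEndpoint = callTokenEndpoint; }

    // Call after a 401, passing the access token the API rejected.
    public async Task<TokenPair> RefreshAsync(string rejectedAccessToken)
    {
        await _gate.WaitAsync();
        try
        {
            // Someone else refreshed while we waited: reuse the new pair, spend no refresh token.
            if (_current.AccessToken != rejectedAccessToken) return _current;
            _current = await _callTokenEndpoint(_current.RefreshToken);
            return _current;
        }
        finally { _gate.Release(); }
    }
}

public static class Demo
{
    public static void Main()
    {
        int calls = 0; // constructed stand-in for a token endpoint with single-use refresh tokens
        Func<string, Task<TokenPair>> endpoint = async rt =>
        {
            await Task.Delay(50);
            if (rt != "r" + (calls + 1)) throw new InvalidOperationException("invalid_grant");
            calls++; // safe here: the gate lets only one refresh run at a time
            return new TokenPair { AccessToken = "a" + (calls + 1), RefreshToken = "r" + (calls + 1) };
        };
        var refresher = new SingleFlightRefresher(new TokenPair { AccessToken = "a1", RefreshToken = "r1" }, endpoint);
        // Ten callers all saw access token "a1" rejected at the same moment.
        TokenPair[] results = Task.WhenAll(Enumerable.Range(0, 10).Select(i => refresher.RefreshAsync("a1"))).Result;
        Console.WriteLine("endpoint calls: {0}, distinct access tokens handed out: {1}",
            calls, results.Select(r => r.AccessToken).Distinct().Count());
    }
}
```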

Question about new ResourceServer project

I see that a new ResourceServer project has been added. However, I don't see that it's being called from the client application (AngularJSAuthentication.Web). Is it because it just hasn't been hooked up yet?

Not able to login with FacebookOauth

I have downloaded the above code and updated the Facebook appid, appsecret etc. I am trying to log in with Facebook but it throws an error after the Facebook login:

<Error>
<Message>access_denied</Message>
</Error>

Is it safe to save refresh_token locally?

As angularjs is a client-based application, is it safe to save refresh_token locally?
In this project, the access_token and refresh_token are saved in the localStorage.

FacebookAuthProvider and GoogleAuthProvider

Is there a reason why the FacebookAuthProvider and the GoogleAuthProvider are not implemented the same way?

The Facebook provider derives from the FacebookAuthenticationProvider class while the Google provider implements the IGoogleOAuth2AuthenticationProvider interface...which way is better?

Cheers :)

about ExpiresUtc

Hi
I set the value 1700 for the field "RefreshTokenLifeTime" and changed "AccessTokenExpireTimeSpan" to one minute, as in the image below.

[image: 1m]

I am testing the web app and every minute it requires a token refresh. Is that correct?

Use Refresh Tokens Option Not Working (No Error Displayed)

I am trying to test the User Refresh Tokens option, both in the sample hosted application and locally on my machine, but both just display the red error box without an error message upon clicking Login. Is there something that I am missing or is this broken? Thanks!
