
  • Salahuddin Khan (2 posts, 71 karma points)
    Apr 05, 2017 @ 07:52

    Securing REST API with Refresh tokens

    Hi,

    Is it a good practice to use Umbraco Identity with Refresh token to secure an Umbraco REST API for front-end members?

    Custom UmbracoIdentityStartup ConfigureMiddleware method might look like

    protected override void ConfigureMiddleware(IAppBuilder app)
    {
        // Configure the application for an OAuth based flow
        var PublicClientId = "self";
        var OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(30),
            AuthorizationCodeExpireTimeSpan = TimeSpan.FromHours(3),
            RefreshTokenProvider = new ApplicationRefreshTokenProvider(),
            AccessTokenFormat = new ApplicationJwtFormat(ConfigurationManager.AppSettings["AuthURL"]),
            AllowInsecureHttp = false
        };

        // Enable the application to use bearer tokens to authenticate users
        app.UseOAuthBearerTokens(OAuthOptions);

        // Ensure OWIN is configured for Umbraco back office authentication. If you have any
        // front-end OWIN cookie configuration, this must be declared after it.
        app
            .UseUmbracoBackOfficeCookieAuthentication(ApplicationContext, PipelineStage.Authenticate)
            .UseUmbracoBackOfficeExternalCookieAuthentication(ApplicationContext, PipelineStage.Authenticate);

        // Enable the application to use a cookie to store information for the
        // signed in user and to use a cookie to temporarily store information
        // about a user logging in with a third party login provider.
        // Configure the sign in cookie
        app.UseCookieAuthentication(
            // You can modify these options for any customizations you'd like
            new FrontEndCookieAuthenticationOptions(),
            PipelineStage.Authenticate);

        // Uncomment the following line to enable logging in with third party login providers
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    }
    

    I am sure there are flaws in the practice I am using, and that a better/best practice already exists than the one I am using...

    Thanks in advance for your feedback.
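The configuration above references an `ApplicationRefreshTokenProvider` without showing it. The class below is an added example (not code from the original post or from Umbraco) of what such a provider can look like when built on the OWIN `IAuthenticationTokenProvider` interface from `Microsoft.Owin.Security.Infrastructure`. It is written from a defensive angle: the refresh token is random bytes from a CSPRNG, only a SHA-256 hash of it is kept server-side, each token is single-use (removed on first presentation, so a replayed token fails), and the refresh token carries its own expiry. The in-memory store, the 14-day lifetime and the class name are assumptions for this example; a real deployment would persist the hashes in a database keyed to the user so they can be revoked. For the refresh token to be worth anything, the example also assumes `AccessTokenExpireTimeSpan` in the options is set to minutes rather than days.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;

// Hypothetical refresh token provider for the OWIN OAuth authorization server.
// Only a SHA-256 hash of each refresh token is kept server-side, in an in-memory
// store constructed for this example (use a database in a real deployment).
public class ApplicationRefreshTokenProvider : IAuthenticationTokenProvider
{
    // Key: hash of the refresh token; value: the serialized ticket it redeems.
    private static readonly ConcurrentDictionary<string, string> RefreshTokens =
        new ConcurrentDictionary<string, string>();

    // Assumed lifetime for this example; longer than the access token, shorter than "forever".
    private static readonly TimeSpan RefreshTokenLifetime = TimeSpan.FromDays(14);

    public void Create(AuthenticationTokenCreateContext context)
    {
        CreateAsync(context).GetAwaiter().GetResult();
    }

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        // Give the refresh token its own issue/expiry; the access token's expiry
        // has already been captured by the handler at this point.
        var issued = DateTimeOffset.UtcNow;
        context.Ticket.Properties.IssuedUtc = issued;
        context.Ticket.Properties.ExpiresUtc = issued.Add(RefreshTokenLifetime);

        // 32 random bytes from a CSPRNG, base64url encoded, is what the client receives.
        var tokenBytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(tokenBytes);
        }
        var refreshToken = Convert.ToBase64String(tokenBytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');

        // Store only the hash, so a leaked store does not yield usable tokens.
        RefreshTokens[Hash(refreshToken)] = context.SerializeTicket();
        context.SetToken(refreshToken);
        return Task.FromResult(0);
    }

    public void Receive(AuthenticationTokenReceiveContext context)
    {
        ReceiveAsync(context).GetAwaiter().GetResult();
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        // Single use: remove the entry on first presentation, so a replayed or
        // unknown refresh token leaves no ticket set and the grant fails.
        string serializedTicket;
        if (!RefreshTokens.TryRemove(Hash(context.Token), out serializedTicket))
        {
            return Task.FromResult(0);
        }

        var ticket = context.DeserializeTicket(serializedTicket);
        if (ticket == null
            || ticket.Properties.ExpiresUtc == null
            || ticket.Properties.ExpiresUtc.Value < DateTimeOffset.UtcNow)
        {
            // Expired (or tampered and undeserializable): grant fails.
            return Task.FromResult(0);
        }

        context.SetTicket(ticket);
        return Task.FromResult(0);
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
        }
    }
}
```

Two points to check when wiring this in: the OWIN handler only completes a `grant_type=refresh_token` request if the `OAuthAuthorizationServerProvider` (here `ApplicationOAuthProvider`) overrides `GrantRefreshToken` and calls `context.Validated(...)` with a fresh ticket, since the base implementation leaves the context unvalidated; and because every successful refresh removes the old hash and `CreateAsync` stores a new one, a refresh token that is presented twice is a signal worth logging, as it usually means the token was copied.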
