OWIN OAuth Components in ASP.NET MVC Application | ASP.NET MVC Tutorial | ASP.NET MVC Application

OAuth middleware consists of several components that work together to complete the OAuth process. The following classes are used to configure and register the middleware, instantiate the provider, and handle authentication. Each component is described below in the order they are required by the authentication process.


An authentication extensions class is used to create an API used for registering the middleware with the OWIN pipeline. The class Custom AuthenticationExtensions extends the IAppBuilder by providing a UseCustomAuthentication method. The U seCustom Authentication method gives other developers an easy to use API for initializing the middleware and its options while registering the middleware with Katana.


CustomAuthentication Options specifies configuration for the authentication process and objects used throughout the authentication process. This includes service endpoints and API parameters such as client ID and client secret. CustomAuthentication Options inherits from the AuthenticationOptions base class. The authentication options associated with a custom middleware are often referenced by other components asTOptions .


CustomAuthenticationMiddleware inherits from AuthenticationMiddleware < TOptions > where TOptions isCustomAuthenticationOptions CustomAuthenticationMiddleware initializes theCustomAuthenticationProvider , CustomAuthenticationHandler , and ILogger <CustomAuthenticationMiddleware > The AuthenticationMiddleware itself is rather sparse because most of the work has been abstracted away into the AuthenticationHandler .


Custom AuthenticationProvider specifies the delegates that are called during authentication. OnAuthenticatedis invoked when a user is successfully authenticated. OnReturnEndpoint , is invoked before the ClaimsIdentity is saved and the browser redirects to the originally requested URL.

Authenticated Context

CustomAuthenticationContenxt inherits from BaseContext . The AuthenticationContext receives and parses the user information retrieved from the authentication service. The AuthenticationContext properties contain the login session information as well as details about the user that logged in including the ClaimsIdentity andAuthenticationProperties .


CustomReturnEndpointContext inherits from ReturnEndpointContext ReturnEndpointContext provides information about the OWIN context and holds the authentication ticket information.


The CustomAuthenticationHandler is responsible for the bulk of the authentication process.CustomAuthenticationHandler inherits from AuthenticationHandler < CustomAuthenticationOptions > and has three methods that need to be overridden: AuthenticateCoreAsync ApplyResponseChallengeAsync andInvokeAsync .


This method is invoked during an HTTP response. The method will look for a response that requires authentication (401 unauthorized) and a matching authentication type. When this criteria is met the method will be responsible for creating the CSFR token and redirecting the browser to the authentication endpoint.


The InvokeAsync method is used to detect a callback request from the authentication service. InvokeAsync will check the request for a path that matches callback path (ex: /signin-facebook). When the callback path is detected the method will invoke AuthenticateAsyncCore via AuthenticateAsnyc Once AuthenticateAsyncCore is complete the method will create a ReturnEndpointContext , grant the ClaimsIdentity and complete the request by redirecting to the application’s ExternalLoginCallback action.


AuthenticateCoreAsync performs several tasks. The method will validate the CSRF token insuring the security of the request. Next, the access token is request from the authentication service and if needed a second request is made for additional user information. Once the user’s information is collected the authentication context andClaimsIdentity are generated. Finally, the OnAuthenticated method is called and given theAuthenticationContext .