ASP.NET Web Api: How to pass an access token (oAuth 2.0) using URL parameter?
Solution 1
Well - I agree that the header is a much better alternative - but there are of course situations where the query string is needed. The OAuth2 spec defines it as well.
Anyways - this feature is built into the Katana OAuth2 middleware:
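    using System.Threading.Tasks;
    using Microsoft.Owin.Security.OAuth;

    public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider
    {
        // Name of the query string parameter that carries the token.
        readonly string _name;

        public QueryStringOAuthBearerProvider(string name)
        {
            _name = name;
        }

        // Called by the bearer middleware while it looks for a token on the request.
        public override Task RequestToken(OAuthRequestTokenContext context)
        {
            var value = context.Request.Query.Get(_name);

            if (!string.IsNullOrEmpty(value))
            {
                // A token found in the query string replaces any token already on the context.
                context.Token = value;
            }

            return Task.FromResult<object>(null);
        }
    }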
And then:
    // audience, issuer and signingKey are defined elsewhere in the startup code.
    var options = new JwtBearerAuthenticationOptions
    {
        AllowedAudiences = new[] { audience },
        IssuerSecurityTokenProviders = new[]
        {
            new SymmetricKeyIssuerSecurityTokenProvider(
                issuer,
                signingKey)
        },
        Provider = new QueryStringOAuthBearerProvider("access_token")
    };
Solution 2
So, go to Global.asax and add this method:
    void Application_BeginRequest(object sender, EventArgs e)
    {
        // Only act when the client sent no Authorization header.
        if (ReferenceEquals(null, HttpContext.Current.Request.Headers["Authorization"]))
        {
            var token = HttpContext.Current.Request.Params["access_token"];
            if (!String.IsNullOrEmpty(token))
            {
                // Copy the token into an Authorization header so the normal bearer pipeline picks it up.
                HttpContext.Current.Request.Headers.Add("Authorization", "Bearer " + token);
            }
        }
    }
UPDATE: Check out @leastprivilege answer. Much better solution.
Author: mynkow
Updated on July 18, 2022
Comments
-
mynkow almost 2 years
Do you have any idea how I can use an access_token, generated by the default ASP.NET Web API 2 OAuth 2 authorization mechanism, in the URL parameters? Currently I am able to authorize successfully by sending a request with an Authorization header like this:
    Accept: application/json
    Content-Type: application/json
    Authorization: Bearer pADKsjwMv927u...
What I want is to enable authorization through a URL parameter like this:
    https://www.domain.com/api/MyController?access_token=pADKsjwMv927u...
-
John Saunders over 10 years
I have edited your title. Please see "Should questions include “tags” in their titles?", where the consensus is "no, they should not".
-
mynkow over 10 years
OK, this is new for me.
-
Eugenio Pace over 10 years
Actually, query string parameters are protected under SSL. stackoverflow.com/questions/323200/…
-
mynkow over 10 years
Yes, and the GitHub API also supports authentication using this method => developer.github.com/v3/#authentication
-
mynkow over 10 years
Nice, much better. Can you please copy and paste the relevant code from the blog post you mentioned so I can mark your response as the answer. 10x
-
Darin Dimitrov over 10 years
I wonder how such a wrong answer can be accepted. Apparently the person that posted this doesn't quite understand how HTTP and SSL work. The token is as much protected in the query string as it is in the HTTP headers. This being said, in general it is better to use the HTTP headers for sending sensitive information instead of query strings to avoid it being logged by web servers.
-
mynkow over 10 years
You are right Darin, I do not understand how this works. But you are also wrong because as you can see @leastprivilege will be marked as answer... anyway.
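The trade-off discussed above (header preferred, query-string tokens ending up in logs), as an added example that is not part of the original answers or of the Katana project: a stricter variant of the Solution 1 provider plus a redaction helper for application logging. The class name, the `allowedPrefix` parameter and the `RedactForLog` helper are assumptions made for illustration.

```csharp
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;

// Added example; class, parameter and helper names are hypothetical.
public class RestrictedQueryStringBearerProvider : OAuthBearerAuthenticationProvider
{
    private readonly string _name;
    private readonly PathString _allowedPrefix;

    public RestrictedQueryStringBearerProvider(string name, string allowedPrefix)
    {
        _name = name;
        _allowedPrefix = new PathString(allowedPrefix); // e.g. "/api/downloads" (constructed)
    }

    public override Task RequestToken(OAuthRequestTokenContext context)
    {
        var request = context.Request;

        // An Authorization header always wins; the query string is only a fallback.
        bool hasHeader = !string.IsNullOrEmpty(request.Headers.Get("Authorization"));

        // Fall back only over HTTPS and only below the allowed path prefix
        // (request.Path is relative to the OWIN path base).
        if (!hasHeader && request.IsSecure && request.Path.StartsWithSegments(_allowedPrefix))
        {
            var value = request.Query.Get(_name);
            if (!string.IsNullOrEmpty(value))
            {
                context.Token = value;
            }
        }
        return Task.FromResult<object>(null);
    }

    // Call on any URL before it is written to application logs, so the bearer
    // token does not end up on disk next to the request line.
    public static string RedactForLog(string url, string name)
    {
        var pattern = "([?&]" + Regex.Escape(name) + "=)[^&#]*";
        return Regex.Replace(url, pattern, "${1}[REDACTED]", RegexOptions.IgnoreCase);
    }
}
```

`RedactForLog` only covers log lines the application writes itself; web server and proxy access logs record the raw query string and need their own handling.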