MVC 5 application - implement OAuth Authorization code flow


Solution 1

I ended up with a solution based on these two articles from Brock Allen:

The fundemental idea is to register two authentication Middlewares. An active Cookie-Authentication and a passive OAuthBearer-Authentication. In Startup.Auth.cs they are added like this:

app.UseCookieAuthentication(new CookieAuthenticationOptions()
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/ExternalLogin/Login"),
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
    AuthenticationType = DefaultAuthenticationTypes.ExternalBearer,
    AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,

You also add an ExternalLogin-Controller. Its Login-method has to redirect the user to the Login-page of your Authorization Server to get the authorization code. You have to supply a callback function where you will process the authorization code.

public async Task<ActionResult> Login(string returnUrl)
    if (string.IsNullOrEmpty(returnUrl) && Request.UrlReferrer != null)
        returnUrl = Server.UrlEncode(Request.UrlReferrer.PathAndQuery);

    if (Url.IsLocalUrl(returnUrl) && !string.IsNullOrEmpty(returnUrl))
        _returnUrl = returnUrl;

    //callback function
    _redirectUrl = Url.Action("AuthorizationCodeCallback", "ExternalLogin", null, Request.Url.Scheme);

    Dictionary<string, string> authorizeArgs = null;
    authorizeArgs = new Dictionary<string, string>
        {"client_id", "0123456789"}
        ,{"response_type", "code"}
        ,{"scope", "read"}
        ,{"redirect_uri", _redirectUrl}
        // optional: state

    var content = new FormUrlEncodedContent(authorizeArgs);
    var contentAsString = await content.ReadAsStringAsync();
    return Redirect("http://localhost:64426/oauth/authorize?" + contentAsString);

In your callback-function you exchange the authorization code for an access token (plus refresh token) challenge your passive OAuthBearer-authentication Middleware and signin with the Access token as your Cookie.

public async Task<ActionResult> AuthorizationCodeCallback()
    // received authorization code from authorization server
    string[] codes = Request.Params.GetValues("code");
    var authorizationCode = "";
    if (codes.Length > 0)
        authorizationCode = codes[0];

    // exchange authorization code at authorization server for an access and refresh token
    Dictionary<string, string> post = null;
    post = new Dictionary<string, string>
        {"client_id", "0123456789"}
        ,{"client_secret", "ClientSecret"}
        ,{"grant_type", "authorization_code"}
        ,{"code", authorizationCode}
        ,{"redirect_uri", _redirectUrl}

    var client = new HttpClient();
    var postContent = new FormUrlEncodedContent(post);
    var response = await client.PostAsync("http://localhost:64426/token", postContent);
    var content = await response.Content.ReadAsStringAsync();

    // received tokens from authorization server
    var json = JObject.Parse(content);
    _accessToken = json["access_token"].ToString();
    _authorizationScheme = json["token_type"].ToString();
    _expiresIn = json["expires_in"].ToString();
    if (json["refresh_token"] != null)
        _refreshToken = json["refresh_token"].ToString();

    //SignIn with Token, SignOut and create new identity for SignIn
    Request.Headers.Add("Authorization", _authorizationScheme + " " + _accessToken);
    var ctx = Request.GetOwinContext();
    var authenticateResult = await ctx.Authentication.AuthenticateAsync(DefaultAuthenticationTypes.ExternalBearer);
    var applicationCookieIdentity = new ClaimsIdentity(authenticateResult.Identity.Claims, DefaultAuthenticationTypes.ApplicationCookie);

    var ctxUser = ctx.Authentication.User;
    var user = Request.RequestContext.HttpContext.User;

    //redirect back to the view which required authentication
    string decodedUrl = "";
    if (!string.IsNullOrEmpty(_returnUrl))
        decodedUrl = Server.UrlDecode(_returnUrl);

    if (Url.IsLocalUrl(decodedUrl))
        return Redirect(decodedUrl);
        return RedirectToAction("Index", "Home");

I hope this is useful for someone who is implementing the OAuth authorization code flow in his MVC 5 application.

Solution 2

I used official sample MVC Implicit Client which I believe is the correct authentication flow for MVC application.

For authorization I used this getting started, especially the part about infinite loop when roles are specified [Authorize(Roles = "Foo,Bar")] and user is authenticated but doesn't own any of these.


Related videos on Youtube

Author by


Updated on July 12, 2021


  • MatthiasRamp
    MatthiasRamp almost 3 years

    Based on this tutorial, I have created an Authorization Server, a Resource Server and a MVC Client. The MVC Client has a Controller which gets some data from the Resource Server. The Resource Server requires authentication. The MVC Clients gets an authorization code from the Authorization Server and Redirects the user to the Authorization Server for authentication. Finally the MVC Clients exchanges the authorization code for a Access token to Access the Resource Server. This is the Authorization code flow as described by the OAuth 2 protocol. This works fine.

    Now, I have the requirement to make a Controller of the MVC Client itself require Authentication. I can not find a tutorial for this.

    I added

    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

    to my Startup.Auth.cs. I assume, I need to setup the Options to Redirect to the Authorization Server. I can also set the Provider on the Options:

    app.UseOAuthBearerAuthentication(new Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationOptions()
        Provider = new OAuthBearerAuthenticationProvider()

    But I am also stuck on implementing the events of the Provider. Can anybody guide me in the right direction? Or are there any tutorials which might help me?

  • tuespetre
    tuespetre about 9 years
    Thanks for sharing. It's incredibly frustrating to see that there are all these examples out there using the naive UseTwitterAuthentication, UseGoogleAuthentication, etc. but nothing to use a custom OAuth endpoint. You would think that those aforementioned methods would be using some kind of common abstraction...
  • Megamind
    Megamind almost 9 years
    How do you debug var authenticateResult = await ctx.Authentication.AuthenticateAsync(DefaultAuthenticationTy‌​pes.ExternalBearer); ? im getting a null result.
  • jlo-gmail
    jlo-gmail over 7 years
    Megamind-I got this working as far as AuthenticateAsync. It returns null. It returns null.
  • sebastian87
    sebastian87 over 6 years
    I also get a null result in this line: var authenticateResult = await ctx.Authentication.AuthenticateAsync(DefaultAuthenticationTy‌​pes.ExternalBearer); Was sb able to solve this?
  • asif jan
    asif jan almost 3 years
    i need its source code, anyone can please assist me?