Retrieve bearer token in ASP.NET WebAPI

Solution 1

I do not recommend going with this approach if you have only one client who will talk to your API, my understanding that you need to issue a very very long lived access token maybe for a year and keep using this token to access the back-end API, right? What you will do if this token is stolen? You can't revoke the access token, so it is somehow like your master key (password). My recommendation is to use OAuth refresh tokens along with access tokens. This depends on the type of your client, you can check how this is done here http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ The refresh tokens can be revoked and they can expire after a very long time. Let me know if you need further details to implement this.

Solution 2

If you're needing to decode the token within a WebAPI Controller function, I found this worked:

String token = Request.Headers.Authorization.Parameter;
Microsoft.Owin.Security.AuthenticationTicket t = Startup.OAuthOptions.AccessTokenFormat.Unprotect(token);

Solution 3

Create a Custom Authentication Attribute and store the token hashes for users. A user can have multiple tokens. Then you can let user do what he wants - log out all other sessions when password is changed or remove sessions selectively

  public class CustomAuthAttribute : System.Web.Http.AuthorizeAttribute
    {
        protected override bool IsAuthorized(HttpActionContext context)
        {
            var accessToken = HttpContext.Current.Request.Headers["Authorization"];
            var hash = accessToken.Md5();
            //store the hash for that user 
            //check if the hash is created before the password change or its session was removed by the user
            //store IP address and user agent 
            var isBlackListed = ...
            .....
            return !isBlackListed && base.IsAuthorized(context);

        }
    }

Author by

SzilardD

Updated on June 25, 2022