Microsoft.Owin.Security.OAuth

Data object used by TokenEndpointRequest which contains parameter information when the "grant_type" is unrecognized. The parameter information when the "grant_type" is unrecognized.

Data object used by TokenEndpointRequest when the "grant_type" parameter is "refresh_token". The value passed to the Token endpoint in the "refresh_token" parameter. The value passed to the Token endpoint in the "scope" parameter.

Data object used by TokenEndpointRequest when the "grant_type" is "authorization_code". The value passed to the Token endpoint in the "code" parameter. The value passed to the Token endpoint in the "redirect_uri" parameter. This MUST be provided by the caller if the original visit to the Authorize endpoint contained a "redirect_uri" parameter.

Data object representing the information contained in the query string of an Authorize endpoint request. Creates a new instance populated with values from the query string parameters. Query string parameters from a request. True if the "response_type" query string contains the passed responseType (see also http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html). The responseType that is expected within the "response_type" query string. True if the "response_type" query string contains the passed responseType. The "response_type" query string parameter of the Authorize request. Known values are "code" and "token". The "response_mode" query string parameter of the Authorize request. Known values are "query", "fragment" and "form_post" (see also http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html). The "client_id" query string parameter of the Authorize request. The "redirect_uri" query string parameter of the Authorize request. May be absent if the server should use the redirect uri known to be registered to the client id. The "scope" query string parameter of the Authorize request. May be absent if the server should use default scopes.
The "state" query string parameter of the Authorize request. May be absent if the client does not require state to be included when returning to the RedirectUri.

True if the "response_type" query string parameter is "code" (see also http://tools.ietf.org/html/rfc6749#section-4.1.1). True if the "response_type" query string parameter is "token" (see also http://tools.ietf.org/html/rfc6749#section-4.2.1).

Data object representing the information contained in the form encoded body of a Token endpoint request. Creates a new instance populated with values from the form encoded body parameters. Form encoded body parameters from a request. The form encoded body parameters of the Token endpoint request. The "grant_type" parameter of the Token endpoint request. This parameter is required. The "client_id" parameter of the Token endpoint request. This parameter is optional. It might not be present if the request is authenticated in a different way, for example, by using basic authentication credentials.

Data object available when the "grant_type" is "authorization_code" (see also http://tools.ietf.org/html/rfc6749#section-4.1.3). Data object available when the "grant_type" is "client_credentials" (see also http://tools.ietf.org/html/rfc6749#section-4.4.2). Data object available when the "grant_type" is "refresh_token" (see also http://tools.ietf.org/html/rfc6749#section-6). Data object available when the "grant_type" is "password" (see also http://tools.ietf.org/html/rfc6749#section-4.3.2). Data object available when the "grant_type" is unrecognized (see also http://tools.ietf.org/html/rfc6749#section-4.5).

True when the "grant_type" is "authorization_code" (see also http://tools.ietf.org/html/rfc6749#section-4.1.3). True when the "grant_type" is "client_credentials" (see also http://tools.ietf.org/html/rfc6749#section-4.4.2). True when the "grant_type" is "refresh_token" (see also http://tools.ietf.org/html/rfc6749#section-6). True when the "grant_type" is "password".
See also http://tools.ietf.org/html/rfc6749#section-4.3.2 for that grant type. True when the "grant_type" is unrecognized (see also http://tools.ietf.org/html/rfc6749#section-4.5).

Data object used by TokenEndpointRequest when the "grant_type" is "client_credentials". The value passed to the Token endpoint in the "scope" parameter.

Data object used by TokenEndpointRequest when the "grant_type" is "password". The value passed to the Token endpoint in the "username" parameter. The value passed to the Token endpoint in the "password" parameter. The value passed to the Token endpoint in the "scope" parameter.

Extension methods to add Authorization Server capabilities to an OWIN pipeline. Adds OAuth2 Authorization Server capabilities to an OWIN web application. This middleware performs the request processing for the Authorize and Token endpoints defined by the OAuth2 specification (see also http://tools.ietf.org/html/rfc6749). Parameters: the web application builder, and options which control the behavior of the Authorization Server. Returns the application builder.

Options class provides information needed to control Authorization Server middleware behavior. Creates an instance of authorization server options with default values.

The request path where client applications will redirect the user-agent in order to obtain user consent to issue a token. Must begin with a leading slash, like "/Authorize".

The request path client applications communicate with directly as part of the OAuth protocol. Must begin with a leading slash, like "/Token". If the client is issued a client_secret, it must be provided to this endpoint.

The object provided by the application to process events raised by the Authorization Server middleware. The application may implement the interface fully, or it may create an instance of OAuthAuthorizationServerProvider and assign delegates only to the events it wants to process.

The data format used to protect and unprotect the information contained in the authorization code.
If not provided by the application, the default data protection provider depends on the host server: the SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection.

The data format used to protect the information contained in the access token. If not provided by the application, the default data protection provider depends on the host server: the SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server.

The data format used to protect and unprotect the information contained in the refresh token. If not provided by the application, the default data protection provider depends on the host server: the SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection.

The period of time the authorization code remains valid after being issued. The default is five minutes. This time span must also take into account clock synchronization between servers in a web farm, so a very brief value could result in unexpectedly expired tokens.

The period of time the access token remains valid after being issued. The default is twenty minutes. The client application is expected to refresh or acquire a new access token after the token has expired.

Produces a single-use authorization code to return to the client application. For the OAuth server to be secure the application MUST provide an instance for AuthorizationCodeProvider where the token produced by the OnCreate or OnCreateAsync event is considered valid for only one call to OnReceive or OnReceiveAsync.
Produces a bearer token the client application will typically be providing to the resource server as the authorization bearer HTTP request header. If not provided, the token is produced using the server's default data protection. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server.

Produces a refresh token which may be used to produce a new access token when needed. If not provided, the authorization server will not return refresh tokens from the /Token endpoint.

Set to true if the web application is able to render error messages on the /Authorize endpoint. This is only needed for cases where the browser is not redirected back to the client application, for example, when the client_id or redirect_uri are incorrect. The /Authorize endpoint should expect to see "oauth.Error", "oauth.ErrorDescription" and "oauth.ErrorUri" properties added to the OWIN environment.

Used to know what the current clock time is when calculating or validating token expiration. When not assigned, the default is based on DateTimeOffset.UtcNow. This is typically needed only for unit testing.

True to allow authorize and token requests to arrive on http URI addresses, and to allow the incoming redirect_uri authorize request parameter to have http URI addresses.

Endpoint responsible for Form Post Response Mode (see also http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html).

Authorization Server middleware component which is added to an OWIN pipeline. This class is not created by application code directly; instead it is added by calling the IAppBuilder UseOAuthAuthorizationServer extension method. Authorization Server middleware component which is added to an OWIN pipeline.
This constructor is not called by application code directly; instead it is added by calling the IAppBuilder UseOAuthAuthorizationServer extension method. Called by the AuthenticationMiddleware base class to create a per-request handler. Returns a new instance of the request handler.

Extension methods to add OAuth Bearer authentication capabilities to an OWIN application pipeline. Adds Bearer token processing to an OWIN application pipeline. This middleware understands appropriately formatted and secured tokens which appear in the request header. If the Options.AuthenticationMode is Active, the claims within the bearer token are added to the current request's IPrincipal User. If the Options.AuthenticationMode is Passive, then the current request is not modified, but IAuthenticationManager AuthenticateAsync may be used at any time to obtain the claims from the request's bearer token (see also http://tools.ietf.org/html/rfc6749). Parameters: the web application builder, and options which control the processing of the bearer header. Returns the application builder.

Bearer authentication middleware component which is added to an OWIN pipeline. This class is not created by application code directly; instead it is added by calling the IAppBuilder UseOAuthBearerAuthentication extension method. Bearer authentication component which is added to an OWIN pipeline. This constructor is not called by application code directly; instead it is added by calling the IAppBuilder UseOAuthBearerAuthentication extension method. Called by the AuthenticationMiddleware base class to create a per-request handler. Returns a new instance of the request handler.

Options class provides information needed to control Bearer Authentication middleware behavior. Creates an instance of bearer authentication options with default values.

Determines what realm value is included when the bearer middleware adds a response header to an unauthorized request. If not assigned, the response header does not have a realm.
Specifies the full challenge to send to the client, and should start with "Bearer". If a challenge is provided then the Realm property is ignored. If no challenge is specified then one is created using "Bearer" and the value of the Realm property.

The object provided by the application to process events raised by the bearer authentication middleware. The application may implement the interface fully, or it may create an instance of OAuthBearerAuthenticationProvider and assign delegates only to the events it wants to process.

The data format used to un-protect the information contained in the access token. If not provided by the application, the default data protection provider depends on the host server: the SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthAuthorizationServerOptions.AccessTokenProvider and OAuthAuthorizationServerOptions.AccessTokenFormat of the authorization server.

Receives the bearer token the client application will be providing to the web application. If not provided, the token is produced using the server's default data protection by using the AccessTokenFormat. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthAuthorizationServerOptions.AccessTokenProvider and OAuthAuthorizationServerOptions.AccessTokenFormat of the authorization server.

Used to know what the current clock time is when calculating or validating token expiration. When not assigned, the default is based on DateTimeOffset.UtcNow. This is typically needed only for unit testing.

Default values used by authorization server and bearer authentication. Default value for AuthenticationType property in the OAuthBearerAuthenticationOptions and OAuthAuthorizationServerOptions.
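The following is an added example, not code from the Katana project or from this documentation, showing how the authorization server and bearer options described above are wired in an OWIN Startup class, and how the single-use requirement placed on AuthorizationCodeProvider can be met. The SingleUseTokenProvider class, its in-memory store and the realm string are constructed for this example; the types and extension methods it uses (IAuthenticationTokenProvider, OAuthAuthorizationServerOptions, OAuthBearerAuthenticationOptions, UseOAuthAuthorizationServer, UseOAuthBearerAuthentication) are the ones the page describes.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Constructed example: a token provider whose tokens are valid for exactly one
// Receive call. The value handed to the client is a random handle; the protected
// ticket stays server-side, keyed by that handle, and is removed on first use,
// so a replayed authorization code (or refresh token) is rejected.
public class SingleUseTokenProvider : IAuthenticationTokenProvider
{
    // In-memory store for illustration only. A web farm needs a shared store
    // whose "take" operation is atomic, and entries should be purged after the
    // configured expiry so the store does not grow without bound.
    private readonly ConcurrentDictionary<string, string> _store =
        new ConcurrentDictionary<string, string>(StringComparer.Ordinal);

    public void Create(AuthenticationTokenCreateContext context)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        // Hex keeps the handle safe to place in a redirect_uri query string.
        string handle = BitConverter.ToString(bytes).Replace("-", string.Empty);

        // SerializeTicket() protects the ticket with the configured data format,
        // so the store never holds claims in the clear.
        _store[handle] = context.SerializeTicket();
        context.SetToken(handle);
    }

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        Create(context);
        return Task.FromResult(0);
    }

    public void Receive(AuthenticationTokenReceiveContext context)
    {
        string protectedTicket;
        // TryRemove is the single-use guarantee: only the first presentation of
        // a handle finds an entry. Leaving the Ticket unset makes the middleware
        // reject the request.
        if (context.Token != null && _store.TryRemove(context.Token, out protectedTicket))
        {
            context.DeserializeTicket(protectedTicket);
        }
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        Receive(context);
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            AuthorizeEndpointPath = new PathString("/Authorize"),
            TokenEndpointPath = new PathString("/Token"),

            // The base provider validates nothing, so every authorize request is
            // rejected until a subclass that implements ValidateClientRedirectUri
            // and ValidateClientAuthentication is assigned here.
            Provider = new OAuthAuthorizationServerProvider(),

            // Separate instances keep authorization codes and refresh tokens in
            // separate stores. Both become single-use; because the middleware
            // calls the RefreshTokenProvider on every successful Token request,
            // the used refresh token is replaced by a fresh one (rotation).
            AuthorizationCodeProvider = new SingleUseTokenProvider(),
            RefreshTokenProvider = new SingleUseTokenProvider(),

            AuthorizationCodeExpireTimeSpan = TimeSpan.FromMinutes(5),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),

            // Explicit for clarity; false is the default. Codes and tokens travel
            // in redirects and request bodies, so the endpoints must be HTTPS-only.
            AllowInsecureHttp = false
        });

        // Resource side: with the default AuthenticationMode (Active) the claims
        // in a valid bearer token become the request's User. No AccessTokenFormat
        // is set on either side, so both use the host's default data protection
        // and the resource server can read what the authorization server issued.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Realm = "example-api" // constructed value
        });
    }
}
```

The store never needs to check expiry itself: the protected ticket carries the issue and expiry times the middleware set, and the middleware enforces them after DeserializeTicket; the store only has to guarantee that a handle can be taken once.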
Provides context information used at the end of a token-endpoint-request. Initializes a new instance of the class. Issues the token. Gets the identity of the resource owner. Dictionary containing the state of the authentication session. The issued Access-Token. Gets information about the token endpoint request. Gets whether or not the token should be issued. Enables additional values to be appended to the token response.

Base class used for certain event contexts. Initializes base class used for certain event contexts.

Marks this context as validated by the application. IsValidated becomes true and HasError becomes false as a result of calling. Returns true if the validation has taken effect.

Marks this context as not validated by the application. IsValidated and HasError become false as a result of calling.

Marks this context as not validated by the application and assigns various error information properties. HasError becomes true and IsValidated becomes false as a result of calling. The overloads take an error argument (assigned to the Error property), optionally an errorDescription argument (assigned to the ErrorDescription property) and optionally an errorUri argument (assigned to the ErrorUri property).

True if application code has called any of the Validate methods on this context. True if application code has called any of the SetError methods on this context.

The error argument provided when SetError was called on this context. This is eventually returned to the client app as the OAuth "error" parameter.
The optional errorDescription argument provided when SetError was called on this context. This is eventually returned to the client app as the OAuth "error_description" parameter. The optional errorUri argument provided when SetError was called on this context. This is eventually returned to the client app as the OAuth "error_uri" parameter.

Initializes base class used for certain event contexts. The "client_id" parameter for the current request. The Authorization Server application is responsible for validating that this value identifies a registered client.

Base class used for certain event contexts. Initializes base class used for certain event contexts. Replaces the ticket information on this context and marks it as validated by the application. IsValidated becomes true and HasError becomes false as a result of calling. The ticket argument is assigned to the Ticket property. Returns true if the validation has taken effect. Alters the ticket information on this context and marks it as validated by the application. IsValidated becomes true and HasError becomes false as a result of calling. The identity argument is assigned to the Ticket.Identity property. Returns true if the validation has taken effect. Contains the identity and properties for the application to authenticate. If the Validated method is invoked with an AuthenticationTicket or ClaimsIdentity argument, that new value is assigned to this property in addition to changing IsValidated to true.

Provides context information when processing an Authorization Response. Initializes a new instance of the class. Gets the identity of the resource owner. Dictionary containing the state of the authentication session. Gets information about the authorize endpoint request. Enables additional values to be appended to the token response. The serialized Access-Token; depending on the flow, it can be null. The created Authorization-Code; depending on the flow, it can be null.
An event raised after the Authorization Server has processed the request, but before it is passed on to the web application. Calling RequestCompleted will prevent the request from passing on to the web application. Creates an instance of this context. Gets OAuth authorization request data.

Interface for the OAuthAuthorizationServerOptions.Provider property used by the Authorization Server to communicate with the web application while processing requests.

Called to determine if an incoming request is treated as an Authorize or Token endpoint. If Options.AuthorizeEndpointPath or Options.TokenEndpointPath are assigned values, then handling this event is optional and context.IsAuthorizeEndpoint and context.IsTokenEndpoint will already be true if the request path matches. The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called to validate that the context.ClientId is a registered "client_id", and that the context.RedirectUri is a "redirect_uri" registered for that client. This only occurs when processing the Authorize endpoint. The application MUST implement this call, and it MUST validate both of those factors before calling context.Validated. If the context.Validated method is called with a given redirectUri parameter, then IsValidated will only become true if the incoming redirect URI matches the given redirect URI. If context.Validated is not called the request will not proceed further. The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called to validate that the origin of the request is a registered "client_id", and that the correct credentials for that client are present on the request. If the web application accepts Basic authentication credentials, context.TryGetBasicCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request header.
If the web application accepts "client_id" and "client_secret" as form encoded POST parameters, context.TryGetFormCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request body. If context.Validated is not called the request will not proceed further. The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called for each request to the Authorize endpoint to determine if the request is valid and should continue. The default behavior when using the OAuthAuthorizationServerProvider is to assume well-formed requests, with a validated client redirect URI, should continue processing. An application may add any additional constraints. The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called for each request to the Token endpoint to determine if the request is valid and should continue. The default behavior when using the OAuthAuthorizationServerProvider is to assume well-formed requests, with validated client credentials, should continue processing. An application may add any additional constraints. The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called when a request to the Token endpoint arrives with a "grant_type" of "authorization_code". This occurs after the Authorize endpoint has redirected the user-agent back to the client with a "code" parameter, and the client is exchanging that for an "access_token". The claims and properties associated with the authorization code are present in the context.Ticket. The application must call context.Validated to instruct the Authorization Server middleware to issue an access token based on those claims and properties. The call to context.Validated may be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the authorization code to the access token.
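As an added example (not the project's own code) of the two client-validation calls described above, ValidateClientRedirectUri and ValidateClientAuthentication, here is a provider subclass that checks the redirect URI against the client's registered values by exact string comparison and authenticates confidential clients with a fixed-time hash comparison. The RegisteredClient class, its in-memory registry and the helper methods HashSecret and FixedTimeEquals are constructed for this example; the context methods Validated, SetError, TryGetBasicCredentials and TryGetFormCredentials are the ones the page documents.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Constructed example: what the authorization server knows about one client.
// A real registry lives in a database and holds secret hashes, never secrets.
public class RegisteredClient
{
    public string ClientId { get; set; }
    public byte[] SecretHash { get; set; }     // null for a public client
    public string[] RedirectUris { get; set; } // exact strings the client registered
}

public class ClientValidatingProvider : OAuthAuthorizationServerProvider
{
    private readonly Dictionary<string, RegisteredClient> _clients =
        new Dictionary<string, RegisteredClient>(StringComparer.Ordinal);

    public ClientValidatingProvider(IEnumerable<RegisteredClient> clients)
    {
        foreach (var client in clients) _clients[client.ClientId] = client;
    }

    // Authorize endpoint: client_id must be registered and redirect_uri must be
    // one of that client's registered values, compared as exact strings. Prefix,
    // wildcard or host-only matching would let an unregistered URI receive the code.
    public override Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
    {
        RegisteredClient client;
        if (!string.IsNullOrEmpty(context.ClientId) && _clients.TryGetValue(context.ClientId, out client))
        {
            if (string.IsNullOrEmpty(context.RedirectUri))
            {
                // redirect_uri absent: acceptable only when exactly one is registered.
                if (client.RedirectUris.Length == 1) context.Validated(client.RedirectUris[0]);
            }
            else
            {
                foreach (var registered in client.RedirectUris)
                {
                    if (string.Equals(registered, context.RedirectUri, StringComparison.Ordinal))
                    {
                        // Validated(string) only takes effect when the incoming value matches.
                        context.Validated(registered);
                        break;
                    }
                }
            }
        }
        // Not calling Validated leaves the request rejected, and no redirect is
        // sent because the redirect target itself is what could not be trusted.
        return Task.FromResult(0);
    }

    // Token endpoint: the client proves who it is with a Basic header or with
    // client_id/client_secret form fields; the header is tried first.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
        {
            context.TryGetFormCredentials(out clientId, out clientSecret);
        }

        RegisteredClient client;
        if (string.IsNullOrEmpty(clientId) || !_clients.TryGetValue(clientId, out client))
        {
            context.SetError("invalid_client", "Unknown client.");
            return Task.FromResult(0);
        }

        if (client.SecretHash == null)
        {
            // Public client: nothing to verify, but it is still identified.
            context.Validated(clientId);
            return Task.FromResult(0);
        }

        // Client secrets are server-generated, high-entropy strings, so SHA-256 is
        // adequate here; user passwords would need a slow, salted KDF instead.
        byte[] presented = HashSecret(clientSecret ?? string.Empty);
        if (FixedTimeEquals(presented, client.SecretHash))
        {
            context.Validated(clientId);
        }
        else
        {
            // Same error for a wrong secret and a missing one.
            context.SetError("invalid_client", "Client authentication failed.");
        }
        return Task.FromResult(0);
    }

    public static byte[] HashSecret(string secret)
    {
        using (var sha = SHA256.Create())
        {
            return sha.ComputeHash(Encoding.UTF8.GetBytes(secret));
        }
    }

    // Compares every byte regardless of where the first difference is, so the
    // time taken does not reveal how much of the presented secret was right.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The provider is assigned to OAuthAuthorizationServerOptions.Provider; the redirect-URI check runs only for the Authorize endpoint and the credential check only for the Token endpoint, as the text above states.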
The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the authorization code to the access token unmodified (see also http://tools.ietf.org/html/rfc6749#section-4.1.3). The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your application has issued a "refresh_token" along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", and possibly a new "refresh_token". To issue a refresh token, an Options.RefreshTokenProvider must be assigned to create the value which is returned. The claims and properties associated with the refresh token are present in the context.Ticket. The application must call context.Validated to instruct the Authorization Server middleware to issue an access token based on those claims and properties. The call to context.Validated may be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the refresh token to the access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the refresh token to the access token unmodified (see also http://tools.ietf.org/html/rfc6749#section-6). The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and optional "refresh_token". If the web application supports the resource owner credentials grant type it must validate the context.Username and context.Password as appropriate.
To issue an access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated with the access token. The application should take appropriate measures to ensure that the endpoint isn't abused by malicious callers. The default behavior is to reject this grant type (see also http://tools.ietf.org/html/rfc6749#section-4.3.2). The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called when a request to the Token endpoint arrives with a "grant_type" of "client_credentials". This occurs when a registered client application wishes to acquire an "access_token" to interact with protected resources on its own behalf, rather than on behalf of an authenticated user. If the web application supports the client credentials grant it may assume the context.ClientId has been validated by the ValidateClientAuthentication call. To issue an access token the context.Validated must be called with a new ticket containing the claims about the client application which should be associated with the access token. The application should take appropriate measures to ensure that the endpoint isn't abused by malicious callers. The default behavior is to reject this grant type (see also http://tools.ietf.org/html/rfc6749#section-4.4.2). The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called when a request to the Token endpoint arrives with a "grant_type" of any other value. If the application supports custom grant types it is entirely responsible for determining if the request should result in an access_token. If context.Validated is called with ticket information the response body is produced in the same way as the other standard grant types. If additional response parameters must be included they may be added in the final TokenEndpoint call.
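The three grant handlers described above, refresh token, password and client credentials, as an added example that is not code from the project or this documentation. It shows the ticket being built with the claims that should reach the access token, the client_id being recorded in the ticket properties when a token is first issued, and the refresh-token handler refusing a token presented by a different client than the one it was issued to. The user-verification delegate, the "client_id" property key and the "scope" claim type are constructed for this example; note that the shipped context class spells the user name property UserName.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

public class GrantHandlingProvider : OAuthAuthorizationServerProvider
{
    // Constructed stand-in for the application's user store. The real one checks
    // a password hash and enforces lockout / rate limiting, which is what keeps
    // the password grant from being a credential-guessing oracle.
    private readonly Func<string, string, bool> _verifyUser;

    public GrantHandlingProvider(Func<string, string, bool> verifyUser)
    {
        _verifyUser = verifyUser;
    }

    // grant_type=password. The base class rejects this grant; overriding it is
    // the explicit opt-in.
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (string.IsNullOrEmpty(context.UserName) || !_verifyUser(context.UserName, context.Password))
        {
            // One message for unknown user and wrong password alike.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }

        // The identity's authentication type must match the middleware's, or the
        // bearer middleware on the resource side will not accept the token.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        foreach (var scope in context.Scope)
        {
            identity.AddClaim(new Claim("scope", scope));
        }
        context.Validated(NewTicket(identity, context.ClientId));
        return Task.FromResult(0);
    }

    // grant_type=client_credentials. ClientId was already verified by
    // ValidateClientAuthentication, so the ticket describes the client itself.
    public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
    {
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.ClientId));
        foreach (var scope in context.Scope)
        {
            identity.AddClaim(new Claim("scope", scope));
        }
        context.Validated(NewTicket(identity, context.ClientId));
        return Task.FromResult(0);
    }

    // grant_type=refresh_token. context.Ticket is the ticket that was protected
    // into the refresh token; bind it to the client that is presenting it.
    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        string issuedTo;
        context.Ticket.Properties.Dictionary.TryGetValue("client_id", out issuedTo);
        if (!string.Equals(issuedTo, context.ClientId, StringComparison.Ordinal))
        {
            context.SetError("invalid_grant", "Refresh token was issued to a different client.");
            return Task.FromResult(0);
        }

        // Copying the identity is the point at which claims can be dropped or
        // re-checked against the user store before they flow into a new token.
        var identity = new ClaimsIdentity(context.Ticket.Identity);
        context.Validated(new AuthenticationTicket(identity, context.Ticket.Properties));
        return Task.FromResult(0);
    }

    private static AuthenticationTicket NewTicket(ClaimsIdentity identity, string clientId)
    {
        var properties = new AuthenticationProperties(new Dictionary<string, string>
        {
            { "client_id", clientId ?? string.Empty }
        });
        return new AuthenticationTicket(identity, properties);
    }
}
```

Because the properties travel inside the protected ticket, the client_id check in GrantRefreshToken relies on the data protection described earlier rather than on anything the client sends; a client cannot rewrite the value without the protection key.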
See also http://tools.ietf.org/html/rfc6749#section-4.5 for extension grants. The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called at the final stage of an incoming Authorize endpoint request before the execution continues on to the web application component responsible for producing the HTML response. Anything present in the OWIN pipeline following the Authorization Server may produce the response for the Authorize page. If running on IIS any ASP.NET technology running on the server may produce the response for the Authorize page. If the web application wishes to produce the response directly in the AuthorizeEndpoint call it may write to the context.Response directly and should call context.RequestCompleted to stop other handlers from executing. If the web application wishes to grant the authorization directly in the AuthorizeEndpoint call it may call context.OwinContext.Authentication.SignIn with the appropriate ClaimsIdentity and should call context.RequestCompleted to stop other handlers from executing. The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called at the final stage of a successful Token endpoint request. An application may implement this call in order to do any final modification of the claims being used to issue access or refresh tokens. This call may also be used in order to add additional response parameters to the Token endpoint's JSON response body. The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called before the AuthorizationEndpoint redirects its response to the caller. The response could be the token, when using implicit flow, or the AuthorizationEndpoint when using authorization code flow. An application may implement this call in order to do any final modification of the claims being used to issue access or refresh tokens.
This call may also be used in order to add additional response parameters to the authorization endpoint's response. The context of the event carries information in and results out. Returns a Task to enable asynchronous execution.

Called before the TokenEndpoint redirects its response to the caller.

Default implementation of IOAuthAuthorizationServerProvider used by the Authorization Server to communicate with the web application while processing requests. OAuthAuthorizationServerProvider provides some default behavior, may be used as a virtual base class, and offers delegate properties which may be used to handle individual calls without declaring a new class type. Creates a new instance of default provider behavior. The members of OAuthAuthorizationServerProvider carry the same documentation as the corresponding members of IOAuthAuthorizationServerProvider above.
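An added example, not code from the project or this documentation, of overriding the AuthorizeEndpoint and TokenEndpoint calls on the default provider described above. AuthorizeEndpoint grants authorization by signing in a ClaimsIdentity and calling RequestCompleted, but only after the user has authenticated with the application's own cookie scheme and has explicitly posted a consent form; a GET falls through to whatever renders the consent page. TokenEndpoint strips a server-internal claim before the token is issued and adds the granted scope to the JSON response. The cookie scheme name "ApplicationCookie", the consent form field, and the "scope" and "internal_flag" claim types are assumptions for this example.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public class EndpointProvider : OAuthAuthorizationServerProvider
{
    // Assumed name of the application's cookie authentication scheme.
    private const string CookieScheme = "ApplicationCookie";

    public override async Task AuthorizeEndpoint(OAuthAuthorizeEndpointContext context)
    {
        // The client and redirect_uri were validated before this call; what is
        // still missing is the resource owner's decision.
        var user = context.OwinContext.Authentication.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Ask the cookie middleware to authenticate the user first.
            context.OwinContext.Authentication.Challenge(CookieScheme);
            context.RequestCompleted();
            return;
        }

        // A GET renders the consent page; that is left to the next component in
        // the pipeline. Only a POST of the consent form grants authorization.
        if (context.Request.Method != "POST")
        {
            return;
        }

        // The consent form must also carry the application's anti-forgery token,
        // checked here before the grant is honoured; that check is omitted from
        // this example.
        var form = await context.Request.ReadFormAsync();
        if (form.Get("consent") != "grant")
        {
            return; // no sign-in: the application decides how to report a denial
        }

        // The identity must use the authorization server's own authentication
        // type, or the middleware will not turn the sign-in into a code or token.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, user.Identity.Name));
        foreach (var scope in context.AuthorizeRequest.Scope)
        {
            identity.AddClaim(new Claim("scope", scope));
        }

        context.OwinContext.Authentication.SignIn(identity);
        context.RequestCompleted();
    }

    public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    {
        // Last chance to shape the claims: anything left on context.Identity is
        // protected into the access token and readable by whoever can unprotect
        // it, so server-only claims are removed here.
        foreach (var claim in context.Identity.FindAll("internal_flag").ToList())
        {
            context.Identity.RemoveClaim(claim);
        }

        // Extra members of the JSON token response, alongside access_token,
        // token_type and expires_in.
        string grantedScope = string.Join(" ", context.Identity.FindAll("scope").Select(c => c.Value));
        context.AdditionalResponseParameters.Add("scope", grantedScope);
        return Task.FromResult(0);
    }
}
```

Assigning this provider to OAuthAuthorizationServerOptions.Provider is enough for the overrides to run; the middleware supplies the contexts and, after SignIn, produces the authorization code or implicit-flow token and the redirect back to the validated redirect_uri.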
If the web application accepts Basic authentication credentials, context.TryGetBasicCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request header. If the web application accepts "client_id" and "client_secret" as form encoded POST parameters, context.TryGetFormCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request body. If context.Validated is not called the request will not proceed further. The context of the event carries information in and results out. Task to enable asynchronous execution Called for each request to the Authorize endpoint to determine if the request is valid and should continue. The default behavior when using the OAuthAuthorizationServerProvider is to assume well-formed requests, with validated client redirect URI, should continue processing. An application may add any additional constraints. The context of the event carries information in and results out. Task to enable asynchronous execution Called for each request to the Token endpoint to determine if the request is valid and should continue. The default behavior when using the OAuthAuthorizationServerProvider is to assume well-formed requests, with validated client credentials, should continue processing. An application may add any additional constraints. The context of the event carries information in and results out. Task to enable asynchronous execution Called when a request to the Token endpoint arrives with a "grant_type" of "authorization_code". This occurs after the Authorize endpoint as redirected the user-agent back to the client with a "code" parameter, and the client is exchanging that for an "access_token". The claims and properties associated with the authorization code are present in the context.Ticket. The application must call context.Validated to instruct the Authorization Server middleware to issue an access token based on those claims and properties. 
The call to context.Validated may be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from authorization code to access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the authorization code to the access token unmodified. See also http://tools.ietf.org/html/rfc6749#section-4.1.3 The context of the event carries information in and results out. Task to enable asynchronous execution Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your application has issued a "refresh_token" along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", and possibly a new "refresh_token". To issue a refresh token the an Options.RefreshTokenProvider must be assigned to create the value which is returned. The claims and properties associated with the refresh token are present in the context.Ticket. The application must call context.Validated to instruct the Authorization Server middleware to issue an access token based on those claims and properties. The call to context.Validated may be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the refresh token to the access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the refresh token to the access token unmodified. See also http://tools.ietf.org/html/rfc6749#section-6 The context of the event carries information in and results out. Task to enable asynchronous execution Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and optional "refresh_token". 
If the web application supports the resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an access token, context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated with the access token. The application should take appropriate measures to ensure that the endpoint isn't abused by malicious callers. The default behavior is to reject this grant type. See also http://tools.ietf.org/html/rfc6749#section-4.3.2 The context of the event carries information in and results out. Task to enable asynchronous execution

Called when a request to the Token endpoint arrives with a "grant_type" of "client_credentials". This occurs when a registered client application wishes to acquire an "access_token" to interact with protected resources on its own behalf, rather than on behalf of an authenticated user. If the web application supports the client credentials grant type it may assume the context.ClientId has been validated by the ValidateClientAuthentication call. To issue an access token, context.Validated must be called with a new ticket containing the claims about the client application which should be associated with the access token. The application should take appropriate measures to ensure that the endpoint isn't abused by malicious callers. The default behavior is to reject this grant type. See also http://tools.ietf.org/html/rfc6749#section-4.4.2 The context of the event carries information in and results out. Task to enable asynchronous execution

Called when a request to the Token endpoint arrives with a "grant_type" of any other value. If the application supports custom grant types it is entirely responsible for determining if the request should result in an access_token. If context.Validated is called with ticket information the response body is produced in the same way as for the other standard grant types.
If additional response parameters must be included they may be added in the final TokenEndpoint call. See also http://tools.ietf.org/html/rfc6749#section-4.5 The context of the event carries information in and results out. Task to enable asynchronous execution

Called at the final stage of an incoming Authorize endpoint request before the execution continues on to the web application component responsible for producing the HTML response. Anything present in the OWIN pipeline following the Authorization Server may produce the response for the Authorize page. If running on IIS, any ASP.NET technology running on the server may produce the response for the Authorize page. If the web application wishes to produce the response directly in the AuthorizeEndpoint call it may write to the context.Response directly and should call context.RequestCompleted to stop other handlers from executing. If the web application wishes to grant the authorization directly in the AuthorizeEndpoint call it may call context.OwinContext.Authentication.SignIn with the appropriate ClaimsIdentity and should call context.RequestCompleted to stop other handlers from executing. The context of the event carries information in and results out. Task to enable asynchronous execution

Called at the final stage of a successful Token endpoint request. An application may implement this call in order to do any final modification of the claims being used to issue access or refresh tokens. This call may also be used in order to add additional response parameters to the Token endpoint's JSON response body. The context of the event carries information in and results out. Task to enable asynchronous execution

Called before the AuthorizationEndpoint redirects its response to the caller. The response could be the token, when using implicit flow, or the authorization code, when using authorization code flow.
An application may implement this call in order to do any final modification of the claims being used to issue access or refresh tokens. This call may also be used in order to add additional response parameters to the authorization endpoint's response. The context of the event carries information in and results out. Task to enable asynchronous execution

Called before the TokenEndpoint redirects its response to the caller.

Called to determine if an incoming request is treated as an Authorize or Token endpoint. If Options.AuthorizeEndpointPath or Options.TokenEndpointPath are assigned values, then handling this event is optional and context.IsAuthorizeEndpoint and context.IsTokenEndpoint will already be true if the request path matches.

Called to validate that the context.ClientId is a registered "client_id", and that the context.RedirectUri is a "redirect_uri" registered for that client. This only occurs when processing the Authorize endpoint. The application MUST implement this call, and it MUST validate both of those factors before calling context.Validated. If the context.Validated method is called with a given redirectUri parameter, then IsValidated will only become true if the incoming redirect URI matches the given redirect URI. If context.Validated is not called the request will not proceed further.

Called to validate that the origin of the request is a registered "client_id", and that the correct credentials for that client are present on the request. If the web application accepts Basic authentication credentials, context.TryGetBasicCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request header. If the web application accepts "client_id" and "client_secret" as form encoded POST parameters, context.TryGetFormCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request body. If context.Validated is not called the request will not proceed further.
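The two validation callbacks described above (here and in the earlier class description), implemented as an added example that is not code from the Katana project. RegisteredClient, SampleAuthorizationServerProvider and the SecretMatches/FixedTimeEquals helpers are assumed names, and the in-memory client registry is constructed sample data standing in for a real client store. ValidateClientRedirectUri hands the registered URI to context.Validated so IsValidated only becomes true on an exact match, and ValidateClientAuthentication tries the Basic header first and the form fields second, then compares a hash of the secret in constant time.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Constructed client record standing in for a row in the application's client store.
public class RegisteredClient
{
    public string ClientId { get; set; }
    public byte[] SecretHash { get; set; }    // SHA-256 of the client secret; the raw secret is never kept
    public string RedirectUri { get; set; }   // the single redirect URI registered for this client
}

public class SampleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    private readonly Dictionary<string, RegisteredClient> _clients =
        new Dictionary<string, RegisteredClient>(StringComparer.Ordinal);

    public SampleAuthorizationServerProvider(IEnumerable<RegisteredClient> clients)
    {
        foreach (var client in clients)
        {
            _clients[client.ClientId] = client;
        }
    }

    // Authorize endpoint. The middleware does not proceed unless context.Validated is called.
    // Passing the registered URI makes IsValidated true only when the incoming redirect_uri
    // equals it exactly, so a prefix or lookalike URI is rejected by the middleware itself.
    public override Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
    {
        RegisteredClient client;
        if (!string.IsNullOrEmpty(context.ClientId) && _clients.TryGetValue(context.ClientId, out client))
        {
            context.Validated(client.RedirectUri);
        }
        else
        {
            context.SetError("invalid_client", "Unknown client_id.");
        }
        return Task.FromResult<object>(null);
    }

    // Token endpoint. Read the credentials from the Basic Authorization header or, failing
    // that, from the client_id/client_secret form fields, then verify them.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret) &&
            !context.TryGetFormCredentials(out clientId, out clientSecret))
        {
            context.SetError("invalid_client", "Client credentials were not supplied.");
            return Task.FromResult<object>(null);
        }

        RegisteredClient client;
        if (clientId != null && _clients.TryGetValue(clientId, out client) && SecretMatches(client, clientSecret))
        {
            context.Validated(clientId);
        }
        else
        {
            // One error for both "unknown client" and "wrong secret" so the response does not say which.
            context.SetError("invalid_client", "Client authentication failed.");
        }
        return Task.FromResult<object>(null);
    }

    private static bool SecretMatches(RegisteredClient client, string presentedSecret)
    {
        if (presentedSecret == null) return false;
        byte[] presentedHash;
        using (var sha = SHA256.Create())
        {
            presentedHash = sha.ComputeHash(Encoding.UTF8.GetBytes(presentedSecret));
        }
        return FixedTimeEquals(client.SecretHash, presentedHash);
    }

    // Compare every byte regardless of where the first mismatch is, so timing does not leak it.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The provider is wired in through OAuthAuthorizationServerOptions.Provider. A plain SHA-256 of the secret is used here only to keep the example short; a real client store would hold a salted, slow-KDF hash in the same place.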
Called for each request to the Authorize endpoint to determine if the request is valid and should continue. The default behavior when using the OAuthAuthorizationServerProvider is to assume that well-formed requests with a validated client redirect URI should continue processing. An application may add any additional constraints.

Called for each request to the Token endpoint to determine if the request is valid and should continue. The default behavior when using the OAuthAuthorizationServerProvider is to assume that well-formed requests with validated client credentials should continue processing. An application may add any additional constraints.

Called when a request to the Token endpoint arrives with a "grant_type" of "authorization_code". This occurs after the Authorize endpoint has redirected the user-agent back to the client with a "code" parameter, and the client is exchanging that code for an "access_token". The claims and properties associated with the authorization code are present in the context.Ticket. The application must call context.Validated to instruct the Authorization Server middleware to issue an access token based on those claims and properties. The call to context.Validated may be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the authorization code to the access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the authorization code to the access token unmodified. See also http://tools.ietf.org/html/rfc6749#section-4.1.3

Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and optional "refresh_token".
If the web application supports the resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an access token, context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated with the access token. The application should take appropriate measures to ensure that the endpoint isn't abused by malicious callers. The default behavior is to reject this grant type. See also http://tools.ietf.org/html/rfc6749#section-4.3.2

Called when a request to the Token endpoint arrives with a "grant_type" of "client_credentials". This occurs when a registered client application wishes to acquire an "access_token" to interact with protected resources on its own behalf, rather than on behalf of an authenticated user. If the web application supports the client credentials grant type it may assume the context.ClientId has been validated by the ValidateClientAuthentication call. To issue an access token, context.Validated must be called with a new ticket containing the claims about the client application which should be associated with the access token. The application should take appropriate measures to ensure that the endpoint isn't abused by malicious callers. The default behavior is to reject this grant type. See also http://tools.ietf.org/html/rfc6749#section-4.4.2

Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your application has issued a "refresh_token" along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", and possibly a new "refresh_token". To issue a refresh token, an Options.RefreshTokenProvider must be assigned to create the value which is returned. The claims and properties associated with the refresh token are present in the context.Ticket.
The application must call context.Validated to instruct the Authorization Server middleware to issue an access token based on those claims and properties. The call to context.Validated may be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the refresh token to the access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the refresh token to the access token unmodified. See also http://tools.ietf.org/html/rfc6749#section-6

Called when a request to the Token endpoint arrives with a "grant_type" of any other value. If the application supports custom grant types it is entirely responsible for determining if the request should result in an access_token. If context.Validated is called with ticket information the response body is produced in the same way as for the other standard grant types. If additional response parameters must be included they may be added in the final TokenEndpoint call. See also http://tools.ietf.org/html/rfc6749#section-4.5

Called at the final stage of an incoming Authorize endpoint request before the execution continues on to the web application component responsible for producing the HTML response. Anything present in the OWIN pipeline following the Authorization Server may produce the response for the Authorize page. If running on IIS, any ASP.NET technology running on the server may produce the response for the Authorize page. If the web application wishes to produce the response directly in the AuthorizeEndpoint call it may write to the context.Response directly and should call context.RequestCompleted to stop other handlers from executing. If the web application wishes to grant the authorization directly in the AuthorizeEndpoint call it may call context.OwinContext.Authentication.SignIn with the appropriate ClaimsIdentity and should call context.RequestCompleted to stop other handlers from executing.
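The password, client_credentials and refresh_token grant callbacks described above (and in the earlier class description), together with the TokenEndpoint callback that adds response parameters, as an added example that is not part of the Katana source. IUserStore, SampleGrantProvider and the "client_id" ticket property are assumptions made for this example, as is the "scope" claim type; the user store is a constructed stand-in for the application's own credential check. Issuing refresh tokens also requires Options.RefreshTokenProvider to be assigned, which is outside this block.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// Constructed stand-in for the application's user store. A real implementation verifies a
// salted password hash; this example only depends on the boolean result.
public interface IUserStore
{
    bool VerifyCredentials(string userName, string password);
}

public class SampleGrantProvider : OAuthAuthorizationServerProvider
{
    // Ticket property (assumed name) that records which client a token was issued to.
    private const string ClientIdProperty = "client_id";
    private readonly IUserStore _users;

    public SampleGrantProvider(IUserStore users)
    {
        _users = users;
    }

    // "password" grant: rejected by default, so the override validates the credentials
    // (exposed as context.UserName and context.Password) and builds a new ticket.
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!_users.VerifyCredentials(context.UserName, context.Password))
        {
            // Generic error: do not reveal whether the user name or the password was wrong.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult<object>(null);
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        foreach (string scope in context.Scope)
        {
            identity.AddClaim(new Claim("scope", scope)); // claim type chosen for this example
        }
        var properties = new AuthenticationProperties(new Dictionary<string, string>
        {
            { ClientIdProperty, context.ClientId ?? string.Empty }
        });
        context.Validated(new AuthenticationTicket(identity, properties));
        return Task.FromResult<object>(null);
    }

    // "client_credentials" grant: ClientId was already checked by ValidateClientAuthentication,
    // so the ticket describes the client itself rather than a user.
    public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
    {
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.ClientId));
        var properties = new AuthenticationProperties(new Dictionary<string, string>
        {
            { ClientIdProperty, context.ClientId }
        });
        context.Validated(new AuthenticationTicket(identity, properties));
        return Task.FromResult<object>(null);
    }

    // "refresh_token" grant: the default flows the original ticket unchanged. This override
    // additionally refuses a refresh token presented by a client other than the one it was issued to.
    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        string issuedTo;
        if (!context.Ticket.Properties.Dictionary.TryGetValue(ClientIdProperty, out issuedTo) ||
            !string.Equals(issuedTo, context.ClientId ?? string.Empty, StringComparison.Ordinal))
        {
            context.SetError("invalid_grant", "The refresh token was not issued to this client.");
            return Task.FromResult<object>(null);
        }
        // Copy the identity so the new access token carries the same claims as the refresh token.
        context.Validated(new ClaimsIdentity(context.Ticket.Identity));
        return Task.FromResult<object>(null);
    }

    // Final stage of a successful token request: extra members appended to the JSON response body.
    public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    {
        string issuedTo;
        if (context.Properties.Dictionary.TryGetValue(ClientIdProperty, out issuedTo))
        {
            context.AdditionalResponseParameters["client_id"] = issuedTo;
        }
        return Task.FromResult<object>(null);
    }
}
```

The client binding works because every grant that creates a ticket writes the "client_id" property, and the refresh token carries that property back; the authorization_code path is not overridden here, so codes issued by the Authorize endpoint would need the same property set when the code's ticket is created.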
Called at the final stage of a successful Token endpoint request. An application may implement this call in order to do any final modification of the claims being used to issue access or refresh tokens. This call may also be used in order to add additional response parameters to the Token endpoint's JSON response body.

Called before the AuthorizationEndpoint redirects its response to the caller. The response could be the token, when using implicit flow, or the authorization code, when using authorization code flow. An application may implement this call in order to do any final modification of the claims being used to issue access or refresh tokens. This call may also be used in order to add additional response parameters to the authorization endpoint's response. The context of the event carries information in and results out. Task to enable asynchronous execution

Called before the TokenEndpoint redirects its response to the caller.

OAuth bearer token middleware provider. Specifies callback methods which the middleware invokes to enable developer control over the authentication process.

Invoked before the is created. Gives the application an opportunity to find the identity from a different location, adjust, or reject the token. Contains the token string. A Task representing the completed operation.

Called each time a request identity has been validated by the middleware. By implementing this method the application may alter or reject the identity which has arrived with the request. Contains information about the login session as well as the user. A Task representing the completed operation.

Called each time a challenge is being sent to the client. By implementing this method the application may modify the challenge as needed. Contains the default challenge. A Task representing the completed operation.

Initializes a new instance of the class

Handles processing OAuth bearer token. Handles validating the identity produced from an OAuth bearer token.
Handles applying the authentication challenge to the response message. Handles processing OAuth bearer token. Handles validating the identity produced from an OAuth bearer token. Handles applying the authentication challenge to the response message.

Specifies the HTTP response header for the bearer authentication scheme. Initializes a new OWIN environment The www-authenticate header value. The www-authenticate header value.

Provides context information when handling an OAuth authorization code grant. Initializes a new instance of the class

Provides context information used when granting an OAuth refresh token. Initializes a new instance of the class The OAuth client id.

Specifies the HTTP request header for the bearer authentication scheme. Initializes a new OWIN environment The authorization header value. The authorization header value

Contains information about the client credentials. Initializes a new instance of the class Sets the client id and marks the context as validated by the application. Extracts HTTP basic authentication credentials from the HTTP Authorization header. Extracts forms authentication credentials from the HTTP request body. Gets the set of form parameters from the request.

Provides context information used when determining the OAuth flow type based on the request. Initializes a new instance of the class Sets the endpoint type to authorize endpoint. Sets the endpoint type to token endpoint. Sets the endpoint type to neither authorize nor token. Gets whether or not the endpoint is an OAuth authorize endpoint. Gets whether or not the endpoint is an OAuth token endpoint.

Provides context information used when processing an OAuth token request. Initializes a new instance of the class Issues the token. Gets the identity of the resource owner. Dictionary containing the state of the authentication session. Gets information about the token endpoint request. Gets whether or not the token should be issued.
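An added example, not Katana's own code, of the bearer token provider described above on the resource side. SampleBearerProvider, the "aud" claim type and the realm value are assumptions for this example. ValidateIdentity rejects a ticket that does not name the expected audience or carries no expiry, even though the middleware has already unprotected it; ApplyChallenge writes the WWW-Authenticate header itself, because overriding it replaces the default behaviour that would otherwise append context.Challenge to the response.

```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public class SampleBearerProvider : OAuthBearerAuthenticationProvider
{
    private readonly string _expectedAudience; // constructed value, e.g. "https://api.example.test"
    private readonly string _realm;            // constructed value for the challenge, e.g. "api"

    public SampleBearerProvider(string expectedAudience, string realm)
    {
        _expectedAudience = expectedAudience;
        _realm = realm;
    }

    // Called once the bearer token has been unprotected into a ticket. A valid signature alone
    // is not enough: the ticket must also name this resource as its audience ("aud" is an
    // assumed claim type, written by the token issuer) and must carry an expiry.
    public override Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        var ticket = context.Ticket;
        bool hasAudience = ticket.Identity.HasClaim("aud", _expectedAudience);
        bool hasExpiry = ticket.Properties.ExpiresUtc.HasValue;

        if (hasAudience && hasExpiry)
        {
            context.Validated();
        }
        else
        {
            // Rejected() clears IsValidated, so the request proceeds unauthenticated.
            context.Rejected();
        }
        return Task.FromResult<object>(null);
    }

    // Called when a 401 challenge is sent. context.Challenge holds the default scheme value;
    // the realm parameter is appended and the header written here since the default writer is replaced.
    public override Task ApplyChallenge(OAuthChallengeContext context)
    {
        string header = context.Challenge + " realm=\"" + _realm + "\"";
        context.Response.Headers.AppendValues("WWW-Authenticate", header);
        return Task.FromResult<object>(null);
    }
}
```

The provider is assigned through OAuthBearerAuthenticationOptions.Provider. The audience check is the detail that stops a token minted for one API from being replayed against another that shares the same protection keys.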
Enables additional values to be appended to the token response.

Provides context information used in handling an OAuth client credentials grant. Initializes a new instance of the class OAuth client id. List of scopes allowed by the resource owner.

Provides context information used when handling OAuth extension grant types. Initializes a new instance of the class Gets the OAuth client id. Gets the name of the OAuth extension grant type. Gets a list of additional parameters from the token request.

Provides context information used in validating an OAuth authorization request. Initializes a new instance of the class Gets OAuth authorization request data. Gets data about the OAuth client.

Contains data about the OAuth client redirect URI Initializes a new instance of the class Marks this context as validated by the application. IsValidated becomes true and HasError becomes false as a result of the call. Checks the redirect URI to determine whether it equals the given redirect URI. Gets the client redirect URI

Contains the authentication ticket data from an OAuth bearer token. Initializes a new instance of the class

Provides context information used in handling an OAuth resource owner grant. Initializes a new instance of the class OAuth client id. Resource owner username. Resource owner password. List of scopes allowed by the resource owner.

Provides context information used in validating an OAuth token request. Initializes a new instance of the class Gets the token request data. Gets information about the client.