  • Salahuddin Khan (2 posts, 71 karma points)
    Apr 05, 2017 @ 07:52

    Securing REST API with Refresh tokens

    Hi,

    Is it good practice to use Umbraco Identity with refresh tokens to secure an Umbraco REST API for front-end members?

    A custom UmbracoIdentityStartup ConfigureMiddleware method might look like this:

    protected override void ConfigureMiddleware(IAppBuilder app)
    {
        // Configure the application for an OAuth based flow.
        // "self" is the client_id the front-end (public) client sends to /Token.
        var publicClientId = "self";
        var oauthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(publicClientId),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            // Lifetime of the bearer access token issued by /Token
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(30),
            AuthorizationCodeExpireTimeSpan = TimeSpan.FromHours(3),
            // Issues and validates refresh tokens for the refresh_token grant
            RefreshTokenProvider = new ApplicationRefreshTokenProvider(),
            // Access tokens are emitted as JWTs signed for the configured issuer
            AccessTokenFormat = new ApplicationJwtFormat(ConfigurationManager.AppSettings["AuthURL"]),
            // The token endpoint refuses requests that do not arrive over HTTPS
            AllowInsecureHttp = false
        };

        // Enable the application to use bearer tokens to authenticate users
        app.UseOAuthBearerTokens(oauthOptions);

        // Ensure OWIN is configured for Umbraco back office authentication. If you have any front-end OWIN
        // cookie configuration, this must be declared after it.
        app
            .UseUmbracoBackOfficeCookieAuthentication(ApplicationContext, PipelineStage.Authenticate)
            .UseUmbracoBackOfficeExternalCookieAuthentication(ApplicationContext, PipelineStage.Authenticate);

        // Enable the application to use a cookie to store information for the
        // signed in user and to use a cookie to temporarily store information
        // about a user logging in with a third party login provider.
        // Configure the sign in cookie.
        app.UseCookieAuthentication(
            // You can modify these options for any customizations you'd like
            new FrontEndCookieAuthenticationOptions(),
            PipelineStage.Authenticate);

        // External sign-in cookie used while logging in with third party login providers
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    }
    

    I am sure there are flaws in the practice I am using, and that there is a better/best practice available than the one I am using...

    Thanks for your feedback in advance
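The post wires `RefreshTokenProvider = new ApplicationRefreshTokenProvider()` into the Katana OAuth authorization server but does not show that class, and the default `OAuthAuthorizationServerProvider` rejects every `refresh_token` grant unless `GrantRefreshToken` validates a ticket. The following is an added example, not code from the post, from Umbraco or from the UmbracoIdentity package: a refresh-token provider that issues random, single-use (rotated) tokens stored only as a SHA-256 hash with their own lifetime, and the `GrantRefreshToken` / `ValidateClientAuthentication` overrides that make the grant work. The class names, the in-process dictionary standing in for a database table, and the 14-day refresh lifetime are assumptions; the member login grant itself is not shown.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;

// Refresh-token provider for the Katana OAuth authorization server (hypothetical name).
// Tokens are random, single-use, stored only as a hash, and carry their own lifetime,
// independent of the (short) access-token lifetime configured on the server options.
public class RotatingRefreshTokenProvider : IAuthenticationTokenProvider
{
    public static readonly TimeSpan RefreshTokenLifetime = TimeSpan.FromDays(14); // assumption

    private class StoredToken
    {
        public string SerializedTicket;
        public DateTimeOffset ExpiresUtc;
    }

    // Assumption: an in-process dictionary stands in for a persistent store keyed by
    // token hash (one row per outstanding refresh token). Replace it in a deployment.
    private static readonly ConcurrentDictionary<string, StoredToken> Store =
        new ConcurrentDictionary<string, StoredToken>();

    public void Create(AuthenticationTokenCreateContext context) { CreateAsync(context).GetAwaiter().GetResult(); }
    public void Receive(AuthenticationTokenReceiveContext context) { ReceiveAsync(context).GetAwaiter().GetResult(); }

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        // 256 bits from the CSPRNG, base64url-encoded; only the client ever sees this value.
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(raw); }
        var token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');

        // The refresh ticket gets its own expiry. The server has already serialized the
        // access token before calling this method, so this does not lengthen the access token.
        var now = DateTimeOffset.UtcNow;
        var expires = now.Add(RefreshTokenLifetime);
        context.Ticket.Properties.IssuedUtc = now;
        context.Ticket.Properties.ExpiresUtc = expires;

        Store[Hash(token)] = new StoredToken { SerializedTicket = context.SerializeTicket(), ExpiresUtc = expires };
        context.SetToken(token);
        return Task.FromResult(0);
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        StoredToken stored;
        // TryRemove makes the token single-use: a replayed refresh token finds nothing,
        // context.Ticket stays null and the server answers invalid_grant.
        if (!Store.TryRemove(Hash(context.Token), out stored)) return Task.FromResult(0);
        if (stored.ExpiresUtc < DateTimeOffset.UtcNow) return Task.FromResult(0);
        // Unprotects the stored ticket and assigns it to context.Ticket.
        context.DeserializeTicket(stored.SerializedTicket);
        return Task.FromResult(0);
    }

    // Hashing means a leaked store does not yield usable refresh tokens.
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
        }
    }
}

// Provider overrides needed for the refresh_token grant (hypothetical name). The base
// GrantRefreshToken does nothing, which rejects the grant; the member login grant
// (GrantResourceOwnerCredentials) is left to the existing ApplicationOAuthProvider.
public class RefreshGrantOAuthProvider : OAuthAuthorizationServerProvider
{
    private readonly string _publicClientId;

    public RefreshGrantOAuthProvider(string publicClientId) { _publicClientId = publicClientId; }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // A public client has no secret, so accept only the configured client_id
        // rather than any anonymous request to /Token.
        string clientId, clientSecret;
        if (context.TryGetFormCredentials(out clientId, out clientSecret) && clientId == _publicClientId)
            context.Validated(clientId);
        else
            context.SetError("invalid_client");
        return Task.FromResult(0);
    }

    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        // Re-issue the identity on a new ticket; the server then stamps a fresh access-token
        // expiry on it and calls RefreshTokenProvider.CreateAsync again (rotation).
        var identity = new ClaimsIdentity(context.Ticket.Identity);
        context.Validated(new AuthenticationTicket(identity, context.Ticket.Properties));
        return Task.FromResult(0);
    }
}
```

To use it, point `Provider` and `RefreshTokenProvider` in the `OAuthAuthorizationServerOptions` at these two classes and bring `AccessTokenExpireTimeSpan` down to minutes: with a 30-day access token there is nothing for the refresh token to do, and a stolen bearer token stays valid for a month with no server-side way to revoke it. Because the stored hash is removed on use, revoking a member's sessions is a delete of their rows in the store, and a refresh token that is presented twice is a signal worth logging.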
