Retrieve bearer token in ASP.NET WebAPI

Asked 10/9, 2014 at 11:53 Answered 15/12, 2023 at 17:58

I have a Web API with authentication enabled (bearer token). This is called by a client application and I want to protect it from anonymous usage so I would like to create a single user and create a bearer token for it.

I can create the token by calling the register and token methods, but I would like to do this from code.

As far as I know, the bearer token is not stored in the database. Can it be retrieved somehow using the ASP.NET Identity API?
I would also like to create this user from code and save the token somewhere because I need to deploy the database to multiple servers.

Tortricid answered 10/9, 2014 at 11:53 Comment(1)

I'd like to see a direct answer to the questions though. I'm doing something similar where I need to generate this token from my integration tests. – Rand 10/3, 2015 at 6:37

I do not recommend going with this approach if you have only one client who will talk to your API, my understanding that you need to issue a very very long lived access token maybe for a year and keep using this token to access the back-end API, right? What you will do if this token is stolen? You can't revoke the access token, so it is somehow like your master key (password). My recommendation is to use OAuth refresh tokens along with access tokens. This depends on the type of your client, you can check how this is done here http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ The refresh tokens can be revoked and they can expire after a very long time. Let me know if you need further details to implement this.

Retrace answered 12/9, 2014 at 1:32 Comment(2)

+1 for a good solution and very interesting blog. I haven't tried it, but is it possible to revoke access tokens changing the Security Stamp as this post suggests? #22756200. By the way, thank you for your amazing blog and for being now active on Stackoverflow. – Beluga 12/9, 2014 at 21:16

But what if I have an old app with thousands of users using bearer tokens and I just want to give them the possibility to blacklist other sessions? I see no harm storing a hash of a token in the DB and checking every time if a token is blacklisted. But I can't get access to raw token – Fustian 11/10, 2019 at 10:53

Create a Custom Authentication Attribute and store the token hashes for users. A user can have multiple tokens. Then you can let user do what he wants - log out all other sessions when password is changed or remove sessions selectively

  public class CustomAuthAttribute : System.Web.Http.AuthorizeAttribute
    {
        protected override bool IsAuthorized(HttpActionContext context)
        {
            var accessToken = HttpContext.Current.Request.Headers["Authorization"];
            var hash = accessToken.Md5();
            //store the hash for that user 
            //check if the hash is created before the password change or its session was removed by the user
            //store IP address and user agent 
            var isBlackListed = ...
            .....
            return !isBlackListed && base.IsAuthorized(context);

        }
    }

Fustian answered 11/10, 2019 at 19:59 Comment(0)

If you're needing to decode the token within a WebAPI Controller function, I found this worked:

String token = Request.Headers.Authorization.Parameter;
Microsoft.Owin.Security.AuthenticationTicket t = Startup.OAuthOptions.AccessTokenFormat.Unprotect(token);

Exactly answered 16/4, 2020 at 23:5 Comment(0)

This is my working solution. You can have it inside any of your Controller's endpoints.

string? token = Response.HttpContext.GetTokenAsync("access_token").Result;

Ng answered 15/12, 2023 at 17:58 Comment(0)

Recommended topics

Hot tags