I did a short analysis of “Claim-based-security for ASP.NET Web APIs using DotNetOpenAuth”.
A few things I tried to sort out are listed below:
Why I like this approach:
- It’s easy to implement for any API access based on client authentication, i.e. where the client that will consume the API is the party being authenticated.
- Simple flow, such as:
  - The client requests a token from the issuer; the issuer is actually the OAuth authorization server.
  - Using the OAuth AuthorizationServer class, which handles the token issuance request, producing and returning a token for a valid, authenticated request.
- Easy to configure the resource server to generate keys from the certificate.
- Single REST call based authentication.
- The overall process is short and effortless to integrate with a RESTful API using the Web API framework for client request authentication.
Why I am concerned about the following scenarios:
- Each and every client request will be treated as a new client and go through a fresh authentication process, that is:
  - This example simply verifies that a client has been registered to access the resource, rather than a specific user.
- How can we make a request to refresh the token? (We would need to implement the database part.)
- As per the current sample, considering the current flow, we would have to use Microsoft Windows Identity Foundation.
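An added example for the two concerns above (every request re-authenticating, and how to "refresh"); this is not code from DotNetOpenAuth or from the sample being discussed. It is a hypothetical client-side wrapper that assumes an OAuth 2.0 token endpoint accepting the client_credentials grant with HTTP Basic client authentication and returning the usual JSON body (access_token, token_type, expires_in), and it assumes System.Text.Json is available. The token endpoint URL, client id, secret and scope are supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical helper (not DotNetOpenAuth code): obtains a bearer token once
// with the client-credentials grant and reuses it until shortly before expiry,
// so the API client does not run the full authentication on every call.
public sealed class CachedClientCredentialsClient
{
    private readonly HttpClient _http;
    private readonly Uri _tokenEndpoint;        // assumed issuer token endpoint
    private readonly string _basicCredentials;  // base64(client_id:client_secret)
    private readonly string _scope;
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);

    private string _accessToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public CachedClientCredentialsClient(HttpClient http, Uri tokenEndpoint,
        string clientId, string clientSecret, string scope)
    {
        _http = http;
        _tokenEndpoint = tokenEndpoint;
        _basicCredentials = Convert.ToBase64String(
            Encoding.UTF8.GetBytes(clientId + ":" + clientSecret));
        _scope = scope;
    }

    // Returns the cached token while it is more than 60 s from expiry; otherwise
    // requests a new one. Only one caller at a time talks to the issuer, so a
    // burst of parallel API calls does not become a burst of token requests.
    public async Task<string> GetAccessTokenAsync(CancellationToken ct)
    {
        if (TokenStillValid()) return _accessToken;

        await _gate.WaitAsync(ct).ConfigureAwait(false);
        try
        {
            if (TokenStillValid()) return _accessToken; // refreshed while we waited

            using (var request = new HttpRequestMessage(HttpMethod.Post, _tokenEndpoint))
            {
                request.Headers.Authorization =
                    new AuthenticationHeaderValue("Basic", _basicCredentials);
                request.Content = new FormUrlEncodedContent(new[]
                {
                    new KeyValuePair<string, string>("grant_type", "client_credentials"),
                    new KeyValuePair<string, string>("scope", _scope),
                });

                using (var response = await _http.SendAsync(request, ct).ConfigureAwait(false))
                {
                    response.EnsureSuccessStatusCode();
                    string body = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
                    using (JsonDocument doc = JsonDocument.Parse(body))
                    {
                        JsonElement root = doc.RootElement;
                        // The client_credentials grant normally returns no refresh_token
                        // (RFC 6749, section 4.4.3): "refreshing" means authenticating
                        // again with the client secret, which is exactly this call.
                        int expiresIn = root.TryGetProperty("expires_in", out JsonElement e)
                            ? e.GetInt32() : 3600; // assumed default when the issuer omits it
                        _accessToken = root.GetProperty("access_token").GetString();
                        _expiresAt = DateTimeOffset.UtcNow.AddSeconds(expiresIn);
                    }
                }
            }
            return _accessToken;
        }
        finally
        {
            _gate.Release();
        }
    }

    // Calls the resource server with the bearer token. If the resource server
    // rejects it (for example after its signing key was rotated), drop the
    // cached token and re-authenticate once.
    public async Task<HttpResponseMessage> GetAsync(Uri resource, CancellationToken ct)
    {
        for (int attempt = 0; attempt < 2; attempt++)
        {
            string token = await GetAccessTokenAsync(ct).ConfigureAwait(false);
            var request = new HttpRequestMessage(HttpMethod.Get, resource);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            HttpResponseMessage response = await _http.SendAsync(request, ct).ConfigureAwait(false);
            if (response.StatusCode != HttpStatusCode.Unauthorized || attempt == 1)
                return response;
            response.Dispose();
            _expiresAt = DateTimeOffset.MinValue; // force re-authentication on retry
        }
        throw new InvalidOperationException("unreachable");
    }

    private bool TokenStillValid() =>
        _accessToken != null && DateTimeOffset.UtcNow < _expiresAt.AddSeconds(-60);
}
```

Usage is one instance per client credential, shared by all callers: `var api = new CachedClientCredentialsClient(httpClient, tokenUri, clientId, clientSecret, "read"); var resp = await api.GetAsync(resourceUri, ct);`. Note that this only changes how often the client authenticates; the token still carries the registered client's identity, not a user's, which is the limitation noted above.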