Authenticate a cookie based access_token
amccool opened this issue · 3 comments
I have a device flow application that saves a reference_token as a cookie. I see the access_token is an opaque number, and I have a good identity_token which is then saved to a cookie `SignInAsync("super-duper-device")`
via:
```csharp
.AddCookie("super-duper-device", options =>
{
    options.ForwardAuthenticate = "introspection";
})
.AddOAuth2Introspection("introspection")
```
with the default tokenretriever appears to only look at the `string authorization = request.Headers["Authorization"].FirstOrDefault();`
I noticed there are two TokenRetrievers available, `FromAuthorizationHeader` and `FromQueryString`. Neither works for my case.
What's the correct way to get the access_token from the cookie?
Using the following TokenRetrieval
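```csharp
using System;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public static class yabbadappa
{
    // Reads the cookie of the given cookie scheme and decrypts it into a ticket.
    // Unprotect returns null for a missing or tampered cookie and does not
    // check the ticket's expiry.
    private static AuthenticationTicket DecryptAuthCookie(HttpContext httpContext, string scheme)
    {
        var opt = httpContext.RequestServices
            .GetRequiredService<IOptionsMonitor<CookieAuthenticationOptions>>()
            .Get(scheme);
        var cookie = opt.CookieManager.GetRequestCookie(httpContext, opt.Cookie.Name);
        return opt.TicketDataFormat.Unprotect(cookie);
    }

    // Token retriever for AddOAuth2Introspection: returns the access_token stored
    // in the cookie ticket, or null when there is no usable cookie or token.
    public static Func<HttpRequest, string> FromCookie(string scheme)
    {
        return request =>
        {
            var ticket = DecryptAuthCookie(request.HttpContext, scheme);
            if (ticket != null &&
                ticket.Properties.Items.TryGetValue(".Token.access_token", out var accessToken))
            {
                return accessToken;
            }
            return null;
        };
    }
}
```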
with
```csharp
.AddOAuth2Introspection("reference-token", options =>
{
    options.TokenRetriever = yabbadappa.FromCookie(scheme: "super-duper-device");
})
```
is getting me a good opaque access_token.
So long as I am not wildly off track we can close this
sure. why not ;)
when @leastprivilege replies w emojis, it's safe to close the issue