IdentityModel/IdentityModel.AspNetCore.OAuth2Introspection

Authenticate a cookie based access_token

amccool opened this issue · 3 comments

I have a device flow application that saves a reference_token as a cookie. I see the access_token is an opaque number, and I have a good identity_token which is then saved to a cookie via SignInAsync("super-duper-device") with:

    .AddCookie("super-duper-device", options =>
    {
        options.ForwardAuthenticate = "introspection";
    })

.AddOAuth2Introspection("introspection") with the default tokenretriever appears to only look at the string authorization = request.Headers["Authorization"].FirstOrDefault();

I noticed there are two TokenRetrievers available, FromAuthorizationHeader and FromQueryString. Neither works for my case.

What's the correct way to get the access_token from the cookie?

Using the following TokenRetrieval

    using System;
    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Http;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.Options;

    public static class yabbadappa
    {
        // Decrypts the cookie issued by the named cookie scheme with that scheme's own
        // TicketDataFormat (the same data protector that protected it). Returns null when
        // the cookie is absent or cannot be unprotected (expired, tampered, other key ring).
        private static AuthenticationTicket DecryptAuthCookie(HttpContext httpContext, string scheme)
        {
            var opt = httpContext.RequestServices
                .GetRequiredService<IOptionsMonitor<CookieAuthenticationOptions>>()
                .Get(scheme);

            var cookie = opt.CookieManager.GetRequestCookie(httpContext, opt.Cookie.Name);
            if (string.IsNullOrEmpty(cookie))
            {
                return null;
            }

            // Unprotect returns null (not an exception) for an invalid or foreign cookie.
            return opt.TicketDataFormat.Unprotect(cookie);
        }

        // TokenRetriever for AddOAuth2Introspection: returns the access_token that was
        // stored in the ticket's properties (key ".Token.access_token"), or null so the
        // introspection handler treats the request as anonymous.
        public static Func<HttpRequest, string> FromCookie(string scheme)
        {
            return request =>
            {
                var ticket = DecryptAuthCookie(request.HttpContext, scheme);

                if (ticket?.Properties?.Items != null
                    && ticket.Properties.Items.TryGetValue(".Token.access_token", out var accessToken))
                {
                    return accessToken;
                }

                return null;
            };
        }
    }

with

    .AddOAuth2Introspection("reference-token", options =>
    {
        options.TokenRetriever = yabbadappa.FromCookie(scheme: "super-duper-device");
    })

is getting me a good opaque access_token.

So long as I am not wildly off track, we can close this.
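As an added example (not code from the issue or from the library), this is how the two halves fit together: the device-flow sign-in that stores the tokens in the ticket so ".Token.access_token" exists, and the scheme wiring that forwards cookie authentication to introspection. The scheme names follow the snippets above, `yabbadappa.FromCookie` is the retriever posted above, and the authority and client values are placeholders.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class DeviceCookieIntrospectionSetup
{
    // Wiring (assumed names): requests carrying the "super-duper-device" cookie are forwarded
    // to the "reference-token" introspection handler, which pulls the opaque access_token out
    // of the cookie via FromCookie and validates it against the authority on every request.
    // The resulting principal comes from the introspection response, not from the cookie.
    public static IServiceCollection AddDeviceCookieIntrospection(this IServiceCollection services)
    {
        services.AddAuthentication("super-duper-device")
            .AddCookie("super-duper-device", options =>
            {
                options.ForwardAuthenticate = "reference-token";
            })
            .AddOAuth2Introspection("reference-token", options =>
            {
                options.Authority = "https://<authority-placeholder>";   // placeholder
                options.ClientId = "<api-resource-name-placeholder>";    // placeholder
                options.ClientSecret = "<api-resource-secret-placeholder>"; // placeholder
                options.TokenRetriever = yabbadappa.FromCookie(scheme: "super-duper-device");
            });

        return services;
    }

    // After the device flow completes, sign the user in with the tokens stored in the
    // ticket properties. StoreTokens writes them under ".Token.<name>", which is the
    // key FromCookie reads back. Hypothetical helper; the caller supplies the tokens.
    public static Task SignInDeviceUserAsync(HttpContext httpContext, ClaimsPrincipal user,
                                             string accessToken, string idToken)
    {
        var props = new AuthenticationProperties();
        props.StoreTokens(new[]
        {
            new AuthenticationToken { Name = "access_token", Value = accessToken },
            new AuthenticationToken { Name = "id_token", Value = idToken },
        });

        return httpContext.SignInAsync("super-duper-device", user, props);
    }
}
```

Because the cookie scheme forwards authentication, revoking the reference token at the authority invalidates the session on the next request even though the cookie itself is still valid.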

sure. why not ;)

when @leastprivilege replies w emojis, it's safe to close the issue