Tuesday, May 26, 2015

Web API Resource Owner Password Flow : Returning Additional Properties along with Access Token

Web API uses the Resource Owner Password Flow defined in OAuth2. This is a quick post on how you can return additional properties when an access token is requested by calling the token endpoint with a "grant_type" of "password".

When you create an ASP.NET Web API project, there will be a class named “ApplicationOAuthProvider” under the “Providers” folder inside the project. As you know, the method that gets called when the token endpoint is called is “GrantResourceOwnerCredentials”, and it returns a Task. This is how you can include additional properties about the resource owner along with the access token: simply add the values to the AuthenticationProperties dictionary to store them as state values about the authenticated session.
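// Inside GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
ClaimsIdentity identity = new ClaimsIdentity(OAuthDefaults.AuthenticationType);

// State values about the authenticated session (sample values)
AuthenticationProperties properties = new AuthenticationProperties();
properties.Dictionary.Add("UserName", "jaliya.udagedara");
properties.Dictionary.Add("UserId", "1");
properties.Dictionary.Add("TwoFactorAuthenticationEnabled", "True");

// Issue the ticket that carries the identity and the properties
AuthenticationTicket ticket = new AuthenticationTicket(identity, properties);
context.Validated(ticket);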

This is what the result looks like.
[Image: Result]
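The properties reach the client because the project template's ApplicationOAuthProvider also overrides TokenEndpoint and copies every entry of the properties dictionary into the JSON token response, so anything added there is readable by the caller. The following is an added example, not the template's or the author's code: it validates the credentials and echoes only an allow-list of keys; AllowListedOAuthProvider, AppUser and the validateUser delegate are assumed names.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// Assumed types for this example: AppUser and the validateUser delegate are not part of the template.
public class AppUser { public string Id { get; set; } public string UserName { get; set; } public bool TwoFactorEnabled { get; set; } }

public class AllowListedOAuthProvider : OAuthAuthorizationServerProvider
{
    // Only these keys are copied into the token response; other entries stay inside the protected ticket.
    private static readonly HashSet<string> PublicKeys = new HashSet<string>
        { "UserName", "UserId", "TwoFactorAuthenticationEnabled" };
    // Application-supplied credential check; returns null when the login fails.
    private readonly Func<string, string, Task<AppUser>> _validateUser;
    public AllowListedOAuthProvider(Func<string, string, Task<AppUser>> validateUser) { _validateUser = validateUser; }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // assumption: a public client that sends no client credentials
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        AppUser user = await _validateUser(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        var identity = new ClaimsIdentity(OAuthDefaults.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
        var properties = new AuthenticationProperties();
        properties.Dictionary.Add("UserName", user.UserName);
        properties.Dictionary.Add("UserId", user.Id);
        properties.Dictionary.Add("TwoFactorAuthenticationEnabled", user.TwoFactorEnabled.ToString());
        context.Validated(new AuthenticationTicket(identity, properties));
    }

    public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    {
        foreach (KeyValuePair<string, string> p in context.Properties.Dictionary)
            if (PublicKeys.Contains(p.Key)) context.AdditionalResponseParameters.Add(p.Key, p.Value);
        return Task.FromResult<object>(null);
    }
}
```

The provider is registered through the Provider property of OAuthAuthorizationServerOptions.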
Hope this helps.

Happy Coding.

Regards,
Jaliya