Monday, September 2, 2013

One way to avoid persisting any token-related information in the OAuth provider is to compute a cryptographic hash over the parameters supplied in the token request together with a timestamp. Because the hash is produced by the server's cryptography provider with a key the client never sees, it is opaque to the client. If it is opaque, I assumed I could encrypt and decrypt the userId and the clientId on the server side, so that the clients can use the ciphertext as the OAuth access token while the server can easily decrypt the token to learn the userId and the clientId.
    using System;
    using System.Text;
    using System.Security.Cryptography;

    // RSA key pair held by the OAuth provider; the client never sees the private key.
    var provider = new RSACryptoServiceProvider(2048);

    string data = "your_data_here";   // placeholder for the parameters of the token request
    DateTime now = DateTime.UtcNow;
    string timestamp = now.ToString("yyyy-MM-ddTHH:mm:ssZ");
    string signMe = data + timestamp;
    byte[] bytesToSign = Encoding.UTF8.GetBytes(signMe);

    // Encrypt with OAEP padding (second argument true); the ciphertext differs on every call.
    var encryptedBytes = provider.Encrypt(bytesToSign, true);

    // Round-trip check: only the holder of the private key can recover the plaintext.
    string decryptedTest = Encoding.UTF8.GetString(provider.Decrypt(encryptedBytes, true));

However, after writing the post above I tried it out and found that the encoded string is not what I was looking to pass around as a token. Instead a hash will do. A hash can be computed like this:

    using System;
    using System.Text;
    using System.Security.Cryptography;

    static string ComputeTokenHash(string content)
    {
        // Key = fixed secret + issue time to the second; a verifier can only recompute
        // this hash if it knows the exact second the token was issued.
        byte[] secretKeyBytes = Encoding.UTF8.GetBytes("Ada Lovelace" + DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ssZ"));
        byte[] bytesToSign = Encoding.UTF8.GetBytes(content);
        using (HMAC hmacSha256 = new HMACSHA256(secretKeyBytes))
            return Convert.ToBase64String(hmacSha256.ComputeHash(bytesToSign));
    }

The only thing is that the RFC (RFC 6749, section 1.4) says the access token may self-contain the authorization information in a verifiable manner, for example as a token string consisting of some data and a signature. If we were to do that, the data part must consist only of public strings: the signature stops a client from altering it, but anyone holding the token can read it, so nothing secret belongs in it.
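As an added example that is not part of the original post, here is the data-plus-signature shape of such a self-verifiable token in Python. It also serves as a corrected form of the HMAC computation above: the issue timestamp goes into the signed data instead of into the key, so a fixed server secret can recompute the HMAC at verification time. `SERVER_SECRET`, the field names `uid`/`cid`/`iat`/`exp` and the sample identifiers are all assumed for this illustration; the payload is only base64url-encoded, not encrypted, so it is readable by anyone holding the token.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side secret for this example only; in practice load it from a
# secret store. It must never be derived from anything the client supplies.
SERVER_SECRET = b"constructed-server-secret-for-this-example"


def _b64url(raw: bytes) -> str:
    """base64url without padding, so the token is safe in URLs and headers."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, client_id, issued_at, ttl_seconds=3600, secret=SERVER_SECRET):
    """Build '<data>.<signature>' where data is the public payload and signature is HMAC-SHA256."""
    payload = {"uid": user_id, "cid": client_id, "iat": issued_at, "exp": issued_at + ttl_seconds}
    # Canonical JSON so the same payload always yields the same bytes (and signature).
    data = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    sig = hmac.new(secret, data, hashlib.sha256).digest()
    return _b64url(data) + "." + _b64url(sig)


def verify_token(token, now, secret=SERVER_SECRET):
    """Return the payload if the signature matches and the token is unexpired, else None."""
    try:
        data_part, sig_part = token.split(".")
        data = _b64url_decode(data_part)
        sig = _b64url_decode(sig_part)
    except (ValueError, TypeError):        # malformed structure or base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret, data, hashlib.sha256).digest()
    # Constant-time comparison so timing differences do not leak how many bytes matched.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        payload = json.loads(data)
    except ValueError:
        return None
    if now >= payload.get("exp", 0):
        return None
    return payload


def forge_uid(token, new_uid):
    """What an attacker can do with a readable payload: rewrite uid but keep the old signature."""
    data_part, sig_part = token.split(".")
    payload = json.loads(_b64url_decode(data_part))
    payload["uid"] = new_uid
    forged = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return _b64url(forged) + "." + sig_part


if __name__ == "__main__":
    # Constructed sample: issued at a fixed Unix time so the run is reproducible.
    token = issue_token("alice", "mobile-app", issued_at=1378080000)
    print("token:", token)
    print("valid:", verify_token(token, now=1378080010))
    print("expired:", verify_token(token, now=1378083600))
    print("forged:", verify_token(forge_uid(token, "bob"), now=1378080010))
```

Because the provider keeps no per-token state, revocation before expiry is not possible with this scheme alone; a short `exp` limits the damage, and anything the provider must be able to revoke needs a server-side record after all.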
