Question

I know what the concept of OAuth is: the user sends a request to the server with grant type, username and password, and after some checks on the server, the user receives an access token. What I cannot understand is why I should do this:

        ClaimsIdentity oAuthIdentity = await _userManager.CreateIdentityAsync(user,
            context.Options.AuthenticationType);
        var ticket = new AuthenticationTicket(oAuthIdentity, GenerareProperties(user));
        context.Validated(ticket);

What is CreateIdentityAsync returning? What is an AuthenticationTicket? What does context.Validated do? Also, if I have oAuthIdentity, why should I also use cookiesIdentity? And finally, where is the access token being generated?

I searched but cannot find a website that explains this.


Solution

CreateIdentityAsync will return the ClaimsIdentity to be used in the ClaimsPrincipal of the running context, which is further abstracted in...

An AuthenticationTicket is just a packaging of exactly what is passed in, for convenience.

context.Validated will add the information in the ticket to the current principal, and allow the OWIN pipeline to continue instead of returning a 401.

The reason for the cookiesIdentity is to allow authentication from the MVC pages in the template. It really is not used for the WebApi.

Some sources for further reading:

  • Here is a nice article that describes the template from the RC, which was similar
  • Also here are two blogs where their authors break down parts of .NET security that might seem obscure
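
The password-grant flow discussed above, as an added example that is not part of the question, the answer or the project template. It assumes the Microsoft.Owin.Security.OAuth package; `DemoOAuthProvider`, `DemoOAuthSetup`, the `verifyPassword` delegate and the `/Token` path are hypothetical names chosen for illustration.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical provider: the credential check is injected, so no user store is assumed.
public class DemoOAuthProvider : OAuthAuthorizationServerProvider
{
    private readonly Func<string, string, bool> _verifyPassword;
    public DemoOAuthProvider(Func<string, string, bool> verifyPassword) { _verifyPassword = verifyPassword; }
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // accept requests that carry no client credentials (public client)
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!_verifyPassword(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect."); // no token issued
            return Task.FromResult(0);
        }
        // Claims describing the caller; they travel inside the token.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        // Validated(ticket) hands the ticket to the middleware, which serializes and
        // protects it with Options.AccessTokenFormat; that string is the access_token.
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
        return Task.FromResult(0);
    }
}
public static class DemoOAuthSetup
{
    public static void Configure(IAppBuilder app, Func<string, string, bool> verifyPassword)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new DemoOAuthProvider(verifyPassword),
            AllowInsecureHttp = false // token requests carry the password, so HTTPS only
        });
        // Reads "Authorization: Bearer <token>", unprotects the ticket and restores the identity.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
```

With the default options the access token is the encrypted, serialized ticket rather than a random lookup key, so every claim placed on the identity is carried in each request.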
Licensed under: CC-BY-SA with attribution