Question

I am planning to expose an existing ASP.NET WebAPI API to mobile applications. I'd like to use OAuth2 resource owner password credentials flow via Dotnetopenauth so that users can enter their username and password into our mobile application login screen (rather than opening up a screen in a web viewer, etc.) and receive an authentication token.

As such, our setup is as follows:

  • Resource Server - An API built with ASP.NET Web API
  • Client - A mobile application
  • Resource Owner - The end user

I've been playing with the OAuth2ProtectedWebApi sample and while I understand what it is doing I'm not sure how to convert this to the resource owner password credentials flow.

My questions are:

  • Should I post a request directly from my login page to the TokenController, bypassing the UserController in this example completely?
  • In a resource owner password credentials flow, where should authorization be accomplished? For example, in order to validate the username:password against Active Directory or a database, where should the logic be placed in such a flow?

Any suggestions would be greatly appreciated,

Thanks

JP


Solution

Why do you want to use DNOA? Resource owner flow is now part of Web API v2 - and quite easy to implement.

I wrote a walkthrough here: http://leastprivilege.com/2013/11/13/embedding-a-simple-usernamepassword-authorization-server-in-web-api-v2/

The article describes the flow and where to do user authentication.
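As an added illustration of what the answer means by "part of Web API v2" (this is example code written for this page, not the linked walkthrough's code and not the DNOA sample): the OWIN middleware in Microsoft.Owin.Security.OAuth exposes a `/token` endpoint, and the username/password check from the second question lives in the `GrantResourceOwnerCredentials` override. The `IUserStore` interface, the `InMemoryUserStore` with its single constructed account, and the `AuthServer` namespace are assumptions made for the example; the OWIN and OAuth types are the real ones from the `Microsoft.Owin.Security.OAuth` package.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(AuthServer.Startup))]

namespace AuthServer
{
    // Hypothetical abstraction over the credential store (Active Directory, SQL, ...).
    public interface IUserStore
    {
        // Returns true only when the password matches the stored hash for this user.
        Task<bool> ValidateCredentialsAsync(string userName, string password);
    }

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var options = new OAuthAuthorizationServerOptions
            {
                // The mobile app POSTs here: grant_type=password&username=...&password=...
                // as application/x-www-form-urlencoded, and gets a bearer token back.
                TokenEndpointPath = new PathString("/token"),
                Provider = new PasswordGrantProvider(new InMemoryUserStore()),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
                // Passwords travel in the request body, so never allow plain HTTP.
                AllowInsecureHttp = false
            };
            app.UseOAuthAuthorizationServer(options);
            // Validates the bearer token on every subsequent Web API call.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        }
    }

    public class PasswordGrantProvider : OAuthAuthorizationServerProvider
    {
        private readonly IUserStore _users;
        public PasswordGrantProvider(IUserStore users) { _users = users; }

        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            // A mobile app is a public client: it cannot keep a client secret, so a
            // secret would add no security. Accept the client and let the user
            // credentials decide the outcome.
            context.Validated();
            return Task.FromResult(0);
        }

        public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            // This override is where the username/password validation belongs.
            if (!await _users.ValidateCredentialsAsync(context.UserName, context.Password))
            {
                // Same generic error for unknown user and wrong password.
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }

            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
            context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
        }
    }

    // Constructed sample store with one account. It shows the shape of a proper
    // check (salted PBKDF2 hash, fixed-time comparison); replace it with your AD or
    // database lookup.
    public class InMemoryUserStore : IUserStore
    {
        private const string User = "alice";
        private static readonly byte[] Salt = Encoding.UTF8.GetBytes("constructed-salt");
        private static readonly byte[] Hash = Derive("correct horse battery staple");

        public Task<bool> ValidateCredentialsAsync(string userName, string password)
        {
            if (userName != User || password == null) return Task.FromResult(false);
            return Task.FromResult(FixedTimeEquals(Derive(password), Hash));
        }

        private static byte[] Derive(string password)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, Salt, 100000))
                return kdf.GetBytes(32);
        }

        // Compare every byte so timing does not reveal where the mismatch is.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

With this in place there is no separate "UserController" step at all: the login screen posts the form to `/token`, the provider validates the credentials, and the resulting bearer token is sent in the `Authorization` header of each API call, which `UseOAuthBearerAuthentication` checks before `[Authorize]` attributes run.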

Licensed under: CC-BY-SA with attribution