I have built an OAuth2.0 Authorization server using dotnetopenauth that will manage authentication, authorization, and assign accessToken to the caller. The caller will use the a
Just some update:

I didn't use the AuthenticateAttribute or RequiredRoleAttribute from ServiceStack.ServiceInterface. I created 2 custom RequestFilterAttributes to replace the functions provided by AuthenticateAttribute and RequiredRoleAttribute. In each custom RequestFilterAttribute's Execute method, I'm using a method in dotnetopenauth to verify the access token.
The code for the access token verification is as follows; refer to the relevant documentation from both servicestack and dotnetopenauth for more info. ResourceServer is a class from dotnetopenauth.

```csharp
// httpReq == req from Execute(IHttpRequest req, IHttpResponse res, object requestDto)
HttpRequestBase reqBase = new HttpRequestWrapper((System.Web.HttpRequest)httpReq.OriginalRequest);
// The analyzer takes the authorization server's public signing key and the resource server's private decryption key
var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(AuthorizationServerPublicKey, ResourceServerPrivateKey));
IPrincipal ip = null;
// Verifies the bearer token on the request and fills in the principal it represents
resourceServer.VerifyAccess(reqBase, out ip);
```
If the ip is null then the request is not authenticated; if it is not null, the incoming request is valid and I can use the ip to check the role, e.g. ip.IsInRole(requiredRole).

I'm not sure whether this is the correct way to do the checking or not, but it works for me. Any better solutions are welcome.
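Added example (not from the original post, and not code from ServiceStack or DotNetOpenAuth): one way to put the check above into a single reusable request filter that also handles the failure path, so the service is never reached with a null principal. It assumes the DotNetOpenAuth 4.0/4.1 `VerifyAccess(HttpRequestBase, out IPrincipal)` overload the post uses, which returns a non-null error response when the token is rejected, a ServiceStack v3 `RequestFilterAttribute`, and a hypothetical `OAuthKeys` holder for the two RSA keys. A failed `IsInRole` is answered with 403 and the RFC 6750 `insufficient_scope` error, on the assumption that the principal DotNetOpenAuth builds from the token reports the token's granted scopes as roles; verify that against the version you run.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using DotNetOpenAuth.OAuth2;
using ServiceStack.ServiceHost;
using ServiceStack.ServiceInterface;

// Hypothetical holder for the two RSA keys the post calls
// AuthorizationServerPublicKey and ResourceServerPrivateKey. How they are
// loaded (certificate store, key file, ...) is outside this example.
public static class OAuthKeys
{
    public static RSACryptoServiceProvider AuthorizationServerPublicKey { get; set; }
    public static RSACryptoServiceProvider ResourceServerPrivateKey { get; set; }
}

/// <summary>
/// Requires a valid DotNetOpenAuth access token and, optionally, that the
/// resulting principal is in every listed role.
/// Use as [RequireAccessToken] or [RequireAccessToken("admin")].
/// </summary>
public class RequireAccessTokenAttribute : RequestFilterAttribute
{
    private readonly string[] requiredRoles;

    public RequireAccessTokenAttribute(params string[] requiredRoles)
    {
        this.requiredRoles = requiredRoles ?? new string[0];
    }

    public override void Execute(IHttpRequest req, IHttpResponse res, object requestDto)
    {
        var reqBase = new HttpRequestWrapper((HttpRequest)req.OriginalRequest);
        var resourceServer = new ResourceServer(
            new StandardAccessTokenAnalyzer(OAuthKeys.AuthorizationServerPublicKey,
                                            OAuthKeys.ResourceServerPrivateKey));

        // Assumed DotNetOpenAuth 4.0/4.1 behaviour: VerifyAccess returns a
        // non-null OutgoingWebResponse (the error to send back) when the token
        // is missing, expired, or fails signature/decryption. Check that as
        // well as the principal rather than relying on a null principal alone.
        IPrincipal principal;
        var error = resourceServer.VerifyAccess(reqBase, out principal);
        if (error != null || principal == null || principal.Identity == null
            || !principal.Identity.IsAuthenticated)
        {
            Reject(res, 401, "Unauthorized", "Bearer error=\"invalid_token\"");
            return;
        }

        // Token is valid; now every required role must be present.
        foreach (var role in requiredRoles)
        {
            if (!principal.IsInRole(role))
            {
                Reject(res, 403, "Forbidden", "Bearer error=\"insufficient_scope\"");
                return;
            }
        }

        // Hand the verified principal to the service so it does not re-verify.
        req.Items["OAuthPrincipal"] = principal;
    }

    // Short-circuit the request: ServiceStack skips the service once a
    // request filter has closed the response.
    private static void Reject(IHttpResponse res, int statusCode, string description, string challenge)
    {
        res.StatusCode = statusCode;
        res.StatusDescription = description;
        res.AddHeader("WWW-Authenticate", challenge);
        res.Close();
    }
}
```

Constructing the ResourceServer per request is what the post does; if the keys never change it can be created once and cached in a static field, since it holds no per-request state.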