OAuth custom provider c#

Front-end  Open  1  556
忘掉有多难 2021-02-03 13:40

I need to create my own OAuth provider to validate third-party application requests; I do not want to use the Google, Twitter, LinkedIn or Microsoft providers. I have to create my

1 answer
  •  说谎 (OP)
    2021-02-03 13:47

    As Roland said, if you get through the spec it is pretty straightforward.

    At a high level, this is what you will need to do to support the AuthCode grant pattern:

    Assuming: your application owns the users.

    • Issue a client ID/secret to each of the 3rd-party applications.
    • On your server, create endpoints for
      • authorize
      • token

    When the client hits the authorize endpoint like below:

    /authorize?response_type=code&client_id=&state=xyz&redirect_uri=http://thirdparty.com

    • Redirect the client to a login page.
    • Validate the username/password provided by the user.
    • If successful, call the 3rd-party client's redirect URI with the auth code.
    • If it fails, call the 3rd-party client's redirect URI with an error (pre-published).

    Sample callback here: https://thirdparty.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

    The client will then call the /token URI with the auth code, with something like below:

    /token?grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=http://thirdparty.com
    

    Generate a token, store it against the client ID and user ID, and respond back with the token. Something like below:

    {
       "access_token":"2YotnFZFEjr1zCsicMWpAA",
       "token_type":"example",
       "expires_in":3600,
       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
       "example_parameter":"example_value"
    }
    

    When the 3rd party accesses your services/resources, validate the token against the client and user ID and grant or deny access.

    This is to get started, but there is a lot more customization you can do with scope and other OAuth2 patterns.
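The four steps of the answer above as one added, language-neutral sketch of the server-side state (example code written for this page, not the asker's C# project and not from the answer): client registration, the authorize step after login, the token exchange that re-checks the code's bindings and consumes it, and the lookup a resource server does. Class and method names, TTLs and the in-memory dicts are all assumptions; a real server would persist them and add scope handling.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

def _hash(secret):
    return hashlib.sha256(secret.encode()).hexdigest()
class AuthCodeServer:
    CODE_TTL = 60      # codes are single-use and short-lived (assumed value)
    TOKEN_TTL = 3600   # matches expires_in in the sample response above

    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {}  # client_id -> {"secret_hash", "redirect_uri"}
        self.codes = {}    # code -> {"client_id", "user_id", "redirect_uri", "exp"}
        self.tokens = {}   # access_token -> {"client_id", "user_id", "exp"}

    def register_client(self, client_id, client_secret, redirect_uri):
        # Step 1: issue client_id/secret and pin the redirect URI at registration
        self.clients[client_id] = {"secret_hash": _hash(client_secret), "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, state, user_id):
        # Step 2: called once the user has logged in; user_id is the authenticated user.
        # redirect_uri must equal the registered one, otherwise do not redirect at all.
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_client_or_redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "user_id": user_id,
                            "redirect_uri": redirect_uri, "exp": self.clock() + self.CODE_TTL}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        # Step 3: re-check every binding made in authorize(); pop() makes a replayed code fail.
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret_hash"], _hash(client_secret)):
            return {"error": "invalid_client"}
        grant = self.codes.pop(code, None)
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["exp"] < self.clock()):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "user_id": grant["user_id"],
                                     "exp": self.clock() + self.TOKEN_TTL}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": self.TOKEN_TTL}

    def introspect(self, access_token):
        # Step 4: the resource server looks up which client/user the token was issued to
        t = self.tokens.get(access_token)
        return None if t is None or t["exp"] < self.clock() else {"client_id": t["client_id"], "user_id": t["user_id"]}
```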
