I am attempting to decouple my auth and resource server. I am following the example provided in this tutorial:
http://bitoftech.net/2014/09/24/decouple-owin-authoriz
June 6 2018 update - using the latest WebAPI and OWIN packages.
I've been banging my head against this problem for more than I would like to admit. None of the above suggestions worked for me; things suddenly started working once I added a certain project dependency that I wasn't even using in my code: the Microsoft.Owin.Host.SystemWeb NuGet package. This setup is way too finicky and black-boxed for my taste; I don't know why it works like this, but here's what I did.
The minimal setup that I needed for the resource service (the authentication/token service was already set up):

1. The Microsoft.Owin.Security.OAuth and Microsoft.Owin.Host.SystemWeb packages.

2. Create a Startup.cs file with the following content:

    using Microsoft.Owin;
    using Owin;
    using Microsoft.Owin.Security.OAuth;

    [assembly: OwinStartup(typeof(MyProject.Startup))]

    namespace MyProject
    {
        public class Startup
        {
            public void Configuration(IAppBuilder app)
            {
                // Consume bearer tokens issued by the separate auth server.
                app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions { });
            }
        }
    }

3. Add the following to your Web.config file in the <appSettings> section:

    <add key="owin:appStartup" value="MyProject.Startup" />

4. Add a machineKey entry to your Web.config file in the <system.web> section. If you need to generate it, search around; there is a lot of info on that out there. You can use this as a starting point: http://bitoftech.net/2014/09/24/decouple-owin-authorization-server-resource-server-oauth-2-0-web-api/

5. Add the [Authorize] attribute to your controllers/routes.

In your OwinStartup class, IAppBuilder.UseOAuthBearerTokens() needs to be called BEFORE IAppBuilder.UseWebApi():
    public void Configuration(IAppBuilder app)
    {
        // Token middleware first, Web API last.
        app.UseOAuthBearerTokens(...);
        app.UseWebApi(...);
    }
I was also receiving the error message 'Authorization has been denied for this request', although I don't have separate auth and resource servers.
I am using Ninject's OwinHost and had it configured in Startup before configuring OAuth, as follows:
    public void Configuration(IAppBuilder app)
    {
        var config = new HttpConfiguration();
        // Ninject middleware registered before OAuth (this ordering failed)
        app.UseNinjectMiddleware(() =>
        {
            var kernel = new StandardKernel();
            kernel.Load(Assembly.GetExecutingAssembly());
            return kernel;
        }).UseNinjectWebApi(config);
        ConfigureOAuth(app);
        WebApiConfig.Register(config);
        app.UseCors(CorsOptions.AllowAll);
        app.UseWebApi(config);
    }
I found that moving the Ninject configuration to the end resolved the problem, like so:
    public void Configuration(IAppBuilder app)
    {
        var config = new HttpConfiguration();
        ConfigureOAuth(app);
        WebApiConfig.Register(config);
        app.UseCors(CorsOptions.AllowAll);
        app.UseWebApi(config);
        // Ninject middleware registered last (this ordering worked)
        app.UseNinjectMiddleware(() =>
        {
            var kernel = new StandardKernel();
            kernel.Load(Assembly.GetExecutingAssembly());
            return kernel;
        }).UseNinjectWebApi(config);
    }
Maybe your problem is to do with the startup order of your middleware.
I just came across the same problem and found the solution:
You need to register the OAuth Token Generator and OAuth Token Consumer things before WebAPI is registered.
Kind of makes sense if you think of this as a pipeline, where Authentication/Authorization should come before any request handling by the controllers.
TL;DR: Change

    appBuilder.UseWebApi(config);
    this.ConfigureOAuthTokenGenerator(appBuilder);
    this.ConfigureOAuthConsumer(appBuilder);

To

    this.ConfigureOAuthTokenGenerator(appBuilder);
    this.ConfigureOAuthConsumer(appBuilder);
    appBuilder.UseWebApi(config);
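Putting the ordering advice from the last three answers together, here is an added example (not code from the question or from any answer above) of a resource-server Startup that registers the bearer-token consumer ahead of CORS and Web API, plus a hypothetical WhoAmIController that echoes the claims the server extracted from the token, so you can confirm a token is accepted before wiring up real controllers. The namespace ResourceServer and the controller are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(ResourceServer.Startup))]

namespace ResourceServer
{
    // Hypothetical resource-server startup. Middleware order is the point:
    // the bearer-token consumer must run before Web API, otherwise the
    // [Authorize] filter sees an anonymous principal and returns 401.
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();

            // 1. Token consumer first. Under the SystemWeb host the default
            //    data protector is backed by machineKey, so this server's
            //    Web.config needs the same <machineKey> as the auth server.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            // 2. CORS before Web API so preflight requests are answered.
            //    AllowAll as in the answers above; narrow the origins in production.
            app.UseCors(CorsOptions.AllowAll);

            // 3. Web API last; it terminates the pipeline.
            app.UseWebApi(config);
        }
    }

    // Smoke-test endpoint (assumed name): lists the claims the resource server
    // read from the bearer token. A 401 here means the token was not accepted.
    [Authorize]
    [RoutePrefix("api/whoami")]
    public class WhoAmIController : ApiController
    {
        [HttpGet, Route("")]
        public IHttpActionResult Get()
        {
            var identity = User.Identity as ClaimsIdentity;
            if (identity == null) return Unauthorized();
            return Ok(identity.Claims.Select(c => new { c.Type, c.Value }));
        }
    }
}
```

Call GET /api/whoami with an Authorization: Bearer header holding a token from the auth server; a 200 with the expected claims confirms the machineKey and package versions match on both sides.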
I was facing exactly the same problem in the last couple of days. Although I host both applications on the same machine (different ports), it didn't work without adding the machine key to both web.config files and making sure that the same package version numbers are installed in both applications.
For me, the problem was a mismatched version number in the Owin packages:

    <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
    </dependentAssembly>
    <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security.OAuth" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
    </dependentAssembly>
    <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security.Cookies" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
    </dependentAssembly>
    <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
    </dependentAssembly>
After updating the required older packages, everything worked like a charm. :)