I have some questions related to bearer tokens. In OWIN you can protect a ticket with Protect(ticket)
like this:
ClaimsIdentity identity = new ClaimsIdent
How is this token generated/encrypted?
The data protection provider can be set using the SetDataProtectionProvider extension method on the IAppBuilder object. When this is not done, the data protection provider of the host is used. In the case of IIS + ASP.NET, this is MachineKeyDataProtector in the assembly Microsoft.Owin.Host.SystemWeb. For self-hosting, this will be DPAPI. Basically, the token is encrypted and then MACed, and that is what Protect() is all about.
Are there any chances that somebody can try to mess up with the token and add some custom claims to it?
No. This is not possible. A token protected on one machine cannot be unprotected somewhere else. An exception to that will be the case of a web farm where you have multiple machines. One machine can protect and, if the subsequent request goes to some other machine, that machine should have the ability to unprotect. With DPAPI, this is not possible. With MachineKeyDataProtector, this is possible by having the same machineKey section on all the machines. But then, if you are concerned about some MITM being able to do this, then no, it is not possible.