In what seems like an elementary scenario, calling a GET method in my OAuth2/OWIN-protected server prevents the server from receiving the Windows identity on subsequent POSTS to the /token endpoint. What am I doing wrong?
This is a Web API service that includes an embedded OAuth2 authorization server and Microsoft's OWIN pipeline.
The authorization server provider inherits from OAuthAuthorizationServerProvider, and is installed in my Startup class. It overrides both GrantResourceOwnerCredentials (for username/password authentication) and GrantClientCredentials (for the client_credentials grant_type).
Here's the problem. If I configure the service for Windows authentication the following ensues.
1. Client POSTs to my /token endpoint to get a token.
2. Client's Windows identity arrives at the server in the GrantClientCredentials method's context parameter (specifically, context.Request.User). I can give him an appropriate token using context.Validated(id), where id is a ClaimsIdentity appropriate to his credentials.
3. Let's say client even POSTs again to get another token. Again, his credentials come to the server in context.Request.User. All is well.
4. Client does a GET to my API endpoint, including the token.
5. Server can inspect the claims in the token. All is still well.
6. Either the same client or a different client POSTs to get another token.
7. This time, context.Request.User arrives as null. PROBLEM!!!
8. If I restart the server, everything is set right. Restarting the browser does not help.
These symptoms happen whether running with IIS Express or real IIS.
The problem exists only for Windows authentication. When Anonymous authentication is turned on and a username/password duo passed, the credentials arrive safely in step 7.
FWIW, I have not yet programmed anything pertaining to a client_id or "secret". Still working on figuring that part out. If that's the problem, I'd appreciate help in how to issue a client_id and secret.
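The setup the question describes, written out as an added example (this is not the asker's provider, which is not shown, and it does not explain why Request.User turns null after the GET). The class names WindowsAuthServerProvider and Startup, the caller-supplied username/password delegate, the always-false placeholder lambda passed to it, the exact claims copied from the Windows identity, and a ValidateClientAuthentication that accepts every client because no client_id or secret exists yet are all assumptions. The one check worth carrying over is in GrantClientCredentials: a null or unauthenticated Request.User is turned into an explicit invalid_grant error instead of a token minted on an empty identity, so the symptom in step 7 surfaces as a rejected request rather than a silently wrong token.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Added example, not the question's code: an embedded OWIN OAuth2 authorization
// server whose client_credentials grant is satisfied by the caller's Windows
// identity and whose password grant is checked by a host-supplied delegate.
public class WindowsAuthServerProvider : OAuthAuthorizationServerProvider
{
    // Hypothetical username/password check supplied by the host (a membership
    // store, for instance); kept outside the provider so nothing here pretends
    // to be a real credential store.
    private readonly Func<string, string, bool> _validateCredentials;

    public WindowsAuthServerProvider(Func<string, string, bool> validateCredentials)
    {
        _validateCredentials = validateCredentials;
    }

    // Assumption: no client_id/secret yet (as in the question), so every client is
    // accepted. A production server would call TryGetBasicCredentials or
    // TryGetFormCredentials and compare the secret before calling Validated().
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
        return Task.FromResult(0);
    }

    public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
    {
        // With Windows authentication enabled the host populates Request.User before
        // the token endpoint runs. Never assume it is there: a null or unauthenticated
        // principal is rejected rather than turned into a token.
        IPrincipal principal = context.Request.User;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            context.SetError("invalid_grant", "No authenticated Windows identity on the request.");
            return Task.FromResult(0);
        }

        // Build a fresh ClaimsIdentity for the ticket instead of reusing the
        // WindowsIdentity, so its AuthenticationType matches the bearer middleware.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, principal.Identity.Name));
        identity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, principal.Identity.AuthenticationType));

        // Carry the caller's SID as well so the token is bound to the account, not just its display name.
        var windowsIdentity = principal.Identity as WindowsIdentity;
        if (windowsIdentity != null && windowsIdentity.User != null)
        {
            identity.AddClaim(new Claim(ClaimTypes.PrimarySid, windowsIdentity.User.Value));
        }

        context.Validated(identity);
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!_validateCredentials(context.UserName, context.Password))
        {
            // Same generic message for unknown user and wrong password.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        context.Validated(identity);
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            AllowInsecureHttp = false,                  // bearer tokens only over TLS
            // Placeholder delegate (fails closed); replace with the real credential store.
            Provider = new WindowsAuthServerProvider((user, password) => false)
        });

        // Validates the bearer token on the API endpoints (the GET in step 4).
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
```

The null check is deliberately placed in GrantClientCredentials rather than in ValidateClientAuthentication: the Windows principal is the only credential this grant has, so when it is missing the request must fail with an OAuth error rather than fall through to Validated().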