How are bearer tokens stored server-side in Web API 2?

authentication asp.net-web-api owin

Solution 1:

  1. They're not stored server side -- they're issued to the client and the client presents them on each call. They're verified because they're signed by the owin host's protection key. In SystemWeb hosting, that protection key is the machineKey setting from web.config.

  2. That's unnecessary, as long as the protection key the owin host uses doesn't change across server restarts.

  3. A client can hold onto a token for as long as the token is valid.

Solution 2:

For those who are looking for how to set web.config, here is a sample

<system.web>
<machineKey validation="HMACSHA256" validationKey="64-hex"
                 decryption="AES" decryptionKey="another-64-hex"/>
</system.web>

You need both validationKey and decriptionkey to make it work.

And here is how to generate keys https://msdn.microsoft.com/en-us/library/ms998288.aspx

Solution 3:

To add to this, the token can be persisted server side using the SessionStore property of of CookieAuthenticationOptions. I wouldn't advocate doing this but it's there if your tokens become excessively large.

This is an IAuthenticationSessionStore so you could implement your own storage medium.

Related

Are there tuples in PHP?
Why is hasNext() False, but hasNextLine() is True?
Why doesn't Python have switch-case?
Difference among mavenCentral(), jCenter() and mavenLocal()?
Call function without optional arguments if they are None
Is there a nice way to assign std::minmax(a, b) to std::tie(a, b)?
How get to Orgrimmar from 1st lvl Garrison?
Where do the red (unlucky) cookies come from?
What is the prompt of a pikachu wagging a joycon mean?
Why I encountered Diablo in The Forgotten Tower in Diablo II?
How do I get legendaries at my level?
How do I make buses and trams run faster than walking speed?