Support the OAuth PKCE.

[daisukenishino]

Requirement

PKCE (Proof Key for Code Exchange by OAuth Public Clients)

• RFC 7636 https://tools.ietf.org/html/rfc7636
  • Is it necessary to corresponde for RFC 7636 ?
  • Can the ASP.NET Identity implement RFC 7636 ?

[daisukenishino]

Necessity

It is necessary for authentication of the public client such as mobile terminal.

• OAuth PKCE - マイクロソフト系技術情報 Wiki https://techinfoofmicrosofttech.osscons.jp/index.php?OAuth%20PKCE

[daisukenishino]

Implementation

ApplicationOAuthBearerTokenProvider

https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Models/ASPNETIdentity/TokenProviders/ApplicationOAuthBearerTokenProvider.cs

It can be implemented in the following locations corresponding to the two end points

• ApplicationOAuthBearerTokenProvider.ValidateClientRedirectUri
• ApplicationOAuthBearerTokenProvider.ValidateClientAuthentication

AuthorizationCodeProvider

https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Models/ASPNETIdentity/TokenProviders/AuthorizationCodeProvider.cs

The following class has properties of Request and Response.

• AuthenticationTokenCreateContext Class (Microsoft.Owin.Security.Infrastructure) https://msdn.microsoft.com/en-us/library/microsoft.owin.security.infrastructure.authenticationtokencreatecontext.aspx
• AuthenticationTokenReceiveContext Class (Microsoft.Owin.Security.Infrastructure) https://msdn.microsoft.com/en-us/library/microsoft.owin.security.infrastructure.authenticationtokenreceivecontext.aspx

They seem to be inherited properties from the BaseContext class respectively.

• BaseContext.Request Property (Microsoft.Owin.Security.Provider) https://msdn.microsoft.com/en-us/library/dn284274.aspx
• BaseContext.Response Property (Microsoft.Owin.Security.Provider) https://msdn.microsoft.com/en-us/library/dn284276.aspx