6

Our client had a requirement to integrate their API with the website that we are developing for them. And the API authentication is done via oAuth 2.0. They have provided all the necessary info as to (Client ID, Client Secret, Token Uri etc).

However we have hard time understanding the code snippet to call this via C#. We know we have to request a request token and attach that to header for the subsequent requests. We tried DotNetOpenAuth and Owin, but unable to find the actual code to implement this/did not succeed so far. Can any one help me with a small piece of C# code to achieve this?

Improve this question

2 Answers 2

Reset to default
21

To request the access token you only need to do a request posting the authentication data. This code has been extracted from a working MVC app using the resource owner password credentials grant:

using (var client = new HttpClient())
{
    var postData = new List<KeyValuePair<string, string>>();
    postData.Add(new KeyValuePair<string, string>("username", _user));
    postData.Add(new KeyValuePair<string, string>("password", _pwd));
    postData.Add(new KeyValuePair<string, string>("grant_type", "password"));
    postData.Add(new KeyValuePair<string, string>("client_id", _clientId));
    postData.Add(new KeyValuePair<string, string>("client_secret", _clientSecret));

    HttpContent content = new FormUrlEncodedContent(postData);
    content.Headers.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded");

    var responseResult = client.PostAsync(_tokenUrl, content).Result;

    return responseResult.Content.ReadAsStringAsync().Result;
}

I hope it helps.

EDIT

Here you have a code snippet refreshing the token:

using (var client = new HttpClient())
{
    var postData = new List<KeyValuePair<string, string>>();
    postData.Add(new KeyValuePair<string, string>("refresh_token", _refreshToken));
    postData.Add(new KeyValuePair<string, string>("grant_type", "refresh_token"));
    postData.Add(new KeyValuePair<string, string>("client_id", _clientId));
    postData.Add(new KeyValuePair<string, string>("client_secret", _clientSecret));

    HttpContent content = new FormUrlEncodedContent(postData);
    content.Headers.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded");

    var responseResult = client.PostAsync(_tokenUrl, content).Result;

    return responseResult.Content.ReadAsStringAsync().Result;
}

And using it:

using (var client = new HttpClient())
{
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", _accessToken);
    HttpResponseMessage result = client.GetAsync(_url).Result;

    if (result.StatusCode == HttpStatusCode.Unauthorized)
    {
        RefreshToken(); /* Or reenter resource owner credentials if refresh token is not implemented */
        if (/* token refreshed, repeat the request using the new access token */)
        {
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", _newAccessToken);

            result = client.GetAsync(_url).Result;

            if (result.StatusCode == HttpStatusCode.Unauthorized)
            {
                // Process the error
            }
        }
    }

    return result;
}
Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Thanks! It appears that I can now retrieve the token (with a little modification like adding "scope" etc) . One final question before I can mark this as answer. So attaching the token with subsequent requests works just fine. However wondering if should generate token each time, or will C# handle taking the same token until it expires, and only re-generate once it is expired. What is the better way to do that? Any code example will be appreciated!
You have to attach the same token until you get 401 - Unauthorized response, then you need to get a new access token whether posting the resource owner credentials or using a refresh token if your authorization server implements this functionality. The refresh token grant request is similar to the credentials one, but is transparent to the user, that doesn't need to reenter their credentials. Please see the edited response with the new code snippet.
Thank you. I have been playing around with this. So I understand, we need to generate the key per session and during the session if the key is expired we will refresh the token. That also means, if the user closes the browser and comes back later the token will be generated when he starts using the api. Is that correct?
If you save the token in the session, it depends on the persistence of your session. Take into account that if the session expires before the token, you will need to ask for a new token when create a new session.
0 
using(var client = new HttpClient()) 
{
   var postData = new List<KeyValuePair<string, string>>();
            postData.Add(new KeyValuePair<string, string> 
                                                  ("grant_type",clientcredentials));
            postData.Add(new KeyValuePair<string, string>("client_id", clientId));
            postData.Add(new KeyValuePair<string, string>("client_secret", 
                                                               clientSecret));

            HttpContent content = new FormUrlEncodedContent(postData);
            content.Headers.ContentType = new MediaTypeHeaderValue("application/x-www- 
                                                                 form-urlencoded");
            client.DefaultRequestHeaders.Authorization = new 
                        AuthenticationHeaderValue("Basic", yourauthvalue);

            var responseResult = client.PostAsync(oauthUrl, content).Result;

}
Improve this answer

1 Comment

yourauthvalue can be gotten from using postman to test the oauth2 request

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.