  • OWIN OAuth 2.0 Authorization Server

    https://docs.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

    The OAuth 2.0 framework enables a third-party app to obtain limited access to an HTTP service. Instead of using the resource owner's credentials to access a protected resource, the client obtains an access token (which is a string denoting a specific scope, lifetime, and other access attributes). Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner.

    This tutorial will cover:

    • How to create an authorization server to support four authorization grant types and refresh tokens:
      • Authorization code grant
      • Implicit Grant
      • Resource Owner Password Credentials Grant
      • Client Credentials Grant
    • Creating a resource server which is protected by an access token.
    • Creating OAuth 2.0 clients.
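
    app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
    {
        Provider = new OAuthAuthorizationServerProvider
        {
            // Validates the redirect_uri registered for the client.
            OnValidateClientRedirectUri = ValidateClientRedirectUri,
            // Authenticates the client (client_id / client_secret) at the token endpoint.
            OnValidateClientAuthentication = ValidateClientAuthentication,
            // Handles grant_type=password.
            OnGrantResourceOwnerCredentials = GrantResourceOwnerCredentials,
            // Handles grant_type=client_credentials.
            OnGrantClientCredentials = GrantClientCredetails
        }
    });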

    // Summary:
    // Called when a request to the Token endpoint arrives with a "grant_type" of "client_credentials".
    // This occurs when a registered client application wishes to acquire an "access_token"
    // to interact with protected resources on its own behalf, rather than on behalf
    // of an authenticated user. If the web application supports the client credentials,
    // it may assume the context.ClientId has been validated by the ValidateClientAuthentication
    // call. To issue an access token the context.Validated must be called with a new
    // ticket containing the claims about the client application which should be associated
    // with the access token. The application should take appropriate measures to ensure
    // that the endpoint isn’t abused by malicious callers. The default behavior is
    // to reject this grant type. See also http://tools.ietf.org/html/rfc6749#section-4.4.2

    public Func<OAuthGrantClientCredentialsContext, Task> OnGrantClientCredentials { get; set; }

  • Original article: https://www.cnblogs.com/chucklu/p/10346661.html