Hi,
I created an ASP.NET Web API project and use bearer tokens for user authorization.
The problem is that when I send
username=xxxx&password=xxxx&grant_type=password
to http://address/Token, it can generate more than one token for each user.
I want to generate one token per user. How can I do this?

What I have tried:

I sent username=xxxx&password=xxxx&grant_type=password as the body of the request to http://address/Token multiple times, and it generated multiple tokens for a single user.
Updated 2-Feb-17 21:59pm
Comments
Richard Deeming 30-Jan-17 9:17am    
Do you mean it's returning multiple tokens within a single request? If so, show us the relevant parts of your code and configuration.

Or, do you mean it returns a different token for the same user each time you request a token? If so, that's perfectly normal, and not something you need to change.
AminMhmdi 30-Jan-17 22:06pm    
It returns a different token for the same user each time I request a token. Why is it normal? I want each user to have one token until that token expires, and then get a new token.
Richard Deeming 31-Jan-17 8:15am    
It's normal because that's the way it works. The token is an encrypted ticket representing the details of the user; it's not stored on the server. Part of the data that gets encrypted will be the expiration time, which will be different each time you request a new token.
AminMhmdi 2-Feb-17 2:57am    
Thank you for the reply. Each token has an expiry time; can I remove/revoke a token before it expires?
I do it in a web page with Ajax sessionStorage.removeItem, but part of my client is a Qt-based app. I want to create a logout for my web API.

1 solution

It will create a different token for each user session. This is like a one-time user token.
What you can do is:
1. Call "http://address/Token" with username=xxxx&password=xxxx&grant_type=password as the body of the request.
2. Store the received token locally (in a session variable if using server technologies, or local storage if using an SPA application).
3. Send the token in the Authorization property along with the next requests.
4. Once the user logs out, delete the token from the session.
5. The user is considered logged in as long as the user has the one-time token with him.

Note: Log in once and use the token for consecutive requests.

Note: If you are using more than two applications sharing the same user token in IIS, then make the machine key in the IIS App Pool the same for both applications.
Comments
AminMhmdi 5-Feb-17 0:44am    
I know these 5 steps, but I don't know how to code the 5 steps that you describe!
sonymon mishra 5-Feb-17 23:37pm    
Please let me know what technology stack you are using, so that I can help you. And please elaborate specifically on what your requirement is.
sonymon mishra 5-Feb-17 23:44pm    
I need these clarifications from you.
1. Which client-side language are you using?
2. Are you using Owin OAuth?
3. Of the 5 steps, on which step are you stuck?
AminMhmdi 6-Feb-17 1:11am    
I remove it using sessionStorage.removeItem(key); in the HTML page, but my client is an Android app that uses QML. I don't know how to remove this key in QML.
sonymon mishra 6-Feb-17 1:20am    
Please let me know the architecture of your application, since I am unable to guess.
1. Android app? Hybrid or native?
2. Which server tech?
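
One way to code the five steps from the solution on the client side, as an added example that is not part of the original thread. The class name TokenClient, the storage key, and the injected fetchImpl/storage parameters are assumptions made for illustration; access_token and expires_in are the standard OAuth2 token response fields.

```javascript
// Added example: client side of the five steps. fetchImpl and storage are injected
// so the same code runs in a browser (fetch, sessionStorage) or against test doubles.
const TOKEN_URL = "http://address/Token"; // placeholder from the question; use https in deployment
const KEY = "bearer"; // hypothetical storage key

class TokenClient {
  constructor(fetchImpl, storage, now = () => Date.now()) {
    this.fetchImpl = (...args) => fetchImpl(...args); // wrapper avoids calling fetch with a foreign `this`
    this.storage = storage;
    this.now = now;
  }

  // Steps 1-2: request a token once and store it together with its expiry time.
  async login(username, password) {
    const body = new URLSearchParams({ username, password, grant_type: "password" });
    const res = await this.fetchImpl(TOKEN_URL, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    });
    if (!res.ok) throw new Error("token request failed: " + res.status);
    const t = await res.json(); // expires_in is a lifetime in seconds
    const entry = { token: t.access_token, expiresAt: this.now() + t.expires_in * 1000 };
    this.storage.setItem(KEY, JSON.stringify(entry));
  }

  // Returns the stored token, or null if absent or expired (expired entries are dropped).
  currentToken() {
    const raw = this.storage.getItem(KEY);
    if (!raw) return null;
    const entry = JSON.parse(raw);
    if (this.now() >= entry.expiresAt) { this.logout(); return null; }
    return entry.token;
  }

  // Step 3: reuse the stored token in the Authorization header of later requests.
  async request(url, options = {}) {
    const token = this.currentToken();
    if (!token) throw new Error("not logged in or token expired");
    const headers = { ...(options.headers || {}), Authorization: "Bearer " + token };
    return this.fetchImpl(url, { ...options, headers });
  }

  // Step 4: forget the local copy. The server still accepts the token until it expires.
  logout() {
    this.storage.removeItem(KEY);
  }
}
```

In a browser this would be constructed as new TokenClient(fetch, sessionStorage). Because the token is not stored on the server, logout() only discards the client's copy, so a short token lifetime limits how long a leaked token stays usable.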

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)