Sample application

A .NET sample application is provided in this SDK. It uses the Thinktecture library to obtain, refresh, and revoke tokens and to call a web service with the token.

The sample client showcases the functionality provided by the library. The sample application is based on samples from the Thinktecture team located at: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients

The sample application showcases the interaction of the client with the authorization service. This sample application does not treat the access_token or refresh_token securely. Keeping the access_token and refresh_token secure is the responsibility of the final application, which should protect them like any other existing secret.

Create client

With the provided token_endpoint, ClientId, and ClientSecret, you can construct a client to use in further interactions. The client authenticates its requests with the ClientId and ClientSecret.

_oauth2 = new OAuth2Client(new Uri(OAuth2TokenEndpoint), ResourceOwnerClientId, ResourceOwnerClientSecret);

Obtain access_token

With the service account accessKey and secretKey, you can request an access token. The response type is TokenResponse. It indicates whether there was an error obtaining the token. If the request is successful, it includes the access_token and, if available for the client, the refresh_token.

TokenResponse token = _oauth2.RequestResourceOwnerPasswordAsync(ServiceAccountAccessKey, ServiceAccountSecretKey).Result;

Calling service

With the token from the TokenResponse, you can call the service, passing the access token as a bearer token.

var client = new HttpClient
{
    BaseAddress = new Uri(IONAPIBaseUrl)
};
// token is the access_token taken from the TokenResponse; it is sent in the Authorization header
client.SetBearerToken(token);
var response = client.GetAsync("M3/m3api-rest/execute/CRS610MI/ChgFinancial?CUNO=Y30000&BLCD=0").Result;

Revoke access token

When the token is no longer needed, we recommend that you revoke the access_token. Currently, the Thinktecture library does not provide a method to revoke the token. You may use this method:

private static void RevokeToken(string token, string tokenType)
{
    using (var client = new HttpClient())
    {
        // The revocation request is authenticated with the ClientId and ClientSecret
        client.SetBasicAuthentication(ResourceOwnerClientId, ResourceOwnerClientSecret);
        var postBody = new Dictionary<string, string>
        {
            { "token", token },
            { "token_type_hint", tokenType }
        };
        var result = client.PostAsync(OAuth2TokenRevocationEndpoint, new FormUrlEncodedContent(postBody)).Result;
        // Fail loudly if the revocation request was not accepted, instead of ignoring the response
        result.EnsureSuccessStatusCode();
    }
}

To revoke an access_token, call the method with these parameters:

RevokeToken(token.AccessToken, OAuth2Constants.AccessToken);

Refresh token

If a refresh token is available as part of the response, you can obtain a new access_token and refresh_token without requiring the service account credentials.

TokenResponse token = _oauth2.RequestRefreshTokenAsync(refreshToken).Result;

Revoke refresh token

If a refresh token is provided and you no longer need to call the web service without providing the service account credentials, then the refresh token should be revoked. Use the same method provided for revoking access tokens to revoke refresh tokens.

RevokeToken(token.RefreshToken, OAuth2Constants.RefreshToken);
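
The steps above combined into one flow, as an added example that is not part of the SDK sample: it checks TokenResponse.IsError, refreshes once when the call returns 401 (an assumption about how an expired access_token is rejected), and revokes both tokens in a finally block. The class name TokenLifecycle, the method names CallAsync and RevokeAsync, and the endpoint values are placeholders; await is used instead of .Result, which assumes C# 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Thinktecture.IdentityModel.Client;
static class TokenLifecycle // hypothetical class; the constants below are placeholders (assumptions)
{
    const string OAuth2TokenEndpoint = "https://sso.example.invalid/token", IONAPIBaseUrl = "https://api.example.invalid/";
    const string OAuth2TokenRevocationEndpoint = "https://sso.example.invalid/revoke";
    const string ResourceOwnerClientId = "<client-id>", ResourceOwnerClientSecret = "<client-secret>";
    public static async Task<System.Net.HttpStatusCode> CallAsync(string accessKey, string secretKey, string path)
    {
        var oauth2 = new OAuth2Client(new Uri(OAuth2TokenEndpoint), ResourceOwnerClientId, ResourceOwnerClientSecret);
        TokenResponse token = await oauth2.RequestResourceOwnerPasswordAsync(accessKey, secretKey);
        if (token.IsError) throw new InvalidOperationException("Token request failed: " + token.Error);
        var api = new HttpClient { BaseAddress = new Uri(IONAPIBaseUrl) };
        try
        {
            api.SetBearerToken(token.AccessToken);
            var response = await api.GetAsync(path);
            // Assumption: a rejected access_token yields 401. Refresh once, if a refresh_token was issued, and retry.
            if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized && !string.IsNullOrEmpty(token.RefreshToken))
            {
                var refreshed = await oauth2.RequestRefreshTokenAsync(token.RefreshToken);
                if (refreshed.IsError) throw new InvalidOperationException("Refresh failed: " + refreshed.Error);
                token = refreshed;
                api.SetBearerToken(token.AccessToken);
                response = await api.GetAsync(path);
            }
            return response.StatusCode;
        }
        finally
        {
            api.Dispose();
            // Revoke on every exit path, exceptions included, so no live token outlives the call.
            if (!string.IsNullOrEmpty(token.RefreshToken)) await RevokeAsync(token.RefreshToken, OAuth2Constants.RefreshToken);
            await RevokeAsync(token.AccessToken, OAuth2Constants.AccessToken);
        }
    }
    static async Task<bool> RevokeAsync(string value, string tokenTypeHint)
    {
        using (var client = new HttpClient())
        {
            client.SetBasicAuthentication(ResourceOwnerClientId, ResourceOwnerClientSecret);
            var body = new Dictionary<string, string> { { "token", value }, { "token_type_hint", tokenTypeHint } };
            return (await client.PostAsync(OAuth2TokenRevocationEndpoint, new FormUrlEncodedContent(body))).IsSuccessStatusCode;
        }
    }
}
```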