Sending Additional Parameters to Token in Web API with oauth2 and AngularJS

I’ve got an application written in AngularJS that contacts a Web API for authentication via OAuth 2. Everything is working well with that core piece, but I need to pass in additional parameters to evaluate the login (clientID) and set up a remember-me type functionality (remember).

From the Angular side, it would look something like this:

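    // URL-encode every value so characters such as & or + in a password cannot corrupt the form body.
    var data = "grant_type=password&username=" + encodeURIComponent(form.username) + "&password=" + encodeURIComponent(form.password) + "&clientID=" + encodeURIComponent(clientID) + "&remember=" + encodeURIComponent(form.remember);

    var deferred = $q.defer();

    $http.post(serviceBase + 'token', data, { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }).success(function (response) {
        deferred.resolve(response);
    }).error(function (err) {
        deferred.reject(err);
    });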

Any thoughts as to the best way to capture those values once I’m processing the token through Startup.cs and SimpleAuthorizationServerProvider.cs? Thanks

How to solve:

Method 1

When using GrantResourceOwnerCredentials, you can retrieve the OWIN request from OAuthGrantResourceOwnerCredentialsContext and extract the custom parameter you need by calling ReadFormAsync().

    // Requires: using System; using System.Threading.Tasks; using Microsoft.Owin.Security.OAuth;
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Read the posted form body of the token request.
        var form = await context.Request.ReadFormAsync();

        if (string.Equals(form["remember"], "true", StringComparison.OrdinalIgnoreCase))
        {
            // Add custom logic to handle the "remember me" case.
        }
    }

That said, adding custom (i.e. non-standard) parameters is usually discouraged, especially if they are mandatory. Note that you don’t need to use a custom clientID parameter, as there’s already a standard equivalent: client_id.
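
One way to apply the advice above, as an added example that is not part of the original answer: the standard client_id is checked in ValidateClientAuthentication, and the custom remember value is read in GrantResourceOwnerCredentials. The client id "angular-spa", the KnownClients set and the CheckPassword helper are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    // Constructed sample id (assumption); load registered client ids from configuration or a store.
    private static readonly HashSet<string> KnownClients = new HashSet<string> { "angular-spa" };

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        // Reads the standard client_id (and client_secret, if sent) from the form body.
        // A browser app cannot keep a secret, so client_id identifies the caller but does not authenticate it.
        if (context.TryGetFormCredentials(out clientId, out clientSecret) && KnownClients.Contains(clientId))
            context.Validated(clientId);
        else
            context.SetError("invalid_client", "Unknown or missing client_id.");
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!CheckPassword(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        var form = await context.Request.ReadFormAsync();
        // "remember" is caller-controlled input: treat it as a preference and keep
        // any limit it influences (such as a maximum lifetime) enforced on the server.
        bool remember = string.Equals(form["remember"], "true", StringComparison.OrdinalIgnoreCase);

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        var props = new AuthenticationProperties(new Dictionary<string, string>
        {
            { "client_id", context.ClientId },   // set by context.Validated(clientId) above
            { "remember", remember ? "true" : "false" }
        });
        context.Validated(new AuthenticationTicket(identity, props));
    }

    // Hypothetical placeholder that fails closed; replace with the application's real credential check.
    private static bool CheckPassword(string userName, string password) { return false; }
}
```

The example only records the remember flag on the ticket; what it changes afterwards is application policy.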

All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.