ASP.Net Identity 2 – custom response from OAuthAuthorizationServerProvider

This question is continuation of my previous one: ASP.Net Identity 2 login using password from SMS – not using two-factor authentication

I’ve build my custom OAuthAuthorizationServerProvider to support custom grant_type.
My idea was to create grant_type of sms that will allow user to generate one-time access code that will be send to his mobile phone and then user as password when sending request with grant_type of password.

Now after generating, storing and sending via SMS that password I’d like to return custom response, not token from my GrantCustomExtension.

public override async Task GrantCustomExtension(OAuthGrantCustomExtensionContext context)
    const string allowedOrigin = "*";
    context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] {allowedOrigin});

    if (context.GrantType != "sms")
        context.SetError("invalid_grant", "unsupported grant_type");

    var userName = context.Parameters.Get("username");

    if (userName == null)
        context.SetError("invalid_grant", "username is required");

    var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

    ApplicationUser user = await userManager.FindByNameAsync(userName);

    if (user == null)
        context.SetError("invalid_grant", "user not found");

    var generator = new TotpSecurityStampBasedTokenProvider<ApplicationUser, string>();
    await userManager.UpdateSecurityStampAsync(user.Id);
    var accessCode = await generator.GenerateAsync("SMS", userManager, user);

    var accessCodeExpirationTime = TimeSpan.FromMinutes(5);

    var result = await userManager.AddAccessCode(user, accessCode, accessCodeExpirationTime);

        Debug.WriteLine("Login code:"+accessCode);
        //here I'll send login code to user phone via SMS

    //return 200 (OK)
    //with content type="application/json; charset=utf-8"
    //and custom json content {"message":"code send","expires_in":300}

    //skip part below

    ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager, "SMS");

    var ticket = new AuthenticationTicket(oAuthIdentity, null);



How can I stop generating token and return custom response from OAuthAuthorizationServerProvider?

I’m aware of two methods: TokenEndpoint, TokenEndpointResponse, but I’d like to override whole response, not just token.

For now I’m creating temporary ClaimsIdentity in GrantCustomExtension using code below:

var ci = new ClaimsIdentity();
ci.AddClaim(new Claim("message","send"));
ci.AddClaim(new Claim("expires_in", accessCodeExpirationTime.TotalSeconds.ToString(CultureInfo.InvariantCulture)));

and I’m overriding TokenEndpointResponse:
public override Task TokenEndpointResponse(OAuthTokenEndpointResponseContext context)
    if (context.TokenEndpointRequest.GrantType != "sms") return base.TokenEndpointResponse(context);
    //clear response containing temporary token.
    HttpContext.Current.Response.SuppressContent = true;
    return Task.FromResult<object>(null);

This has two issues: when calling context.Validated(ci); I’m saying this is a valid user, but instead I’d like to response information that I’ve send access code via SMS.
HttpContext.Current.Response.SuppressContent = true; clears response, but I’d like to return something instead of empty response.


Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

This is more of a workaround then a final solution, but I believe it is the most reliable way of solving your issue without rewriting tons of code from the default OAuthAuthorizationServerProvider implementation.

The approach is simple: use a Owin middleware to catch token requests, and overwrite the response if an SMS was sent.

[Edit after comments] Fixed the code to allow the response body to be buffered and changed as per this answer

Inside your Startup.cs file:

public void Configuration(IAppBuilder app)
    var tokenPath = new PathString("/Token"); //the same path defined in OAuthOptions.TokenEndpointPath

    app.Use(async (c, n) =>
        //check if the request was for the token endpoint
        if (c.Request.Path == tokenPath)
            var buffer = new MemoryStream();
            var body = c.Response.Body;
            c.Response.Body = buffer; // we'll buffer the response, so we may change it if needed

            await n.Invoke(); //invoke next middleware (auth)

            //check if we sent a SMS
            if (c.Get<bool>("sms_grant:sent"))
                var json = JsonConvert.SerializeObject(
                        message = "code send",
                        expires_in = 300

                var bytes = Encoding.UTF8.GetBytes(json);

                buffer.SetLength(0); //change the buffer
                buffer.Write(bytes, 0, bytes.Length);

                //override the response headers
                c.Response.StatusCode = 200;
                c.Response.ContentType = "application/json";
                c.Response.ContentLength = bytes.Length;

            buffer.Position = 0; //reset position
            await buffer.CopyToAsync(body); //copy to real response stream
            c.Response.Body = body; //set again real stream to response body
            await n.Invoke(); //normal behavior

    //other owin middlewares in the pipeline

    //app.UseWebApi( .. );

And inside your custom grant method:
// ...
var result = await userManager.AddAccessCode(user, accessCode, accessCodeExpirationTime);

    Debug.WriteLine("Login code:"+accessCode);
    //here I'll send login code to user phone via SMS

context.OwinContext.Set("sms_grant:sent", true);

//you may validate the user or set an error, doesn't matter anymore
//it will be overwritten

Method 2

I would recommend to have a look at this answer :

public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    foreach (KeyValuePair<string, string> property in context.Properties.Dictionary)
        context.AdditionalResponseParameters.Add(property.Key, property.Value);

    return Task.FromResult<object>(null);

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x