Based on the great example by Shaun Luttin at I was able to use that code to generate and consume bearer tokens. Minor changes were to get the latest packages:
"dependencies": {
"Microsoft.AspNet.Authentication.JwtBearer": "1.0.0-rc1-final",
"AspNet.Security.OpenIdConnect.Server": "1.0.0-beta4"
Although the code is a great start, it's not a complete solution that integrates w/ ASP.NET Identity completely. I modified AuthorizationProvider class as follows:
public override Task GrantResourceOwnerCredentials(
GrantResourceOwnerCredentialsContext context)
var user = _userManager.FindByNameAsync(context.UserName).Result;
if (user == null)
context.Rejected("The user name or password is incorrect.");
var signInManager = context.HttpContext.RequestServices
if (signInManager.CanSignInAsync(user).Result &&
_userManager.CheckPasswordAsync(user, context.Password).Result)
var principal = signInManager.CreateUserPrincipalAsync(user).Result;
//To avoid leaking confidential data, AspNet.Security.OpenIdConnect.Server
//refuses to serialize the claims that don't explicitly specify a destination.
foreach (var claim in principal.Claims)
claim.WithDestination("token id_token");
context.Rejected("The user name or password is incorrect.");
return Task.FromResult(0);
I'm using CreateUserPrincipalAsync to create the ClaimsPrincipal for the Validated method. Is there a better way to integrate w/ ASP.NET Identity?
Your implementation looks fine, minor 3 remarks:
to avoid the .Result
blocking calls.The last two points are mitigated in OpenIddict
(a whole new experimental OIDC server that uses AspNet.Security.OpenIdConnect.Server
internally), so don't hesitate to take a look at its default implementation: