How will you implement 2-factor authentication with OAuth token-based authentication?
@alper For now, there is no 2-Factor requirement and we do not foresee one in the future either. Our focus is mainly on "Refresh Token", to further enhance the existing MVC5AJ1 Token-based Authentication and ensure the Mobile Client is NOT provided with a long-lived Access Token but a short-lived one with a Refresh Token. From my research, this is quite a standard practice; however, it's missing from ASPNet Zero at this moment.
There is still one thing that has puzzled me until now despite the explanation given so far. What's the difference between the Access Token generated from ASPNet Zero using "OAuthBearerOptions.AccessTokenFormat.Protect(ticket)" and the one that's being generated based on OAuth that implements an Authentication Provider ("OAuthAuthorizationServerProvider") that uses "GrantResourceOwnerCredentials"?
In particular, how do these two tokens affect the Roles and Permissions set in ASPNet Zero?
We successfully implemented OAuth token. Using Postman, the Roles/Permissions assigned to the same user based on endpoints:
Both seem to behave the same way based on simple test cases. We would be very grateful if you have anything additional to share.
We have to continue on with "Refresh Token", which is straining progress right now.
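For readers following the refresh-token question, a sketch of a one-time (rotating) refresh token provider for the OWIN OAuth authorization server. It is an added example, not part of the thread and not ASPNet Zero code; the class name `RotatingRefreshTokenProvider`, the 14-day lifetime and the in-memory store are assumptions for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Owin.Security.Infrastructure;

// Hypothetical provider: one-time refresh tokens, stored only as hashes.
public class RotatingRefreshTokenProvider : AuthenticationTokenProvider
{
    // Demo store: SHA-256(token) -> protected ticket. Use a database table in production.
    private static readonly ConcurrentDictionary<string, string> Store =
        new ConcurrentDictionary<string, string>();

    public override void Create(AuthenticationTokenCreateContext context)
    {
        // Opaque random handle handed to the mobile client; it carries no claims itself.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);

        // The refresh ticket gets its own, longer lifetime (assumed 14 days).
        context.Ticket.Properties.IssuedUtc = DateTimeOffset.UtcNow;
        context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(14);

        // Persist only the hash, so a leaked store does not yield usable tokens.
        Store[Hash(token)] = context.SerializeTicket();
        context.SetToken(token);
    }

    public override void Receive(AuthenticationTokenReceiveContext context)
    {
        // TryRemove makes the token single-use: a replayed token finds nothing,
        // no ticket is set, and the middleware rejects the refresh request.
        string protectedTicket;
        if (Store.TryRemove(Hash(context.Token), out protectedTicket))
            context.DeserializeTicket(protectedTicket);
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

The provider is assigned to `OAuthAuthorizationServerOptions.RefreshTokenProvider`, with `AccessTokenExpireTimeSpan` set to a short value so the access token expires quickly. Each successful `grant_type=refresh_token` request then consumes the old refresh token and issues a new pair.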