My first OSS project – DOAP

At work I’m developing a web api for a project that is to be used be several devices and possibly by 3rd parties; I was having a discussion with a few colleagues about the best way to secure this api and this eventually moved on to OAuth.  The choice we faced was do we go with the existing and finalised OAuth protocol or do we take a chance and jump on board with OAuth 2 and all the benefits  it brings, the choice was easy we needed or api to work on mobile devices, desktop apps and a whole host of non-web based apps.

Next step was to see if there was an existing library that allowed us to be a provider. Two that came up (did I mention this was a .Net project?) were DotNetOpenAuth and another one which I’ve just forgotten. I played about with both attempting to get it up and running but had some difficulty. Neither library suited my needs so I decided to try and build one my self; and I did 🙂

I had a read through the PHP implementation and read the protocol draft several times over and what I developed is my  best interpretation of it. The project I was working on required the use of the assertion/password/refresh grants and that’s all I’ve tested so far. Hopefully someone will give the others a try too.

Source: //

License: MIT

Dependencies: WCFRestContrib (only for the WCF helper attributes)


The project I’m working on has the api provided via WCF and obviously I had to get my OAuth implementation working with WCF (With a huge help from the fantastic WCFRestContrib library). Check out the example in the github repo to see a working version.


DotNet OAuth Provider of course.

There is no binaries yet, not until the draft is finalised or someone requests it. It’s easy to build any way as there are barley any dependencies.

I’ll make a post of how to set it up soon but until then hopefully the example is enough to get you going.


  • September 14, 2011 - 1:17 pm | Permalink

    Hello tony,

    I wanted to thank you for sharing your code, as it helped a lot. I wanted to ask a few questions I find hard to find.

    If you could answer them, it would be great :
    Nonces are not anymore part of Oauth2, right?

    Have you advanced to another draft above 10 in your code ?

    I am wondering wether to use dotnetopenauth, which is kind of complex, or to go with your code, trying to avoid to write my own implementation.

    either way, thanks a lot for sharing.

    in my case, it’s oauth 2.0 for a mobile application implementation, which mainly requires authentication from an existing public application, to authorize access to personnal data.

    Kind Regards,
    Dinia (O.D.)

    • September 20, 2011 - 11:53 am | Permalink

      Hey Dinia,

      Sorry for the delay; I haven’t had much time to work on the oauth stuff for a while, especially since the specification isn’t ratified. As of this time the oauth 2.0 is on draft 21 and my code is very out of date, I do have plans to work on it but not until the spec is complete.

      Feel free to use other peoples code or if you want to help you could fork my code.


  • Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.