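/// <summary>
/// Three-legged OAuth callback: exchanges the authorization <paramref name="code"/> for tokens,
/// hands them to <c>OAuthDB.RegisterUser</c>, and returns the resulting session id protected with
/// <c>MachineKey.Protect</c> so the raw database id never leaves the server.
/// </summary>
/// <param name="code">Authorization code returned by the provider; required.</param>
/// <param name="state">Opaque value passed on the original login call; stored as <c>local_id</c> when present.</param>
/// <returns>
/// 200 with the Base64 protected session id as <c>text/plain</c>, or 400 when
/// <paramref name="code"/> is missing or blank.
/// </returns>
[Route("api/forge/callback/oauth")] // see Web.Config FORGE_CALLBACK_URL variable
public async Task<HttpResponseMessage> OAuthCallback(string code, string state)
{
    // A missing or blank code means the provider did not authorize (or the callback URL was
    // altered); fail fast instead of forwarding a null code to the token endpoint.
    if (string.IsNullOrWhiteSpace(code))
    {
        return Request.CreateErrorResponse(System.Net.HttpStatusCode.BadRequest, "Missing authorization code.");
    }

    ThreeLeggedApi oauth = new ThreeLeggedApi();
    DynamicDictionary bearer = await oauth.GettokenAsync(
        ConfigVariables.FORGE_CLIENT_ID,
        ConfigVariables.FORGE_CLIENT_SECRET,
        oAuthConstants.AUTHORIZATION_CODE,
        code,
        ConfigVariables.FORGE_CALLBACK_URL);

    // The local_id of the requesting machine is expected to be supplied on the original
    // login call and round-tripped here as `state`.
    // NOTE(review): `state` is stored exactly as received and is not compared with a value issued
    // at login; OAuth `state` is also the usual CSRF binding for a callback like this — confirm
    // whether the login endpoint issues one and whether a comparison belongs here.
    if (!string.IsNullOrWhiteSpace(state))
    {
        bearer.Dictionary.Add("local_id", state);
    }

    // The token response carries a relative lifetime in expires_in; also store the absolute UTC
    // instant so refresh logic can compare against DateTime.UtcNow. The value is applied as
    // seconds (AddSeconds); the previous comment said minutes — confirm against the token endpoint.
    // Convert.ToInt64 accepts a boxed int, long or numeric string, where an unboxing cast to long
    // would throw for anything but a boxed long.
    long expiresInSeconds = Convert.ToInt64(bearer.Dictionary["expires_in"], System.Globalization.CultureInfo.InvariantCulture);
    bearer.Dictionary.Add("expires_at", DateTime.UtcNow.AddSeconds(expiresInSeconds));

    // Persist the access & refresh tokens server-side and get back the DB unique id, so the
    // application can refresh the token later without the client ever seeing it.
    string sessionIdUnprotected = await OAuthDB.RegisterUser(bearer);

    // Protect (encrypt and sign under the machine key) the DB id before handing it to the client.
    // No purposes are passed; the matching MachineKey.Unprotect call elsewhere must use the same
    // (empty) purposes, so that cannot be changed here in isolation.
    string sessionIdProtected = Convert.ToBase64String(
        System.Web.Security.MachineKey.Protect(Encoding.UTF8.GetBytes(sessionIdUnprotected)));

    HttpResponseMessage res = Request.CreateResponse(System.Net.HttpStatusCode.OK);
    res.Content = new StringContent(sessionIdProtected, Encoding.UTF8, "text/plain");
    // The body is a session handle that grants access to stored tokens; keep it out of
    // shared and proxy caches.
    res.Headers.CacheControl = new System.Net.Http.Headers.CacheControlHeaderValue { NoStore = true, NoCache = true };
    return res;
}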