Owin.Security.OAuth上的Authorization_code授予流:返回invalid_grant [英] Authorization_code grant flow on Owin.Security.OAuth: returns invalid_grant
问题描述
我正在尝试使用authorization_code授予流程设置身份验证.我以前曾与grant_type=password一起使用过,所以我有点知道这些东西应该如何工作.但是,当使用grant_type=authorization_code时,我无法使其返回invalid_grant
I am trying to setup my authentication using the authorization_code grant flow. I had it previously working with grant_type=password, so I kind of know how the stuff is supposed to work. But when using grant_type=authorization_code, I couldn't make it return anything other than invalid_grant
这是我的设置:
app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
{
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/auth/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(5),
Provider = new SampleAuthProvider()
});
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
AuthenticationType = "Bearer"
});
SampleAuthProvider是以下类: https://gist.github.com/anonymous/8a0079b705423b406c00
SampleAuthProvider is the following class: https://gist.github.com/anonymous/8a0079b705423b406c00
基本上,它只是记录每个步骤并进行验证.我尝试了该请求:
Basically, it's just logging every step and validating it. I tried the request:
POST http://localhost:12345/auth/token
grant_type=authorization_code&code=xxxxxx&client_id=xxxxx&redirect_uri=https://xxxx.com/
Content-Type: application/x-www-form-urlencoded
正在经历:
-
OnMatchEndpoint -
OnValidateClientAuthentication
OnMatchEndpointOnValidateClientAuthentication
仅此而已.我希望它能调用OnValidateTokenRequest和OnGrantAuthorizationCode next,但是没有.我不知道为什么.
And that's all. I expected it to call OnValidateTokenRequest and OnGrantAuthorizationCodenext, but it just didn't. I have no idea why.
请求中的xxxx不是占位符,我这样尝试过.也许中间件自己进行一些检查并因此拒绝请求?我尝试了redirect_uri和http的变体,没有任何协议,没有斜杠...
The xxxx's in the request aren't placeholders, I tried it like that. Maybe the middleware makes some checks on its own and rejects the request because of that? I tried variants of the redirect_uri with http, without any protocol, without trailing slash...
它也可以与自定义grant_type一起正常使用.因此,如果我太绝望了,我想我可以用它来模拟authorization_code,但我宁愿不必那样做.
It also works properly with a custom grant_type. It so if I too desperate, I guess I can use that to simulate authorization_code, but I'd rather not have to do that.
TL; DR
使用grant_type=authorization_code时,我的OAuthAuthorizationServerProvider在OnValidateClientAuthentication之后返回{"error":"invalid_grant"}.
My OAuthAuthorizationServerProvider returns {"error":"invalid_grant"}after OnValidateClientAuthentication when using grant_type=authorization_code.
- 为什么停在那里?
- 我该如何使整个该死的事情起作用?
感谢您的帮助!
修改
正如RajeshKannan指出的那样,我在配置中犯了一个错误.我没有提供AuthorizationCodeProvider实例.但是,这并不能完全解决问题,因为在我的情况下,代码不是由AuthorizationCodeProvider发出的,我不能对它进行反序列化.我忙于解决方法.
As pointed out by RajeshKannan, I made a mistake in my configuration. I didn't provide an AuthorizationCodeProvider instance. However, that didn't completely solve the problem, since in my case, the code is not issued by the AuthorizationCodeProvider, and I can't just deserialize it. I anwered with the workaround I got working.
推荐答案
这就是我正在工作的内容.我对该解决方案并不完全满意,但是它可以正常工作,应该可以帮助其他人解决问题.
Here is what I got working. I'm not completely comfortable with that solution, but it works and should help others to fix their issues.
所以,问题是我没有设置AuthorizationCodeProvider属性.收到带有grant_type=authorization_code的请求时,该代码提供者必须验证该代码.该框架假定该代码是由该代码提供者发出的,但这不是我的情况.我是从另一台服务器上获得的,必须将代码发送回去进行验证.
So, the issue is that I didn't set the AuthorizationCodeProvider property. When a request with grant_type=authorization_code is received, the code must be validated by that code provider. The framework assumes that the code was issued by that code provider, but that's not my case. I get it from another server and have to send the code back to it for validation.
在标准情况下,您也是发出代码的人,RajeshKannan提供的链接描述了您必须执行的所有操作.
In the standard case, where you are also the one issuing the code, the link provided by RajeshKannan describes everything you have to do.
您必须在此处设置属性:
Here is where you have to set the property:
app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString(Paths.TokenPath),
Provider = new SampleAuthProvider(),
AuthorizationCodeProvider = new MyAuthorizationCodeProvider ()
}
以及MyAuthorizationCodeProvider类的声明:
internal class MyAuthorizationCodeProvider : AuthenticationTokenProvider
{
public override async Task ReceiveAsync(
AuthenticationTokenReceiveContext context)
{
object form;
// Definitely doesn't feel right
context.OwinContext.Environment.TryGetValue(
"Microsoft.Owin.Form#collection", out form);
var redirectUris = (form as FormCollection).GetValues("redirect_uri");
var clientIds = (form as FormCollection).GetValues("client_id");
if (redirectUris != null && clientIds != null)
{
// Queries the external server to validate the token
string username = await MySsoService.GetUserName(context.Token,
redirectUris[0]);
if (!string.IsNullOrEmpty(username))
{
var identity = new ClaimsIdentity(new List<Claim>()
{
// I need the username in GrantAuthorizationCode
new Claim(ClaimTypes.NameIdentifier, username)
}, DefaultAuthenticationTypes.ExternalBearer);
var authProps = new AuthenticationProperties();
// Required. The request is rejected if it's not provided
authProps.Dictionary.Add("client_id", clientIds[0]);
// Required, must be in the future
authProps.ExpiresUtc = DateTimeOffset.Now.AddMinutes(1);
var ticket = new AuthenticationTicket(identity, authProps);
context.SetTicket(ticket);
}
}
}
}
这篇关于Owin.Security.OAuth上的Authorization_code授予流:返回invalid_grant的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
