Rich Twitter Digits/Google Auth with OpenIdDictServer


Question

Our app requires sign-in by either mobile number or Google. We are planning to use Twitter Digits for mobile number authentication.

The flow of registration and authentication as I understand it is as below:

  1. Mobile app does rich authentication with Twitter Digits or Google Sign In (it's a better user experience for the user to do rich auth instead of opening a web browser tab). Twitter Digits / Google Sign In returns an Identity Token.

  2. Mobile app calls AuthServer to SignIn and presents the Identity Token.

  3. Identity server validates the presented Identity Token with the Digits service or Google Auth Service.

  4. Once verified, AuthServer would try to find the user; if not present, it will create one.

  5. AuthServer returns an Access Token to the mobile app.

Now, I am looking for options to implement steps #3-4.

Currently, what I have done is to modify the token end-point code so that it takes in the username as a phone number or email address and the password as the Google/Twitter Digits ID token. Now, since the auth server needs to know that the password sent is actually a token that needs to be verified with a third-party service, I worked around it by sending the service name "Digits" or "Google" in TokenHint.

This works very well, but I am wondering what is the cleanest way to support what I am trying to achieve.

Answer

"This works very well, but I am wondering what is the cleanest way to support what I am trying to achieve."

I'd personally go with a custom grant type:

[HttpPost("~/connect/token")]
[Produces("application/json")]
public IActionResult Exchange(OpenIdConnectRequest request)
{
    if (request.GrantType == "urn:ietf:params:oauth:grant-type:google_identity_token")
    {
        // Reject the request if the "assertion" parameter is missing.
        if (string.IsNullOrEmpty(request.Assertion))
        {
            return BadRequest(new OpenIdConnectResponse
            {
                Error = OpenIdConnectConstants.Errors.InvalidRequest,
                ErrorDescription = "The mandatory 'assertion' parameter was missing."
            });
        }

        // Create a new ClaimsIdentity containing the claims that
        // will be used to create an id_token and/or an access token.
        var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);

        // Manually validate the identity token issued by Google,
        // including the issuer, the signature and the audience.
        // Then, copy the claims you need to the "identity" instance.

        // Create a new authentication ticket holding the user identity.
        var ticket = new AuthenticationTicket(
            new ClaimsPrincipal(identity),
            new AuthenticationProperties(),
            OpenIdConnectServerDefaults.AuthenticationScheme);

        ticket.SetScopes(
            OpenIdConnectConstants.Scopes.OpenId,
            OpenIdConnectConstants.Scopes.OfflineAccess);

        return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
    }

    return BadRequest(new OpenIdConnectResponse
    {
        Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
        ErrorDescription = "The specified grant type is not supported."
    });
}

Note that you'll also have to enable it in the OpenIddict options:

// Register the OpenIddict services.
services.AddOpenIddict()
    // Register the Entity Framework stores.
    .AddEntityFrameworkCoreStores<ApplicationDbContext>()

    // Register the ASP.NET Core MVC binder used by OpenIddict.
    // Note: if you don't call this method, you won't be able to
    // bind OpenIdConnectRequest or OpenIdConnectResponse parameters.
    .AddMvcBinders()

    // Enable the token endpoint.
    .EnableTokenEndpoint("/connect/token")

    // Enable the refresh token flow and a custom grant type.
    .AllowRefreshTokenFlow()
    .AllowCustomFlow("urn:ietf:params:oauth:grant-type:google_identity_token")

    // During development, you can disable the HTTPS requirement.
    .DisableHttpsRequirement();

When sending a token request, make sure to use the right grant_type and to send your id_token as the assertion parameter, and it should work.

Here's an example using Facebook access tokens:

Be extremely careful when implementing the token validation routine, as this step is particularly error-prone. It's really important to validate everything, including the audience (otherwise, your server would be vulnerable to confused deputy attacks).
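The skeleton above leaves the "manually validate the identity token issued by Google" step as a comment, and that step is exactly where the confused-deputy risk lives. The following is an added example (not code from the answer or from OpenIddict) of one way to fill it in with the Microsoft.IdentityModel packages (System.IdentityModel.Tokens.Jwt, Microsoft.IdentityModel.Protocols.OpenIdConnect) and the same AspNet.Security.OpenIdConnect constants the skeleton uses. The class name GoogleIdentityTokenValidator, the constructor taking the app's Google client ID, and the idea of keying the "find or create user" step on the token's sub claim are all my assumptions, not something the answer prescribes.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper (added example, not from the answer) implementing the
// "manually validate the identity token issued by Google" step of the custom
// grant. Signing keys come from Google's OpenID Connect discovery document, and
// signature, issuer, audience and lifetime are all checked before any claim is
// trusted.
public sealed class GoogleIdentityTokenValidator
{
    // Google has issued id_tokens under both of these issuer values.
    private static readonly string[] ValidIssuers =
        { "https://accounts.google.com", "accounts.google.com" };

    // ConfigurationManager caches the discovery document and the JWKS it points
    // to and refreshes them periodically, so key rotation is handled for us.
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _configuration =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            "https://accounts.google.com/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    private readonly string _clientId;

    // clientId: the OAuth client ID the mobile app used with Google Sign-In
    // (assumption: loaded from the server's configuration).
    public GoogleIdentityTokenValidator(string clientId)
    {
        _clientId = clientId ?? throw new ArgumentNullException(nameof(clientId));
    }

    // Validates the raw id_token presented as the "assertion" parameter and
    // returns a ClaimsIdentity ready to be signed in by the Exchange action.
    // Any failure surfaces as a SecurityTokenException; the caller should map
    // it to a generic "invalid_grant" error rather than echoing the details.
    public async Task<ClaimsIdentity> CreateIdentityAsync(
        string assertion, CancellationToken cancellationToken = default(CancellationToken))
    {
        var configuration = await _configuration.GetConfigurationAsync(cancellationToken);

        var parameters = new TokenValidationParameters
        {
            ValidIssuers = ValidIssuers,
            // The audience check is what stops a token minted for some other
            // application (a different client ID) from being replayed against
            // this server: the confused deputy problem the answer warns about.
            ValidAudience = _clientId,
            IssuerSigningKeys = configuration.SigningKeys,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };

        var handler = new JwtSecurityTokenHandler();
        // Keep the original JWT claim names ("sub", "email", ...) instead of
        // mapping them to the legacy WS-* ClaimTypes URIs.
        handler.InboundClaimTypeMap.Clear();

        // Throws if the signature, issuer, audience, lifetime or format is wrong.
        var google = handler.ValidateToken(assertion, parameters, out _);

        var subject = google.FindFirst("sub")?.Value;
        if (string.IsNullOrEmpty(subject))
        {
            throw new SecurityTokenException("The Google id_token has no 'sub' claim.");
        }

        var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);

        // The Google subject is stable per user per client, so it is the safe
        // key for the "find the user, or create one" step; emails can change.
        identity.AddClaim(OpenIdConnectConstants.Claims.Subject, subject,
            OpenIdConnectConstants.Destinations.AccessToken,
            OpenIdConnectConstants.Destinations.IdentityToken);

        // Only copy the email address if Google says it has been verified.
        var email = google.FindFirst("email")?.Value;
        var verified = google.FindFirst("email_verified")?.Value;
        if (!string.IsNullOrEmpty(email) &&
            string.Equals(verified, "true", StringComparison.OrdinalIgnoreCase))
        {
            identity.AddClaim(OpenIdConnectConstants.Claims.Email, email,
                OpenIdConnectConstants.Destinations.IdentityToken);
        }

        return identity;
    }
}
```

Inside the `google_identity_token` branch of the Exchange action, `var identity = await validator.CreateIdentityAsync(request.Assertion);` replaces the "manually validate" comment, with the SecurityTokenException caught and turned into an OpenIdConnectResponse carrying OpenIdConnectConstants.Errors.InvalidGrant. The client side stays as the answer describes: a POST to /connect/token with grant_type=urn:ietf:params:oauth:grant-type:google_identity_token and the Google id_token in the assertion parameter. The Twitter Digits leg of the question is not covered by this example; Digits does not issue a JWT, so it would need its own verification against the Digits service rather than this JWT validator.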
