Shorten access token returned by OWIN in ASP.NET WebAPI 2


Problem description


We've developed a REST API using ASP.NET WebAPI 2 & secured it using ASP.NET Identity. The client required that their token be set to a long expiration time, as they store the access token in their database.


During testing, they requested that we reduce the length of the token, as their database can only handle strings up to 250 characters. Our implementation is pretty "vanilla". Below are the options we're currently setting for the bearer token:

OAuthOptions = new OAuthAuthorizationServerOptions {
    TokenEndpointPath = new PathString("/oauth/2/token"),
    Provider = new ApplicationOAuth2Provider(PublicClientId),
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromDays(1000000),
    AllowInsecureHttp = true
};


How would we go about shortening the token to the 250 character limit? I've noticed some properties relating to setting custom access token formatters etc., but am unsure how to implement these and what the restrictions and/or pitfalls are.

Any help would be greatly appreciated.

Recommended answer

The answer is yes.


Since client just sends the same token string back to server, you can send a hash value of the token.


What I do is use a GUID to represent the token, which is only 32 chars, and store the mapping information (GUID => token) on the server side. When the user tries to authenticate with the GUID, you can read the REAL token from wherever you store it, then deserialize the ticket.


Here is the sample code; the core is to override the OnCreate/OnReceive methods of the OAuthAuthorizationServerOptions class. You may also want to override OnCreateAsync and OnReceiveAsync.

OAuthOptions = new OAuthAuthorizationServerOptions
{
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId),
    AccessTokenProvider = new AuthenticationTokenProvider
    {
        OnCreate = (context) =>
        {
            // Serialize the full protected ticket; this is the long string the client would normally receive
            var token = context.SerializeTicket();
            // 32-character opaque handle that is returned to the client instead of the ticket
            var guid = Guid.NewGuid().ToString("N");
            // You need to implement your own logic here, for example, store the mapping (guid => token) in a database
            RedisServer.SetValue(guid, token, TimeSpan.FromDays(Consts.AccessTokenExpireDays));
            context.SetToken(guid);
        },
        OnReceive = (context) =>
        {
            // Look up the real ticket by the handle the client presented
            var token = RedisServer.GetValue(context.Token);
            // Unknown or expired handle: leave the ticket unset so the request is simply unauthenticated
            if (token == null)
            {
                return;
            }
            context.DeserializeTicket(token);
        }
    },
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromDays(Consts.AccessTokenExpireDays),
    // In production mode set AllowInsecureHttp = false
    AllowInsecureHttp = true,
};
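The following is an added example, not code from the original answer or from the OWIN project, showing the same reference-token pattern with two defensive refinements a practitioner would usually want: the handle is drawn from a CSPRNG rather than Guid.NewGuid() (whose randomness is not documented as cryptographically secure), and the server-side store is keyed by the SHA-256 of the handle, so a copy of the store alone does not contain usable credentials. The ReferenceTokenStore and ReferenceTokens classes are assumed names; the in-memory ConcurrentDictionary stands in for Redis or a database table, and the store's lifetime should match AccessTokenExpireTimeSpan.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Owin.Security.Infrastructure;

// Assumed helper (not part of OWIN): holds serialized tickets keyed by a hash of the opaque handle.
public sealed class ReferenceTokenStore
{
    private sealed class Entry
    {
        public string Ticket;
        public DateTimeOffset ExpiresAt;
    }

    // Stand-in for Redis/SQL; swap for a persistent store in production.
    private readonly ConcurrentDictionary<string, Entry> _entries =
        new ConcurrentDictionary<string, Entry>();

    // 32 random bytes -> 43-character base64url handle, far below the 250-char limit.
    public static string NewHandle()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Only the SHA-256 of the handle is stored; the handle itself never touches the store.
    private static string Key(string handle)
    {
        using (var sha = SHA256.Create())
        {
            var digest = sha.ComputeHash(Encoding.UTF8.GetBytes(handle));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    public void Put(string handle, string serializedTicket, TimeSpan lifetime)
    {
        _entries[Key(handle)] = new Entry
        {
            Ticket = serializedTicket,
            ExpiresAt = DateTimeOffset.UtcNow + lifetime
        };
    }

    // Returns null for an unknown or expired handle; expired entries are removed on sight.
    public string Get(string handle)
    {
        Entry entry;
        var key = Key(handle);
        if (!_entries.TryGetValue(key, out entry))
        {
            return null;
        }
        if (entry.ExpiresAt <= DateTimeOffset.UtcNow)
        {
            Entry removed;
            _entries.TryRemove(key, out removed);
            return null;
        }
        return entry.Ticket;
    }

    // Server-side storage also makes individual tokens revocable, which a self-contained ticket is not.
    public bool Revoke(string handle)
    {
        Entry removed;
        return _entries.TryRemove(Key(handle), out removed);
    }
}

// Wiring into the OWIN authorization server, same shape as the answer's AccessTokenProvider.
public static class ReferenceTokens
{
    public static readonly ReferenceTokenStore Store = new ReferenceTokenStore();

    public static AuthenticationTokenProvider CreateProvider(TimeSpan lifetime)
    {
        return new AuthenticationTokenProvider
        {
            OnCreate = context =>
            {
                var handle = ReferenceTokenStore.NewHandle();
                Store.Put(handle, context.SerializeTicket(), lifetime);
                context.SetToken(handle);            // client only ever sees the handle
            },
            OnReceive = context =>
            {
                var ticket = Store.Get(context.Token);
                if (ticket != null)                  // missing/expired: request stays unauthenticated
                {
                    context.DeserializeTicket(ticket);
                }
            }
        };
    }
}
```

In the Startup configuration this replaces the inline provider with `AccessTokenProvider = ReferenceTokens.CreateProvider(TimeSpan.FromDays(Consts.AccessTokenExpireDays))`. Because the client's copy of the handle is the only credential, the store must be treated like a password table (hashed keys, restricted access), and lookups should stay cheap, since every authenticated request now performs one.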
