在两个 Web API 项目之间共享 OAuth 令牌 [英] Sharing OAuth Tokens Across Two Web API projects

问题描述

我使用 OAuth 令牌身份验证创建了一个 Web API 应用程序.当令牌服务器与服务在同一应用程序上运行时，这没有问题.但是，我想将授权服务移动到它自己的应用程序(VS 项目)中，并在我正在处理的多个 Web API 项目中使用它.但是，当我将授权逻辑隔离到它自己的项目中时，原始服务不再将生成的令牌视为有效.我的问题是，一个 Web API 项目是否有可能为另一个项目生成令牌以进行验证?这是我的 auth 服务和原始服务的 OWIN 启动代码

I have created a Web API application with OAuth token authentication. This worked without issue when the token server was running on the same application as the service. However, I'd like to move the authorization service into its own application (VS project) and use it across several Web API projects I am working on. However, when I isolated the authorization logic into it's own project the original service no longer treats the tokens generated as valid. My question is, is it possible for one Web API project to generate a token for another one to validate? Here is my OWIN startup code for both the auth service and the original service

身份验证服务:

public void Configuration(IAppBuilder app)
    {
        // For more information on how to configure your application, visit http://go.microsoft.com/fwlink/?LinkID=316888
        HttpConfiguration config = new HttpConfiguration();

        ConfigureOAuth(app);

        WebApiConfig.Register(config);
        app.UseWebApi(config);
        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
    }

    private void ConfigureOAuth(IAppBuilder app)
    {
        OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
        {
            AllowInsecureHttp = true,
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
            Provider = new SimpleAuthorizationServerProvider()
        };

        // Token Generation
        app.UseOAuthAuthorizationServer(OAuthServerOptions);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }

原始服务:

public void Configuration(IAppBuilder app)
    {
        ConfigureOAuth(app);
        // For more information on how to configure your application, visit http://go.microsoft.com/fwlink/?LinkID=316888
        HttpConfiguration config = new HttpConfiguration();

        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));


        WebApiConfig.Register(config);

        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
        app.UseWebApi(config);
    }

    public void ConfigureOAuth(IAppBuilder app)
    {
        var oauthBearerOptions = new OAuthBearerAuthenticationOptions();
        app.UseOAuthBearerAuthentication(oauthBearerOptions);
    }

推荐答案

我自己在研究这个问题时偶然发现了这个 Q.TL;DR 的答案是使用 machine.config 文件中的 machineKey 属性生成令牌:如果您想在多个服务器上托管，您需要覆盖它.

Just stumbled across this Q whilst researching this myself. The TL;DR answer is that Tokens are generated using the machineKey properties in the machine.config file: if you want to host on multiple servers you need to override this.

可以在 web.config 中覆盖 MachineKey:

The MachineKey can be overridden in web.config :

<system.web>
<machineKey validationKey="VALUE GOES HERE" 
            decryptionKey="VALUE GOES HERE" 
            validation="SHA1" 
            decryption="AES"/>
</system.web>

机器密钥应该在本地生成 - 使用在线服务不安全.用于生成密钥的知识库文章

Machine Keys should be generated locally - using an online service is not secure. KB Article for generating keys

所有这些的原始参考 http://bitoftech.net/2014/09/24/decouple-owin-authorization-server-resource-server-oauth-2-0-web-api

这篇关于在两个 Web API 项目之间共享 OAuth 令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！