ASP.NET Web API and OpenID Connect: how to get Access Token from Authorization Code


Problem description


I try to get OpenID Connect running... A user of my Web API managed to get an Authorization Code from an OpenID Connect Provider. How am I supposed to pass this code to my ASP.NET Web API? How do I have to configure OWIN Middleware such that I can get an Access Token using the Authorization Code?


UPDATE: A SPA uses AJAX for communicating with my web service (ASP.NET Web API). In my web service I use OWIN Middleware. I set OpenIDConnect as the authentication mechanism. When the web service is called for the first time it successfully redirected the user to the login page of the OpenID Connect Provider. The user could log in and got an Authorization Code as a result. AFAIK this code could now be used (by my web service) to get an Access Token. However, I don't know how to get this code back to my web service (is this done using a header?) and then what to configure to get the Access Token. I guess I could call the token endpoint manually but I would like to take advantage of the OWIN component instead.

Recommended answer

Looks like the recommended approach is to use the AuthorizationCodeReceived event to exchange the Auth code for an Access Token. Vittorio has a blog entry (http://www.cloudidentity.com/blog/2014/05/11/openid-connect-and-ws-fed-owin-components-design-principles-object-model-and-pipeline/) that outlines the overall flow.

Here's an example from this sample app on GitHub (https://github.com/AzureADSamples/WebApp-WebAPI-MultiTenant-OpenIdConnect-DotNet/blob/master/TodoListWebApp/App_Start/Startup.Auth.cs#L46) of the Startup.Auth.cs code to set this up:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = Authority,
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            // Raised once, right after the provider redirects back with the authorization code.
            AuthorizationCodeReceived = (context) =>
            {
                var code = context.Code;
                // The client secret (appKey) authenticates this app at the token endpoint.
                ClientCredential credential = new ClientCredential(clientId, appKey);
                string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
                string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                // Per-user token cache: the access token obtained here is kept for later requests.
                AuthenticationContext authContext = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantID), new EFADALTokenCache(signedInUserID));
                // Redeem the code at the token endpoint; the redirect URI must match the one used for the sign-in request.
                AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                    code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceID);

                return Task.FromResult(0);
            },
            ...
        }
    });


Note: The AuthorizationCodeReceived event is invoked only once when authorization really takes place. If the auth code is already generated and stored, this event is not invoked. You have to logout or clear cookies to force this event to take place.
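Because the event fires only once, the token has to be cached at that moment and read back from the cache on later requests. The following is an added example (not code from the answer or from the linked sample) of a single-tenant Startup.Auth.cs that does that with ADAL 2.x synchronous APIs: an in-memory per-user TokenCache (hypothetical PerUserTokenCache, standing in for the sample's EFADALTokenCache), an AuthorizationCodeReceived handler that redeems the code, an AuthenticationFailed handler so protocol errors do not surface as 500s, and a helper that later pulls the access token silently. ClientId, AppKey, Authority, RedirectUri and ResourceId are placeholders you must supply.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Hypothetical per-user token cache kept in process memory (example only;
// a real deployment persists it, as the sample's EFADALTokenCache does).
public class PerUserTokenCache : TokenCache
{
    private static readonly ConcurrentDictionary<string, byte[]> Store =
        new ConcurrentDictionary<string, byte[]>();
    private readonly string userId;

    public PerUserTokenCache(string userId)
    {
        this.userId = userId;
        // Load this user's entries before ADAL reads the cache.
        this.BeforeAccess = args =>
        {
            byte[] blob;
            if (Store.TryGetValue(userId, out blob)) this.Deserialize(blob);
        };
        // Persist only when ADAL actually changed something.
        this.AfterAccess = args =>
        {
            if (this.HasStateChanged)
            {
                Store[userId] = this.Serialize();
                this.HasStateChanged = false;
            }
        };
    }
}

public partial class Startup
{
    // Placeholders: replace with the values registered at your identity provider.
    private static readonly string ClientId = "<client-id>";
    private static readonly string AppKey = "<client-secret>";
    private static readonly string Authority = "https://login.windows.net/<tenant-id>";
    private static readonly string RedirectUri = "https://localhost:44300/";
    private static readonly string ResourceId = "<resource-id-of-the-api-you-call>";

    public void ConfigureAuth(IAppBuilder app)
    {
        // The OIDC middleware signs the user in through the cookie middleware.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            RedirectUri = RedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs once per real sign-in: redeem the code and let ADAL store the result.
                AuthorizationCodeReceived = context =>
                {
                    string userId = context.AuthenticationTicket.Identity
                        .FindFirst(ClaimTypes.NameIdentifier).Value;
                    var authContext = new AuthenticationContext(Authority, new PerUserTokenCache(userId));
                    authContext.AcquireTokenByAuthorizationCode(
                        context.Code, new Uri(RedirectUri), new ClientCredential(ClientId, AppKey), ResourceId);
                    return Task.FromResult(0);
                },
                // Stop the middleware from throwing on a bad response; send the user to an error page instead.
                AuthenticationFailed = context =>
                {
                    context.HandleResponse();
                    context.Response.Redirect("/Error?message=" + Uri.EscapeDataString(context.Exception.Message));
                    return Task.FromResult(0);
                }
            }
        });
    }

    // On later requests the event does not fire again; read the cached token silently.
    // Returns null when nothing is cached (e.g. after an app restart) so the caller can force a fresh sign-in.
    public static string GetAccessTokenForCurrentUser(ClaimsPrincipal user)
    {
        string userId = user.FindFirst(ClaimTypes.NameIdentifier).Value;
        var authContext = new AuthenticationContext(Authority, new PerUserTokenCache(userId));
        try
        {
            AuthenticationResult result = authContext.AcquireTokenSilent(
                ResourceId, new ClientCredential(ClientId, AppKey), UserIdentifier.AnyUser);
            return result.AccessToken;
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            return null;
        }
    }
}
```

A controller would call GetAccessTokenForCurrentUser(ClaimsPrincipal.Current) and, on null, challenge the OpenID Connect middleware again; that is the same situation the note above describes, where clearing cookies (or losing the cache) is what makes AuthorizationCodeReceived fire once more.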
