How to authenticate an access token using OWIN OAuthBearerAuthentication?


Problem description

What I want:

  1. The token generator uses OAuthAuthorizationServer, and the token consumer uses OAuthBearerAuthentication (to authenticate the access token).
  2. Everything is managed in the OWIN pipeline: both the token handling and the Web API.

How the code looks:

using Microsoft.Owin.Security.OAuth;
using Owin;

public void Configuration(IAppBuilder app)
{
    app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
    {
        AuthorizeEndpointPath = "/Authorize",
        AllowInsecureHttp = true,
        Provider = new OAuthAuthorizationServerProvider 
        {
            OnGrantCustomExtension = GrantCustomExtension,
            OnValidateClientRedirectUri = ValidateClientRedirectUri,
            OnValidateClientAuthentication = ValidateClientAuthentication,
        }
    });

    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
    {
        // OAuthBearerAuthenticationProvider exposes the three hooks as
        // OnXxx delegate properties; ApplyChallenge/RequestToken/ValidateIdentity
        // are the interface methods that call them.
        Provider = new OAuthBearerAuthenticationProvider 
        { 
            //Handles applying the authentication challenge to the response message.
            OnApplyChallenge = MyApplyChallenge,

            //Handles processing OAuth bearer token.
            OnRequestToken = MyRequestToken,

            //Handles validating the identity produced from an OAuth bearer token.
            OnValidateIdentity = MyValidateIdentity,
        }
    });

    app.UseWebApi(new WebApplication3.Config.MyWebApiConfiguration());
}

What the problems are:

  1. The 3 properties of OAuthBearerAuthenticationProvider: ApplyChallenge, RequestToken and ValidateIdentity. How to implement the 3 methods?

In the token authentication process, what I thought is to decrypt the access token, validate the token from the client, and if the token is validated, put the identities of the token into HttpContext.Current.User.

The OAuthBearerAuthenticationProvider's responsibility is to fulfill the previous steps. Am I right?

Recommended answer

As you know, UseOAuthAuthorizationServer has the job of authenticating the user. Then, UseOAuthBearerAuthentication has the job of ensuring that only authenticated users can access your application. Often, these two jobs are assigned to different web applications. It looks like your application is doing both.

There are certainly some cases where you need to override the default OAuthBearerAuthenticationProvider. Maybe you do, or maybe you don't. In my case, ApplicationCookie didn't quite fit the scenario. So, I'm storing a 3rd party JWT token in a cookie, rather than the header, and using it to indicate that the user is authenticated to a web application. I also needed to redirect to my own login page, rather than provide a 401.

Here's an implementation that does both:

using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public class CustomOAuthBearerProvider : IOAuthBearerAuthenticationProvider
{
    // Name of the cookie that carries the JWT. The original answer references
    // SessionKey without defining it; this is a placeholder value.
    private const string SessionKey = "SessionKey";

    // Invoked when a 401 would be returned: redirect to the login page
    // instead of emitting a WWW-Authenticate challenge.
    public Task ApplyChallenge(OAuthChallengeContext context)
    {
        context.Response.Redirect("/Account/Login");
        return Task.FromResult<object>(null);
    }

    // Locate the token: read it from the cookie rather than the Authorization header.
    // Leaving context.Token unset makes the middleware treat the request as anonymous.
    public Task RequestToken(OAuthRequestTokenContext context)
    {
        string token = context.Request.Cookies[SessionKey];
        if (!string.IsNullOrEmpty(token))
        {
            context.Token = token;
        }
        return Task.FromResult<object>(null);
    }

    // The middleware has already unprotected the token and marked an
    // authenticated identity as validated before this is called, so
    // nothing extra is required here.
    public Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        return Task.FromResult<object>(null);
    }
}

I didn't need to do anything special in ValidateIdentity, but I needed to satisfy the interface.

To wire this up, tell your app to use JwtBearerAuthentication with your provider:

// controllers with an [Authorize] attribute will be validated with JWT
// (audiences and providers are collections populated elsewhere in the app)
app.UseJwtBearerAuthentication(
    new JwtBearerAuthenticationOptions
    {
        AllowedAudiences = audiences.ToArray(),
        IssuerSecurityTokenProviders = providers.ToArray(),
        Provider = new CustomOAuthBearerProvider()
    }
);
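For the asker's own scenario, where UseOAuthAuthorizationServer and UseOAuthBearerAuthentication run in the same OWIN application, the bearer middleware already unprotects the token with the shared default AccessTokenFormat before it calls the provider, so the provider does not decrypt anything itself. The following is an added example (not code from the question or the answer above) of all three IOAuthBearerAuthenticationProvider methods doing real work: RequestToken looks for the token in the Authorization header first and falls back to a cookie, ValidateIdentity rejects tokens that lack a required claim, and ApplyChallenge answers API callers with the standard WWW-Authenticate header while redirecting browser requests. The cookie name, the "scope" claim and its value, and the login path are assumptions.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Added example; assumes both OAuth middlewares share the app's default
// AccessTokenFormat so the ticket arrives already unprotected.
public class StrictBearerProvider : IOAuthBearerAuthenticationProvider
{
    private const string TokenCookieName = "access_token"; // assumed cookie name
    private const string RequiredScope = "api";            // assumed scope value

    // 1. Locate the token. Leaving context.Token unset makes the middleware
    //    skip this request, so the caller simply stays anonymous.
    public Task RequestToken(OAuthRequestTokenContext context)
    {
        string header = context.Request.Headers.Get("Authorization");
        if (!string.IsNullOrEmpty(header) &&
            header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
        {
            context.Token = header.Substring("Bearer ".Length).Trim();
        }
        else
        {
            // Fallback for browser clients that hold the token in a cookie.
            string cookie = context.Request.Cookies[TokenCookieName];
            if (!string.IsNullOrEmpty(cookie))
            {
                context.Token = cookie;
            }
        }
        return Task.FromResult<object>(null);
    }

    // 2. The ticket is already unprotected and expiry has been enforced by the
    //    middleware. Apply the application's own rule here; Rejected() leaves
    //    the request unauthenticated rather than throwing.
    public Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        ClaimsIdentity identity = context.Ticket == null ? null : context.Ticket.Identity;
        if (identity == null || !identity.IsAuthenticated)
        {
            context.Rejected();
            return Task.FromResult<object>(null);
        }

        if (!identity.HasClaim("scope", RequiredScope))
        {
            context.Rejected(); // token was not issued for this API
            return Task.FromResult<object>(null);
        }

        context.Validated();
        return Task.FromResult<object>(null);
    }

    // 3. Called when a 401 is produced. API callers get the challenge header;
    //    interactive browser requests are redirected to the login page.
    public Task ApplyChallenge(OAuthChallengeContext context)
    {
        string accept = context.Request.Accept ?? string.Empty;
        if (accept.IndexOf("text/html", StringComparison.OrdinalIgnoreCase) >= 0)
        {
            context.Response.Redirect("/Account/Login"); // assumed login path
        }
        else
        {
            context.Response.Headers.AppendValues("WWW-Authenticate", context.Challenge);
        }
        return Task.FromResult<object>(null);
    }
}

public static class BearerStartup
{
    public static void ConfigureBearer(IAppBuilder app)
    {
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            // AccessTokenFormat is left at its default so it matches the
            // format UseOAuthAuthorizationServer uses in the same app.
            Provider = new StrictBearerProvider()
        });
    }
}
```

Register ConfigureBearer from the OWIN Startup class after UseOAuthAuthorizationServer and before UseWebApi, exactly where the question's UseOAuthBearerAuthentication call sits. If the cookie fallback is kept, mark the cookie HttpOnly and Secure when it is issued; the scope check in ValidateIdentity is where a token minted for another audience gets turned away.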
