OWIN OAuth: differentiate expired and invalid token


Question

I use OWIN OAuth in my ASP.NET MVC application to provide access tokens for mobile applications. Here's the setup of OAuth:

app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
{
    // Endpoint the mobile app posts credentials (or a refresh token) to
    TokenEndpointPath = new PathString("/api/authenticate/login"),
    Provider = dependencyContainer.GetService<IOAuthAuthorizationServerProvider>(),
    RefreshTokenProvider = dependencyContainer.GetService<IAuthenticationTokenProvider>(),
    AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(applicationSettings.AccessTokenLifeTimeInMinutes),
    // Lets the token endpoint answer over plain HTTP; acceptable only for development
    AllowInsecureHttp = true
});

// Validates the bearer token on incoming requests
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

I also have a custom provider and a custom refresh token provider, as you can see above. Everything is working fine: when a request from mobile is expired or invalid, I use a custom AuthorizeAttribute to return JSON with the message "unauthorized".

using System.Web.Mvc;

public class ApiAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Replace the default redirect-to-login with a JSON body for the mobile client.
        // Note: the status code is left at 200 here, so the client has to inspect the body.
        filterContext.Result = new JsonResult
        {
            Data = new
            {
                success = false,
                error = "Unauthorized"
            },
            JsonRequestBehavior = JsonRequestBehavior.AllowGet
        };
    }
}

However, in one scenario the mobile applications need to differentiate the server's response for two cases: the access token is expired, or the access token is invalid (e.g. modified in the middle). I'm not sure how I can implement that requirement. I tried to create a custom access token provider inheriting from AuthenticationTokenProvider and registered it in UseOAuthAuthorizationServer() above, but neither Receive() nor ReceiveAsync() is called when the server receives an access token from mobile.

Recommended answer

Solved the issue. My approach of creating a custom access token provider works. Initially I registered it with UseOAuthAuthorizationServer(), but it should be registered using UseOAuthBearerAuthentication() instead.

Here's my custom class, in case anyone needs it:

using System;
using Microsoft.Owin.Security.Infrastructure;

public class CustomAccessTokenProvider : AuthenticationTokenProvider
{
    public override void Receive(AuthenticationTokenReceiveContext context)
    {
        // Unprotect the raw bearer token with the bearer middleware's AccessTokenFormat.
        // With the default TicketDataFormat, Unprotect returns null rather than throwing
        // when the token fails its integrity check (i.e. it was tampered with), so guard
        // against a null ticket before touching its properties.
        context.DeserializeTicket(context.Token);
        if (context.Ticket == null)
        {
            base.Receive(context);
            return;
        }

        var expiresUtc = context.Ticket.Properties.ExpiresUtc;
        var expired = expiresUtc.HasValue && expiresUtc.Value < DateTimeOffset.UtcNow;
        if (expired)
        {
            // If the current token is expired, set a custom response header. The bearer
            // handler still rejects the request itself; this only tells the client why.
            context.Response.Headers.Add("X-AccessTokenExpired", new string[] { "1" });
        }

        base.Receive(context);
    }
}

Register it when setting up OWIN OAuth:

app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
    AccessTokenProvider = new CustomAccessTokenProvider()
});
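The answer above hooks into the one place where the bearer middleware hands the raw token to application code, but it only signals the expired case and it reads the ticket without checking that deserialization succeeded. The following console program is an added example, not code from the original post: it classifies a token as valid, expired or invalid inside `AccessTokenProvider.Receive` and drives that provider offline through an `AuthenticationTokenReceiveContext`, which is exactly what `OAuthBearerAuthenticationHandler` does on a real request. The class names `ClassifyingAccessTokenProvider` and `Demo` and the environment key `demo.tokenState` are assumptions of this example; the `DpapiDataProtectionProvider` stands in for the protector Katana creates inside a web application (both are the same `TicketDataFormat`, only the key source differs). It needs the Microsoft.Owin and Microsoft.Owin.Security packages and, because of DPAPI, Windows.

```csharp
using System;
using System.Security.Claims;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;
using Microsoft.Owin.Security.Infrastructure;

// Added example (not from the original post). Runs in AccessTokenProvider.Receive, the same
// extension point the answer uses, and records which of three states the token is in.
public class ClassifyingAccessTokenProvider : AuthenticationTokenProvider
{
    // Assumed key name; it only has to match whatever reads the state later (e.g. the MVC filter).
    public const string StateKey = "demo.tokenState";

    public override void Receive(AuthenticationTokenReceiveContext context)
    {
        // Unprotect performs the integrity check (DPAPI / machine-key MAC) before anything else.
        // A tampered token therefore never yields a ticket and cannot be mistaken for "expired".
        context.DeserializeTicket(context.Token);

        string state;
        if (context.Ticket == null)
        {
            state = "invalid";
        }
        else if (context.Ticket.Properties.ExpiresUtc.HasValue &&
                 context.Ticket.Properties.ExpiresUtc.Value < DateTimeOffset.UtcNow)
        {
            state = "expired";
            // Same header the answer uses; the bearer handler still rejects the request itself.
            context.Response.Headers.Set("X-AccessTokenExpired", "1");
        }
        else
        {
            state = "valid";
        }

        // Stash the verdict in the OWIN environment so a later stage can turn it into a distinct response.
        context.OwinContext.Set(StateKey, state);
        base.Receive(context);
    }
}

public static class Demo
{
    // Feeds one raw token through the provider and returns the recorded state.
    public static string Classify(ISecureDataFormat<AuthenticationTicket> format, string token)
    {
        var owin = new OwinContext();
        var ctx = new AuthenticationTokenReceiveContext(owin, format, token);
        new ClassifyingAccessTokenProvider().Receive(ctx);
        return owin.Get<string>(ClassifyingAccessTokenProvider.StateKey);
    }

    // Issues a token the way the authorization server does: a ticket protected by the same format.
    static string Issue(ISecureDataFormat<AuthenticationTicket> format, TimeSpan lifetime)
    {
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "alice") }, "Bearer");
        var props = new AuthenticationProperties
        {
            IssuedUtc = DateTimeOffset.UtcNow,
            ExpiresUtc = DateTimeOffset.UtcNow.Add(lifetime)
        };
        return format.Protect(new AuthenticationTicket(identity, props));
    }

    public static void Main()
    {
        // Stand-in for the protector Katana wires up inside the web app (assumption of this example).
        IDataProtector protector = new DpapiDataProtectionProvider("TokenDemo").Create("Access_Token", "v1");
        var format = new TicketDataFormat(protector);

        string valid = Issue(format, TimeSpan.FromMinutes(20));
        string expired = Issue(format, TimeSpan.FromMinutes(-1));   // ExpiresUtc already in the past

        // "Modified in the middle": flip one character of an otherwise valid token.
        int mid = valid.Length / 2;
        string tampered = valid.Substring(0, mid) + (valid[mid] == 'a' ? 'b' : 'a') + valid.Substring(mid + 1);

        Console.WriteLine("valid    -> " + Classify(format, valid));
        Console.WriteLine("expired  -> " + Classify(format, expired));
        Console.WriteLine("tampered -> " + Classify(format, tampered));
    }
}
```

In the web application the provider is registered exactly as in the answer (`AccessTokenProvider = new ClassifyingAccessTokenProvider()` on `OAuthBearerAuthenticationOptions`), and the MVC filter can read the verdict with `filterContext.HttpContext.GetOwinContext().Get<string>(ClassifyingAccessTokenProvider.StateKey)` (the `GetOwinContext()` extension from Microsoft.Owin.Host.SystemWeb) to return a different error code for `expired` than for `invalid`, so the mobile app knows whether to use its refresh token or to prompt for login. The ordering matters for security: the expiry decision is taken only on a ticket whose integrity check passed, so a client cannot forge a token that the server reports as merely expired.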
