使用IdentityServer和Autofac保护Webapi-无法获得声明 [英] Protecting webapi with IdentityServer and Autofac - can't get claims

问题描述

我正在尝试使用Autofac通过IdentityServer和OpenID Connect保护我的webapi.我正在使用OWIN.但是由于某种原因，我无法获得用户的要求.似乎根本没有触发AccessTokenValidation.这使我认为启动时声明的顺序出了问题.这是我的创业公司.

I'm trying to protect my webapi with IdentityServer and OpenID Connect using Autofac. I'm using OWIN. But for some reason I can't get claims of the user. It seems that AccessTokenValidation is not triggered at all. That makes me think there is something wrong in the order of my declarations at my startup. Here is my startup.

public class Startup {

    public void Configuration(IAppBuilder appBuilder) {

        // Add authentication
        this.AddAuthentication(appBuilder);

        HttpConfiguration config = new HttpConfiguration();
        var container = CreateAutofacContainer();

        var resolver = new AutofacWebApiDependencyResolver(container);
        config.DependencyResolver = resolver;  
        WebApiConfig.Register(config);
        config.EnsureInitialized();

        // Register config - you can't add anything to pipeline after this
        appBuilder.UseAutofacMiddleware(container);
        appBuilder.UseAutofacWebApi(config);
        appBuilder.UseWebApi(config);       
    }

    private static IContainer CreateAutofacContainer() {

        var autofacBuilder = new ContainerBuilder();

        var assembly = Assembly.GetExecutingAssembly();

        // Register your Web API controllers.
        autofacBuilder.RegisterApiControllers(assembly);

        // For general logging implementation
        autofacBuilder.RegisterType<ConsoleLogger>().As<ILogger>();

        // Create empty usage context to be filled in OWIN pipeline
        IUsageContext usageContext = new RuntimeUsageContext();
        autofacBuilder.RegisterInstance(usageContext).As<IUsageContext>().SingleInstance();

        // We need to get usage context builded
        autofacBuilder.RegisterType<OIDCUsageContextProvider>().InstancePerRequest();

        var container = autofacBuilder.Build();
        return container;
    }

    private void AddAuthentication(IAppBuilder app) {

        var options = new IdentityServerBearerTokenAuthenticationOptions();

        options.Authority = "MYAUTHORITY";
        options.RequiredScopes = new[] { "openid", "profile", "email", "api" };
        options.ValidationMode = ValidationMode.ValidationEndpoint;
        app.UseIdentityServerBearerTokenAuthentication(options);

        // Add local claims if needed
        app.UseClaimsTransformation(incoming => {

            // either add claims to incoming, or create new principal
            var appPrincipal = new ClaimsPrincipal(incoming);
            // incoming.Identities.First().AddClaim(new Claim("appSpecific", "some_value"));

            return Task.FromResult(appPrincipal);
        });
    }

我正在使用混合流，并且从SPA应用程序中调用了api.我已经验证(通过直接调用我的身份服务器的终结点)访问令牌有效，并且有可用的声明.我还下载了IdentityServer.AccessTokenValidation项目，并将其附加为参考.当我为该项目中的方法设置一些断点时，它们永远不会被调用.这就是为什么我认为我的启动和OWIN管道出问题了.

I'm using hybrid flow and api is called from SPA-application. I've verified (by calling my identity server's endpoint directly) that access token is valid and there are claims available. I also downloaded IdentityServer.AccessTokenValidation project and attached it as a reference. When I set some breakpoints to methods in that project, they never get called. That is why I think there is something wrong with my startup and OWIN pipeline.

我已经在启动时声明了UsageContext.我正在使用该类来收集声明和一些配置设置-注入到实际的控制器中.我认为这将是处理此问题的好方法，因此在控制器中始终有有效的UsageContext.

I've declared UsageContext in my startup. It is a class I'm using to collect claims and some configuration settings - to be injected to actual controllers. I think it would be nice way to handle this, so in controllers there is always valid UsageContext available.

我已经阅读了许多示例和示例，但仍然没有发现完全相同的情况.我将为您指明正确方向的任何尝试表示感谢.

I've read a lot of samples and examples but still haven't found exactly same situation. I'll appreciate any attempts to point me into right direction.

关于， 鲍尔

推荐答案

原来，AccessTokenValidation中有一些神秘的行-库不起作用.我使用该库获取索偿.更改生产线后，一切似乎正常.

It turned out that there was some mysterious line in AccessTokenValidation - library that didn't work. I use that library to get claims. After changing the line everything seemed to work.

所以基本上我的问题现在已经关闭，并且一切正常.但是我仍然不完全相信这是正确的方法.

So basically my question is closed now and stuff works. But I'm still not totally convinced this is the right way to do this.

感谢约翰的评论！

这篇关于使用IdentityServer和Autofac保护Webapi-无法获得声明的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！