在两个Web API项目之间共享OAuth令牌 [英] Sharing OAuth Tokens Across Two Web API projects

问题描述

我已经创建了具有OAuth令牌身份验证的Web API应用程序.当令牌服务器与服务在同一应用程序上运行时，此方法可以正常工作.但是，我想将授权服务移到其自己的应用程序(VS项目)中，并在我正在处理的多个Web API项目中使用它.但是，当我将授权逻辑隔离到自己的项目中时，原始服务不再将生成的令牌视为有效令牌.我的问题是，一个Web API项目是否可以生成令牌以供另一个项目验证?这是我的auth服务和原始服务的OWIN启动代码

I have created a Web API application with OAuth token authentication. This worked without issue when the token server was running on the same application as the service. However, I'd like to move the authorization service into its own application (VS project) and use it across several Web API projects I am working on. However, when I isolated the authorization logic into it's own project the original service no longer treats the tokens generated as valid. My question is, is it possible for one Web API project to generate a token for another one to validate? Here is my OWIN startup code for both the auth service and the original service

身份验证服务:

public void Configuration(IAppBuilder app)
    {
        // For more information on how to configure your application, visit http://go.microsoft.com/fwlink/?LinkID=316888
        HttpConfiguration config = new HttpConfiguration();

        ConfigureOAuth(app);

        WebApiConfig.Register(config);
        app.UseWebApi(config);
        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
    }

    private void ConfigureOAuth(IAppBuilder app)
    {
        OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
        {
            AllowInsecureHttp = true,
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
            Provider = new SimpleAuthorizationServerProvider()
        };

        // Token Generation
        app.UseOAuthAuthorizationServer(OAuthServerOptions);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }

原始服务:

public void Configuration(IAppBuilder app)
    {
        ConfigureOAuth(app);
        // For more information on how to configure your application, visit http://go.microsoft.com/fwlink/?LinkID=316888
        HttpConfiguration config = new HttpConfiguration();

        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));


        WebApiConfig.Register(config);

        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
        app.UseWebApi(config);
    }

    public void ConfigureOAuth(IAppBuilder app)
    {
        var oauthBearerOptions = new OAuthBearerAuthenticationOptions();
        app.UseOAuthBearerAuthentication(oauthBearerOptions);
    }

推荐答案

在自己研究这个问题时，偶然发现了这个问题.TL; DR的答案是令牌是使用machine.config文件中的machineKey属性生成的:如果要在多台服务器上托管，则需要覆盖它.

Just stumbled across this Q whilst researching this myself. The TL;DR answer is that Tokens are generated using the machineKey properties in the machine.config file: if you want to host on multiple servers you need to override this.

可以在web.config中覆盖MachineKey:

The MachineKey can be overridden in web.config :

<system.web>
<machineKey validationKey="VALUE GOES HERE" 
            decryptionKey="VALUE GOES HERE" 
            validation="SHA1" 
            decryption="AES"/>
</system.web>

机器密钥应在本地生成-使用在线服务不是不安全的.用于生成密钥的知识库文章

Machine Keys should be generated locally - using an online service is not secure. KB Article for generating keys

此处所有原始参考 查看全文