OWIN change claims without logging user out or re-issuing token


Problem description

My current implementation uses OWIN token implementation using the standard functionality using endpoints:

e.g. the /token endpoint, and then using the method below:

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // authentication code + claim assignment (elided in the original post)
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        // ... add the authenticated user's claims to identity here ...
        var ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
        context.Validated(ticket);
    }

I am trying to impersonate a user. Ideally I would like to be able to recall / re-run my code in the GrantResourceOwnerCredentials, but this only seems to be run with the /token endpoint. Or find a way to regenerate the token claims and send those to the user manually in my own endpoint, e.g. a /tokenimpersonate method?

I do not use cookies; this is a pure token implementation.

The other alternative is that I could adjust the claims on an existing user, but my understanding is I need to log them out and log them in again; in this case how do I pass a new token to the front-end?

Recommended answer

This is the code I eventually used to make this work:

    // Inside a Web API action. dbUser (the user to impersonate), db (the data context),
    // authTypeNames and CreateProperties come from the surrounding code, which is not shown in the post.
    Authentication.SignOut(authTypeNames.ToArray());

    // The AuthenticationType must match what the /token endpoint issues,
    // otherwise the bearer middleware will not accept the ticket.
    var oAuthIdentity = new ClaimsIdentity(OAuthDefaults.AuthenticationType);
    oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, dbUser.Username));
    oAuthIdentity.AddClaim(new Claim(ClaimTypes.NameIdentifier, dbUser.User_ID.ToString()));
    oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, dbUser.UserRole));
    oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, dbUser.User_ID.ToString()));

    // adds only certain docadmin ids to the role.
    if (dbUser.UserRole == Medapp.BusinessFacade.Constants.ROLE_SECRETARY)
    {
        // /doc/home

        // add guids of all the doctors as roles
        var roles = db.OfficeAdministrators.Where(p => p.Admin_ID == dbUser.User_ID);
        foreach (var role in roles)
        {
            oAuthIdentity.AddClaim(new Claim(ClaimTypes.Role, role.Doctor_ID.ToString()));
        }
    }

    List<Claim> jroles = oAuthIdentity.Claims.Where(c => c.Type == ClaimTypes.Role).ToList();
    AuthenticationProperties properties = CreateProperties(dbUser.User_ID.ToString(), dbUser.UserRole, dbUser.Username, Newtonsoft.Json.JsonConvert.SerializeObject(jroles.Select(x => x.Value))); //user.UserName);

    properties.IsPersistent = true;
    // The original used new DateTime().AddDays(365), i.e. year 0001; the value is overwritten below anyway.
    properties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(365);

    var ticket = new AuthenticationTicket(oAuthIdentity, properties);

    // Note: a 365-day bearer token with no server-side revocation stays valid for a year if it leaks.
    DateTime currentUtc = DateTime.UtcNow;
    ticket.Properties.IssuedUtc = currentUtc;
    ticket.Properties.ExpiresUtc = currentUtc.Add(TimeSpan.FromDays(365));
    // Same data format the /token endpoint uses, so the existing bearer middleware can unprotect it.
    string accessToken = Startup.OAuthOptions.AccessTokenFormat.Protect(ticket);

    JObject token = new JObject(
        new JProperty("username", dbUser.Username),
        new JProperty("token", accessToken),
        new JProperty("uid", dbUser.User_ID.ToString()),
        new JProperty("type", dbUser.UserRole),
        new JProperty("roles", Newtonsoft.Json.JsonConvert.SerializeObject(jroles.Select(x => x.Value))),
        new JProperty("access_token", accessToken),
        new JProperty("token_type", "bearer"),
        new JProperty("expires_in", TimeSpan.FromDays(365).TotalSeconds.ToString()),
        new JProperty("issued", currentUtc.ToString("ddd, dd MMM yyyy HH':'mm':'ss 'GMT'")),
        new JProperty("expires", currentUtc.Add(TimeSpan.FromDays(365)).ToString("ddd, dd MMM yyyy HH':'mm':'ss 'GMT'"))
    );

    return Ok(token);
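As an added example (not code from the original post), a self-contained Web API endpoint that mints an impersonation token with the same AccessTokenFormat the answer uses, but restricted to a caller role, carrying an Actor claim that names the real caller, and with a short lifetime. Startup.OAuthOptions is taken from the page; the "admin" role, the LookupRoles helper and the 30-minute lifetime are assumptions.

```csharp
using System;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// Added example, not from the original post. Assumes Startup.OAuthOptions is the
// OAuthAuthorizationServerOptions registered in Startup (as on the page), conventional
// Web API routing (POST api/TokenImpersonate) and a caller already holding a bearer token.
[Authorize(Roles = "admin")] // hypothetical role name: only admins may impersonate
public class TokenImpersonateController : ApiController
{
    private static readonly TimeSpan ImpersonationLifetime = TimeSpan.FromMinutes(30);

    public IHttpActionResult Post([FromBody] string targetUserId)
    {
        var caller = (ClaimsIdentity)User.Identity;
        var callerId = caller.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(callerId) || string.IsNullOrEmpty(targetUserId)) return BadRequest();

        // Fresh identity for the target; the AuthenticationType must match what /token issues
        // or the bearer middleware will reject the ticket.
        var identity = new ClaimsIdentity(OAuthDefaults.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, targetUserId));
        identity.AddClaim(new Claim(ClaimTypes.Name, targetUserId)); // hypothetical: real username from DB
        // Record the real actor so audit logs can distinguish impersonated sessions.
        identity.AddClaim(new Claim(ClaimTypes.Actor, callerId));
        // Roles come from the target's own record, never copied from the caller.
        foreach (var role in LookupRoles(targetUserId))
            identity.AddClaim(new Claim(ClaimTypes.Role, role));

        var now = DateTimeOffset.UtcNow;
        var props = new AuthenticationProperties { IssuedUtc = now, ExpiresUtc = now.Add(ImpersonationLifetime) };
        var ticket = new AuthenticationTicket(identity, props);
        // Same format the /token endpoint uses, so the existing bearer middleware accepts it.
        string accessToken = Startup.OAuthOptions.AccessTokenFormat.Protect(ticket);

        return Ok(new
        {
            access_token = accessToken,
            token_type = "bearer",
            expires_in = (int)ImpersonationLifetime.TotalSeconds,
            impersonated_uid = targetUserId,
            actor_uid = callerId
        });
    }

    // Hypothetical stand-in for a database lookup of the target user's roles.
    private static string[] LookupRoles(string userId) { return new[] { "user" }; }
}
```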
