Configure the authorization server endpoint


Question


How do we use a bearer token with ASP.NET 5 using a username and password flow? For our scenario, we want to let a user register and login using AJAX calls without needing to use an external login.


To do this, we need to have an authorization server endpoint. In the previous versions of ASP.NET we would do the following and then login at the ourdomain.com/Token URL.

// Configure the application for OAuth based flow
PublicClientId = "self";
OAuthOptions = new OAuthAuthorizationServerOptions
{
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId),
    AccessTokenExpireTimeSpan = TimeSpan.FromDays(14)
};

In the current version of ASP.NET, though, the above doesn't work. We've been trying to figure out the new approach. The aspnet/identity example on GitHub (https://github.com/aspnet/Identity/blob/dev/samples/IdentitySample.Mvc/Startup.cs#L50-L64), for instance, configures Facebook, Google, and Twitter authentication but does not appear to configure a non-external OAuth authorization server endpoint, unless that's what AddDefaultTokenProviders() (https://github.com/aspnet/Identity/blob/dev/samples/IdentitySample.Mvc/Startup.cs#L48) does, in which case we're wondering what the URL to the provider would be.

We've learned from reading the source here (https://github.com/aspnet/Security/blob/79b190288e115d10ecf3f0b3598250a5489a063d/src/Microsoft.AspNet.Authentication.OAuthBearer/OAuthBearerAuthenticationMiddleware.cs#L20-L22) that we can add "bearer authentication middleware" to the HTTP pipeline by calling IAppBuilder.UseOAuthBearerAuthentication in our Startup class. This is a good start, though we're still not sure how to set its token endpoint. This didn't work:

public void Configure(IApplicationBuilder app)
{  
    app.UseOAuthBearerAuthentication(options =>
    {
        options.MetadataAddress = "meta";
    });

    // if this isn't here, we just get a 404
    app.Run(async context =>
    {
        await context.Response.WriteAsync("Hello World.");
    });
}


On going to ourdomain.com/meta we just receive our hello world page.

Further research showed that we can also use the IAppBuilder.UseOAuthAuthentication extension method, and that it takes an OAuthAuthenticationOptions parameter. That parameter has a TokenEndpoint property (https://github.com/aspnet/Security/blob/79b190288e115d10ecf3f0b3598250a5489a063d/src/Microsoft.AspNet.Authentication.OAuth/OAuthAuthenticationOptions.cs#L41-L44). So though we're not sure what we're doing, we tried this, which of course didn't work.

public void Configure(IApplicationBuilder app)
{
    app.UseOAuthAuthentication("What is this?", options =>
    {
        options.TokenEndpoint = "/token";
        options.AuthorizationEndpoint = "/oauth";
        options.ClientId = "What is this?";
        options.ClientSecret = "What is this?";
        options.SignInScheme = "What is this?";
        options.AutomaticAuthentication = true;
    });

    // if this isn't here, we just get a 404
    app.Run(async context =>
    {
        await context.Response.WriteAsync("Hello World.");
    });
}

In other words, on going to ourdomain.com/token there is no error; there is just our hello world page again.

Answer

Okay, let's recap the different OAuth2 middleware (and their respective IAppBuilder extensions) that were offered by OWIN/Katana 3 and the ones that will be ported to ASP.NET 5:

  • app.UseOAuthBearerAuthentication/OAuthBearerAuthenticationMiddleware: its name was not terribly obvious, but it was (and still is, as it has been ported to ASP.NET 5) responsible for validating access tokens issued by the OAuth2 server middleware. It's basically the token counterpart of the cookies middleware and is used to protect your APIs. In ASP.NET 5, it has been enriched with optional OpenID Connect features (it is now able to automatically retrieve the signing certificate from the OpenID Connect server that issued the tokens).

Note: starting with ASP.NET 5 beta8, it is now named app.UseJwtBearerAuthentication/JwtBearerAuthenticationMiddleware.


  • app.UseOAuthAuthorizationServer/OAuthAuthorizationServerMiddleware: as the name suggests, OAuthAuthorizationServerMiddleware was an OAuth2 authorization server middleware and was used to create and issue access tokens. This middleware won't be ported to ASP.NET 5: OAuth Authorization Service in ASP.Net MVC 6 (http://stackoverflow.com/questions/29055477/oauth-authorization-service-in-asp-net-mvc-6/).

  • app.UseOAuthBearerTokens: this extension didn't really correspond to a middleware and was simply a wrapper around app.UseOAuthAuthorizationServer and app.UseOAuthBearerAuthentication. It was part of the ASP.NET Identity package and was just a convenient way to configure both the OAuth2 authorization server and the OAuth2 bearer middleware used to validate access tokens in a single call. It won't be ported to ASP.NET 5.


ASP.NET 5 will offer a whole new middleware (and I'm proud to say I designed it):


  • app.UseOAuthAuthentication/OAuthAuthenticationMiddleware: this new middleware is a generic OAuth2 interactive client that behaves exactly like app.UseFacebookAuthentication or app.UseGoogleAuthentication but that supports virtually any standard OAuth2 provider, including yours. Google, Facebook and Microsoft providers have all been updated to inherit from this new base middleware.


So, the middleware you're actually looking for is the OAuth2 authorization server middleware, aka OAuthAuthorizationServerMiddleware.

Though it's considered an essential component by a large part of the community, it won't be ported to ASP.NET 5.


Luckily, there's already a direct replacement: AspNet.Security.OpenIdConnect.Server (https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server)


This middleware is an advanced fork of the OAuth2 authorization server middleware that comes with Katana 3 but that targets OpenID Connect (which is itself based on OAuth2). It uses the same low-level approach that offers a fine-grained control (via various notifications) and allows you to use your own framework (Nancy, MVC 6) to serve your authorization pages like you could with the OAuth2 server middleware. Configuring it is easy:

// Add a new middleware validating access tokens issued by the server.
app.UseOAuthBearerAuthentication(options => {
    options.AutomaticAuthenticate = true;
    options.Audience = "http://localhost:54540/";
    options.Authority = "http://localhost:54540/";
});

// Add a new middleware issuing tokens.
app.UseOpenIdConnectServer(options => {
    // Create your own `OpenIdConnectServerProvider` and override
    // `GrantResourceOwnerCredentials` to support the resource owner
    // password flow exactly like you did with the OAuth2 middleware.
    options.Provider = new AuthorizationProvider();
});


There's an OWIN/Katana 3 version, and an ASP.NET 5 version that supports both dnx451 (the good old CLR) and dnxcore50 (Core CLR). Don't hesitate to browse the default sample (https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Mvc) to understand how it works. It doesn't implement the resource owner password flow, but it's rather easy to add. You can remove the MVC controllers and set OpenIdConnectServerOptions.AuthorizationEndpoint to PathString.Empty if you don't want to support the authorization code or the implicit flow.


Feel free to ping me if you still need help. Good luck!
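The answer's configuration snippet leaves the provider (the class assigned to options.Provider) as an exercise. The following is an added example, not code from the answer or from the AspNet.Security.OpenIdConnect.Server project, of a provider that implements the resource owner password flow the question asks for, using ASP.NET Identity to check the password. The ASOS-side names (OpenIdConnectServerProvider, ValidateClientAuthentication, GrantResourceOwnerCredentials, the context types and their Validated/Rejected methods, context.Options.AuthenticationScheme) are assumed from the beta-era API and changed between releases, so check them against the version you reference; ApplicationUser is assumed to be the application's Identity user class, and the namespaces assume ASP.NET 5 beta8.

```csharp
// Added example (not the answer's or ASOS's own code). Assumed API names are
// noted in the lead-in; ApplicationUser is the app's Identity user type.
using System.Security.Claims;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Server;       // assumed: OpenIdConnectServerProvider and contexts
using Microsoft.AspNet.Identity;                   // UserManager<TUser> (beta8 namespace)
using Microsoft.Extensions.DependencyInjection;    // GetRequiredService (beta8 namespace)

public class AuthorizationProvider : OpenIdConnectServerProvider
{
    // Only the first-party client may use the password grant. A browser
    // (AJAX) client cannot keep a secret, so none is required, but the
    // client_id is still pinned so arbitrary callers cannot use this grant.
    public override Task ValidateClientAuthentication(ValidateClientAuthenticationContext context)
    {
        if (context.ClientId == "self")   // same PublicClientId as the Katana sample
        {
            context.Validated();
        }
        else
        {
            context.Rejected(error: "invalid_client", description: "Unknown client_id.");
        }

        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context)
    {
        // Resolve the scoped UserManager from the request's service provider
        // (a provider instance is created once, so it cannot take it in its constructor).
        var manager = context.HttpContext.RequestServices
            .GetRequiredService<UserManager<ApplicationUser>>();

        // One error for "no such user", "locked out" and "wrong password":
        // distinct messages would let a caller enumerate valid usernames.
        const string Error = "invalid_grant";
        const string Description = "The username or password is invalid.";

        var user = await manager.FindByNameAsync(context.UserName);
        if (user == null || await manager.IsLockedOutAsync(user))
        {
            context.Rejected(Error, Description);
            return;
        }

        if (!await manager.CheckPasswordAsync(user, context.Password))
        {
            // Record the failure so Identity's lockout policy throttles guessing.
            await manager.AccessFailedAsync(user);
            context.Rejected(Error, Description);
            return;
        }

        await manager.ResetAccessFailedCountAsync(user);

        // The identity must carry a NameIdentifier claim, which the server
        // maps to the OpenID Connect "sub" claim; without it no token is issued.
        var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, await manager.GetUserIdAsync(user)));
        identity.AddClaim(new Claim(ClaimTypes.Name, await manager.GetUserNameAsync(user)));

        context.Validated(identity);
    }
}
```

With this provider in place, the AJAX client posts grant_type=password, username, password and client_id=self as a form body to the server's token endpoint and receives the access token in the JSON response; the bearer middleware configured in the answer then validates that token on API requests. Lockout and the single generic error message are deliberate: the password grant exposes a credential-checking endpoint to anyone who can reach it, so the same rate-limiting and enumeration defences applied to a login form apply here.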
