如何实现身份2.1 + OWIN OAuth的智威汤逊承载令牌时对来自Web API控制器端点验证 [英] How to authenticate from Web API controller endpoint when implementing Identity 2.1 + OWIN OAuth JWT bearer token
问题描述
我无法从我的控制器方法中进行验证,因为我的确认,用户注册流程的一部分,我在找一些指导,我的实现是正确的。
I'm unable to authenticate from within my controller method, as part of my confirm-user-signup workflow and I'm looking for some guidance that my implementation is correct.
我的控制方法有以下code;我已经确认用户填充(如 FindById
调用的一部分),但签到
之后; this.Authentication.User.Identity
没有设置(名称
是空白, IsAuthenticated
为假):
My controller method has the following code; I've confirmed that the user is populated (as part of the FindById
call) but afterSignIn
; this.Authentication.User.Identity
is not set (Name
is blank and IsAuthenticated
is false):
this.Authentication.SignOut("JWT");
ApplicationUser user = await this.AppUserManager.FindByIdAsync(userId);
ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(this.AppUserManager, "JWT");
this.Authentication.SignIn(new AuthenticationProperties() { IsPersistent = true }, oAuthIdentity);
时自动登入这个正确的方式使用OAuth的OWIN时?
Is this correct way to automate signin when using OWIN OAuth?
完整的控制器方法,可以在这里看到:
https://gist.github.com/chrismoutray/8a8e5f6a7b433571613b
The full controller method can be see here: https://gist.github.com/chrismoutray/8a8e5f6a7b433571613b
有关参考,我一直在关注,从一个叫博客一组文章的科技的的位已经让我用智威汤逊承载令牌设置OWIN OAuth的。
For reference, I've been following a set of articles from a blog called Bit of Tech which has allowed me to set OWIN OAuth using JWT bearer token.
在大约智威汤逊(5)特别讲座第3部分:<一href=\"http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/\" rel=\"nofollow\">http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/
Part 3 in particular talks about JWT (of 5) : http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/
这是我创建从 OAuthAuthorizationServerProvider
继承并实现了 GrantResourceOwnerCredentials
,当定制的OAuth提供的文章我的客户code(AngularJS)尝试使用端点 /的OAuth /令牌
,我可以看到,它给出正确的响应和安全的端点(使用是否授权属性进行身份验证)然后可以访问。
From the articles I've created custom OAuth provider that inherits from OAuthAuthorizationServerProvider
and implements the GrantResourceOwnerCredentials
, and when my client code (AngularJS) tries to authenticate using the endpoint /oauth/token
, I can see that it gives the correct response and the secured endpoints (using Authorise attribute) can then be accessed.
所以,通过中间件认证的工作,但什么是控制器内的方法来验证正确的方法是什么?
So authentication via the middleware does work but what is the correct way to authenticate from inside a controller method?
推荐答案
有关它的价值我想我会分享解决方案,我想出了。
For what it's worth I thought I’d share the solution I’ve come up with.
简短的回答;我创建了一个临时的一次性密码(令牌)将被用于认证用户首次
The short answer; I create a temporary one time password (token) which will be used to authenticate users for the first time
要点这里以供参考:
https://gist.github.com/chrismoutray/159e6fd74f45d88efd12
要总结 - 在的AccountController ConfirmSignUp
方法;我使用用户管理器来生成自定义的令牌我已经叫 GRANT权限:
,然后重定向到我的确认-注册
与URI中的用户名和令牌页面。
我的角应用解决了UI的路线确认-注册
并进行登录,传递令牌作为密码。
To Summaries – In the AccountController ConfirmSignUp
method; I use the user-manager to generate a custom token which I’ve called GRANT-ACCESS
, then redirect to my confirm-signup
page with the username and token in the uri.
My angular app resolves the ui-route to confirm-signup
and performs a login, passing the token as the password.
var tokenResult = this.AppUserManager.GenerateUserTokenAsync("GRANT-ACCESS", userId);
string token = tokenResult.Result;
Uri redirectLocation = new Uri(
string.Format("http://localhost:45258/#/confirm-signup?user={0}&token={1}",
Uri.EscapeDataString(user.UserName), Uri.EscapeDataString(token)));
return Redirect(redirectLocation);
最后有一项修正案, GrantResourceOwnerCredentials
,因此,如果 FindAsync
(通过用户名和密码)没有按' ŧ回报用户,然后我再试一次,但这次治疗 context.Password
为 GRANT权限:
用户令牌校验。如果令牌是有效的,然后我返回JWT身份验证票证,如果用户曾与一个有效的密码登录。
Finally there is an amendment to GrantResourceOwnerCredentials
, so that if the FindAsync
(by username and password) doesn’t return the user then I try again but this time treating the context.Password
as the GRANT-ACCESS
user token to verify. If the token is valid then I return the JWT authentication ticket as if the user had logged in with a valid password.
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
... code obmitted
ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
if (user == null)
{
user = await userManager.FindByNameAsync(context.UserName);
... null checks obmitted
string token = context.Password;
bool result = await userManager.VerifyUserTokenAsync(user.Id, "GRANT-ACCESS", token);
}
ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager, "JWT");
var ticket = new AuthenticationTicket(oAuthIdentity, null);
context.Validated(ticket);
}
这篇关于如何实现身份2.1 + OWIN OAuth的智威汤逊承载令牌时对来自Web API控制器端点验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!