How to authenticate from Web API controller endpoint when implementing Identity 2.1 + OWIN OAuth JWT bearer token


Question

I'm unable to authenticate from within my controller method as part of my confirm-user-signup workflow, and I'm looking for some guidance on whether my implementation is correct.

My controller method has the following code; I've confirmed that the user is populated (as part of the FindById call), but after SignIn, this.Authentication.User.Identity is not set (Name is blank and IsAuthenticated is false):

this.Authentication.SignOut("JWT");

ApplicationUser user = await this.AppUserManager.FindByIdAsync(userId);

ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(this.AppUserManager, "JWT");

this.Authentication.SignIn(new AuthenticationProperties() { IsPersistent = true }, oAuthIdentity);

Is this the correct way to automate sign-in when using OWIN OAuth?

The full controller method can be seen here: https://gist.github.com/chrismoutray/8a8e5f6a7b433571613b

For reference, I've been following a set of articles from a blog called Bit of Tech, which has allowed me to set up OWIN OAuth using JWT bearer tokens.

Part 3 (of 5) in particular talks about JWT: http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/

From the articles I've created a custom OAuth provider that inherits from OAuthAuthorizationServerProvider and implements GrantResourceOwnerCredentials, and when my client code (AngularJS) tries to authenticate using the endpoint /oauth/token, I can see that it gives the correct response and the secured endpoints (using the Authorize attribute) can then be accessed.

So authentication via the middleware does work, but what is the correct way to authenticate from inside a controller method?

Answer

For what it's worth, I thought I'd share the solution I've come up with.

The short answer: I create a temporary one-time password (token) which will be used to authenticate users for the first time.

Gist here for reference: https://gist.github.com/chrismoutray/159e6fd74f45d88efd12

To summarise: in the AccountController ConfirmSignUp method, I use the user manager to generate a custom token which I've called GRANT-ACCESS, then redirect to my confirm-signup page with the username and token in the URI. My Angular app resolves the ui-route to confirm-signup and performs a login, passing the token as the password.

// Generate a one-time token for the "GRANT-ACCESS" purpose (await it rather than
// blocking on .Result, since ConfirmSignUp is an async action)
string token = await this.AppUserManager.GenerateUserTokenAsync("GRANT-ACCESS", userId);

// Hand the username and token to the SPA as query-string values
Uri redirectLocation = new Uri(
    string.Format("http://localhost:45258/#/confirm-signup?user={0}&token={1}",
    Uri.EscapeDataString(user.UserName), Uri.EscapeDataString(token)));

return Redirect(redirectLocation);

Finally there is an amendment to GrantResourceOwnerCredentials, so that if FindAsync (by username and password) doesn't return the user, then I try again, but this time treating context.Password as the GRANT-ACCESS user token to verify. If the token is valid, then I return the JWT authentication ticket as if the user had logged in with a valid password.

public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    ... code omitted

    // Normal path: username + password
    ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);

    if (user == null)
    {
        // Fallback: treat the supplied password as a GRANT-ACCESS one-time token
        user = await userManager.FindByNameAsync(context.UserName);

        ... null checks omitted

        string token = context.Password;
        bool result = await userManager.VerifyUserTokenAsync(user.Id, "GRANT-ACCESS", token);
        if (!result)
        {
            // Neither the password nor the token verified: do not issue a ticket
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
    }

    ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager, "JWT");

    var ticket = new AuthenticationTicket(oAuthIdentity, null);

    context.Validated(ticket);
}
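The following is an added example, not the answer's own code or the Bit of Tech project's, of the token fallback in GrantResourceOwnerCredentials with the checks a practitioner would want around it: the verify result is enforced, the unknown-user and bad-token cases return the same error, and the token is made single-use by rotating the security stamp. It assumes the Identity 2.x template types (ApplicationUser, ApplicationUserManager registered with app.CreatePerOwinContext, and GenerateUserIdentityAsync on the user), that the manager's UserTokenProvider is a DataProtectorTokenProvider (whose tokens embed the user's security stamp and expire after TokenLifespan), and that "GRANT-ACCESS" is the purpose string used when the token was generated; the class name CustomOAuthProvider is a placeholder.

```csharp
// Added example: hardened GRANT-ACCESS fallback for the resource-owner-password grant.
// Assumes Identity 2.x template types and a DataProtectorTokenProvider as UserTokenProvider.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

public class CustomOAuthProvider : OAuthAuthorizationServerProvider
{
    // Purpose string shared by GenerateUserTokenAsync and VerifyUserTokenAsync.
    // A token generated for another purpose (e.g. "ResetPassword") will not verify here.
    private const string GrantAccessPurpose = "GRANT-ACCESS";

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Public (browser) client: accept and let GrantResourceOwnerCredentials do the real checks.
        context.Validated();
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Assumes app.CreatePerOwinContext(ApplicationUserManager.Create) in Startup.
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

        // 1. Normal path: username + password.
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);

        // 2. Fallback: treat the supplied "password" as a one-time GRANT-ACCESS token.
        if (user == null)
        {
            ApplicationUser candidate = await userManager.FindByNameAsync(context.UserName);

            // One error for "no such user" and "bad token", so /oauth/token does not
            // reveal which usernames exist.
            bool tokenOk = candidate != null &&
                await userManager.VerifyUserTokenAsync(candidate.Id, GrantAccessPurpose, context.Password);

            if (!tokenOk)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }

            // DataProtectorTokenProvider embeds the security stamp in the token; rotating the
            // stamp invalidates this token, so it cannot be replayed from browser history,
            // proxy logs or a leaked Referer header after the first successful login.
            await userManager.UpdateSecurityStampAsync(candidate.Id);

            user = candidate;
        }

        ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager, "JWT");

        // The OAuth server middleware fills IssuedUtc/ExpiresUtc on these properties.
        var ticket = new AuthenticationTicket(oAuthIdentity, new AuthenticationProperties());
        context.Validated(ticket);
    }
}

// Where ApplicationUserManager is built (ApplicationUserManager.Create in the templates),
// keep the GRANT-ACCESS token short-lived; DataProtectorTokenProvider defaults to one day:
//
//   manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(
//       dataProtectionProvider.Create("ASP.NET Identity"))
//   {
//       TokenLifespan = TimeSpan.FromMinutes(15)
//   };
```

Two design points worth knowing before copying this: the token still travels in the redirect URL, so the short TokenLifespan and the stamp rotation are what limit the damage if that URL leaks; and UpdateSecurityStampAsync also invalidates any other outstanding tokens for that user from the same provider (email-confirmation or password-reset links), which is usually fine immediately after sign-up confirmation but should be kept in mind if those flows overlap.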
