DotNetOpenAuth OpenID Flow w/ Own Auth Server


Question

I'm having a lot of difficulty finding answers to a scenario I have to implement using DotNetOpenAuth and a particular flow I have to deal with.

In the graphic below I am in control of both the MVC site and API. The API is both my Authorisation server and my Resource Server.

Username and Password Flow

The process is fairly obvious in a case where the user has created a local account on my system as I'm dealing with user name and password credentials to log them into the site which I can then pass to my Token endpoint and subsequently pass to the HandleTokenRequest of my authorisation server in order to get access tokens and refresh tokens for my client to then start accessing resources.

OpenID Flow

The flow that I'm at a loss with currently is if a user decides to log in to my site using their Google credentials (for example). In this scenario how do I grant them access tokens and refresh tokens from my own authorisation server in my API?

What would I include in the request to my API Token endpoint?

I have written my own API client which inherits from the WebServerClient class that is part of the DotNetOpenAuth library.

I have seen that there is an interface provided for handling tokens called IServiceProviderTokenManager but that appears to be used in OpenID provider scenarios and not in an API client implementation like mine so I'm assuming that I need to write a custom class for storing and retrieving my own API tokens on the client side but would like that confirmed as well?

It's worth mentioning that both the web site and the API have complete access to the same security database but only the API has access to the database where any resources are held.

Recommended answer

Just for completeness I thought I'd update this question with my answer.

What I ended up doing was moving the Authorize and Token endpoints into my MVC 4 application rather than having them within the API itself.

This way when calling the Authorize endpoint with a logged in user (thus having an ASP.NET FormsAuthentication cookie present) it is possible to get an authorisation code granted when the request processing hits this code:

        // Consider auto-approving if safe to do so.
        if (((OAuth2AuthorizationServer)this.authorizationServer.AuthorizationServerServices).CanBeAutoApproved(pendingRequest))
        {
            var approval = this.authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name);
            return this.authorizationServer.Channel.PrepareResponse(approval).AsActionResult();
        }

Once you have an authorisation code you can then call into the Token endpoint using a WebServerClient instance and calling its RequestUserAuthorization method.

When this calls back you can then call the ProcessUserAuthorization method which will return an IAuthorizationState object with your access token and refresh token.
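
The auto-approval branch in the answer skips the consent screen, so whatever sits behind `CanBeAutoApproved` is the only gate before an authorisation code is issued. One restrictive policy for that check, as an added example that is not from the answer or from the DotNetOpenAuth project: `AutoApprovalPolicy`, the `mvc-site` client and its callback URL and scopes are constructed for illustration, and the code assumes the DotNetOpenAuth 4.x `EndUserAuthorizationRequest` type.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using DotNetOpenAuth.OAuth2.Messages;

// Hypothetical policy class; not part of DotNetOpenAuth.
public sealed class AutoApprovalPolicy
{
    private sealed class TrustedClient
    {
        public string Callback;
        public HashSet<string> Scopes;
        public bool HasSecret;
    }

    // Constructed sample registration for the first-party MVC site.
    private readonly Dictionary<string, TrustedClient> trusted =
        new Dictionary<string, TrustedClient>(StringComparer.Ordinal)
        {
            { "mvc-site", new TrustedClient {
                Callback = "https://www.example.test/oauth/callback",
                Scopes = new HashSet<string> { "profile", "orders.read" },
                HasSecret = true } }
        };

    public bool CanBeAutoApproved(EndUserAuthorizationRequest request, bool userIsAuthenticated)
    {
        if (request == null) throw new ArgumentNullException("request");
        // Consent may only be skipped for a user who already holds a valid login.
        if (!userIsAuthenticated) return false;
        // Implicit grants return the token through the browser; always ask for consent.
        if (request.ResponseType != EndUserAuthorizationResponseType.AuthorizationCode) return false;
        // Unknown clients never get silent approval.
        TrustedClient client;
        if (!trusted.TryGetValue(request.ClientIdentifier ?? string.Empty, out client)) return false;
        // A client without a secret cannot prove its identity at the token endpoint.
        if (!client.HasSecret) return false;
        // Exact callback match, so the code is only delivered to the registered URL.
        if (request.Callback == null ||
            !string.Equals(request.Callback.AbsoluteUri, client.Callback, StringComparison.Ordinal)) return false;
        // Only scopes registered for this client are granted without asking.
        return request.Scope != null && request.Scope.All(s => client.Scopes.Contains(s));
    }
}
```

Any request that fails one of these checks should fall through to the normal consent view rather than being rejected outright.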
