OWIN多应用承载令牌认证 [英] OWIN multi-app bearer token authentication

查看:453
本文介绍了OWIN多应用承载令牌认证的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我要进行修改,为ASP.NET在VS 2013默认的单页的应用程序模板,它目前使用的承载令牌认证。该示例使用app.UseOAuthBearerTokens同时创建令牌服务器,并验证令牌在同一个应用程序的请求中间件。

I want to make a modification to the default single page application template for ASP.NET in VS 2013, which currently uses bearer token authentication. The sample uses app.UseOAuthBearerTokens to create both the token server and the middleware to validate tokens for requests in the same app.

我想要做的就是离开这个到位,但第二个应用程序(在IIS势必加入到同一个域,不同的路径 - 例如/认证/ *为验证服务器和/ APP1 / *为应用程序)。对于第二个应用程序,我希望它能够接受由认证服务器中的第一个应用程序发出的令牌。这怎么可能实现呢?我曾尝试在Startup.Auth.cs刚准备关在UseOAuthBearerTokens的code以下,但我得到401的响应与[授权]属性的任何请求:

What I'd like to do is leave that in place, but add a second application (bound in IIS to the same domain, different path - e.g. /auth/* for the authentication server, and /app1/* for the app). For the second app, I want it to accept tokens issued by the authentication server in the first app. How could this be accomplished? I have tried the following in Startup.Auth.cs just going off of the code in UseOAuthBearerTokens, but I get 401 responses to any requests with the [Authorize] attribute:

public partial class Startup
{
    static Startup()
    {
        PublicClientId = "self";

        UserManagerFactory = () => new UserManager<IdentityUser>(new UserStore<IdentityUser>());

        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            //TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
            //AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            //AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
            AuthenticationType = "ExternalBearer",
            AllowInsecureHttp = true,
        };
    }

    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }

    public static Func<UserManager<IdentityUser>> UserManagerFactory { get; set; }

    public static string PublicClientId { get; private set; }

    // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
    public void ConfigureAuth(IAppBuilder app)
    {
        //// Enable the application to use a cookie to store information for the signed in user
        //// and to use a cookie to temporarily store information about a user logging in with a third party login provider
        //app.UseCookieAuthentication(new CookieAuthenticationOptions());
        //app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        OAuthBearerAuthenticationOptions bearerOptions = new OAuthBearerAuthenticationOptions();
        bearerOptions.AccessTokenFormat = OAuthOptions.AccessTokenFormat;
        bearerOptions.AccessTokenProvider = OAuthOptions.AccessTokenProvider;
        bearerOptions.AuthenticationMode = OAuthOptions.AuthenticationMode;
        bearerOptions.AuthenticationType = OAuthOptions.AuthenticationType;
        bearerOptions.Description = OAuthOptions.Description;
        bearerOptions.Provider = new CustomBearerAuthenticationProvider();
        bearerOptions.SystemClock = OAuthOptions.SystemClock;
        OAuthBearerAuthenticationExtensions.UseOAuthBearerAuthentication(app, bearerOptions);
    }
}

public class CustomBearerAuthenticationProvider : OAuthBearerAuthenticationProvider
    {
        public override Task ValidateIdentity(OAuthValidateIdentityContext context)
        {
            var claims = context.Ticket.Identity.Claims;
            if (claims.Count() == 0 || claims.Any(claim => claim.Issuer != "LOCAL AUTHORITY"))
                context.Rejected();
            return Task.FromResult<object>(null);
        }
    }

显然我错过其中第二应用程序有验证,该令牌从第一个应用程序来的某种方式的一部分。某种类型的公共签名密钥?

Obviously I'm missing the part where the second app has some way of validating that the tokens came from the first app. A public signing key of some kind?

这仅仅是一个概念证明。

This is just for a proof of concept.

编辑:本机关键建议的工作不够好,POC的演示,这是很好的了解有AS支持等关键场景实现选项

The machine key suggestion worked well enough for the POC demo, and it's good to know there are AS implementation options that support other key scenarios.

我是能够产生一个DEMO键(不要在生产中使用),使用这个网站:
<一href=\"http://aspnetresources.com/tools/machineKey\">http://aspnetresources.com/tools/machineKey

I was able to generate a DEMO key (do not use for production) using this site: http://aspnetresources.com/tools/machineKey

和放在℃在结果;&System.Web程序GT; 在IIS站点托管每个应用程序的Web.config元素。我也不得不删除一些特定的AS配置选项在启动类的资源服务器。

And placed the result under the <system.web> element in the web.config of each app hosted in the IIS site. I also had to remove some of the AS-specific config options in the Startup class of the resource server.

推荐答案

目前中间件(或者说产生的令牌)是不是真的设计工作跨应用程序。对于这些情况,你应该宁愿使用一个真正的授权服务器(例如,<一个href=\"https://github.com/thinktecture/Thinktecture.AuthorizationServer\">https://github.com/thinktecture/Thinktecture.AuthorizationServer).

Currently the middleware (or rather the produced token) is not really designed to work cross-application. For these scenario you should rather use a real authorization server (e.g. https://github.com/thinktecture/Thinktecture.AuthorizationServer).

这是说你可能得到它通过同步在这两个应用程序的计算机键(在web.config中的machineKey元素)工作。但我从来没有尝试过。

That said you might get it to work by synchronizing the machine key (machineKey element in web.config) in both applications. But I never tried it.

这篇关于OWIN多应用承载令牌认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆