Set cookie from Web Api 2 IAuthenticationFilter AuthenticateAsync method
Problem description
Using Web Api 2.2, I have a custom IAuthenticationFilter that I use for authenticating client requests with a custom scheme.
Basically, when a client is not authenticated and wants to access a protected resource, he sends an Authorization header: Authorization: MyCustomScheme XXXXXXX alongside the request. The filter then validates the credentials, authenticates the user and generates a stateless authentication token for further access (similar to a JWT).
I would like to store the resulting authentication token in a cookie. When present in incoming requests, the cookie is locally validated in a separate filter (which is not presented here).
My problem is that if I try to set the cookie like this:
    Task IAuthenticationFilter.AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        if (context.Request.Headers.Authorization != null &&
            string.Equals(context.Request.Headers.Authorization.Scheme, "MyCustomScheme", StringComparison.OrdinalIgnoreCase))
        {
            // This works
            CustomPrincipal principal = this.ValidateCredentials(context.Request.Headers.Authorization.Parameter);
            context.Principal = principal;
            // This doesn't work: context.ActionContext.Response is null
            var cookie = new CookieHeaderValue("MySessionCookie", principal.AuthenticationToken) { Path = "/", HttpOnly = true };
            context.ActionContext.Response.Headers.AddCookies(new CookieHeaderValue[] { cookie });
        }
        return Task.FromResult(0);
    }
Then it fails because context.ActionContext.Response is null. How do I add a cookie to the response from within AuthenticateAsync?
See related: Setting Cookie values in HttpAuthenticationContext for IAuthenticationFilter (http://stackoverflow.com/questions/29378822/setting-cookie-values-in-httpauthenticationcontext-for-iauthenticationfilter) (you can see in the comments that people experience the same issue).
Recommended answer
I got the filter to work by implementing IActionFilter in addition to IAuthenticationFilter. This method is valid because you get access to the request, the response and the user identity in the same place. This is my implementation:
    // Requires: using System.Linq; using System.Net.Http; using System.Net.Http.Headers;
    async Task<HttpResponseMessage> IActionFilter.ExecuteActionFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation)
    {
        // Process the request pipeline and get the response (this causes the action to be executed)
        HttpResponseMessage response = await continuation();
        // If the user is authenticated and the token is not present in the request cookies, then it needs to be set
        CustomPrincipal principal = actionContext.ControllerContext.RequestContext.Principal as CustomPrincipal;
        if (principal != null && !actionContext.Request.Headers.GetCookies("MySessionCookie").Any())
        {
            // Set the cookie in the response
            var cookie = new CookieHeaderValue("MySessionCookie", principal.AuthenticationToken) { Path = "/", HttpOnly = true };
            response.Headers.AddCookies(new CookieHeaderValue[] { cookie });
        }
        return response;
    }
I find this method very unpractical (mixing interfaces), you should definitely have access to the response in IAuthenticationFilter.AuthenticateAsync (via an async continuation callback for example, or by being able to access the action result (IHttpActionResult) in the context, like in the ChallengeAsync method of the same interface).