context.Request.User is null in OWIN OAuthAuthorizationServerProvider


Question

I'm trying to implement OAuth using OWIN for a Web API v2 endpoint on my local intranet. The API is hosted in IIS using built-in Windows Authentication. In short, this is what I want to happen.

When I ask for my token at /token:

  1. Pull the WindowsPrincipal out of the OWIN context
  2. Use the SID from the WindowsPrincipal to look up some roles for this user in a SQL table.
  3. Create a new ClaimsIdentity that stores the username and roles
  4. Turn that into a Json Web Token (JWT) that I send back

When I request a resource from my API using my token:

  1. Convert the JWT Bearer token back to the ClaimsIdentity
  2. Use that ClaimsIdentity for authorizing requests to the resource by role

This way I don't have to do a database lookup for user roles on each request. It's just baked into the JWT.

I think I'm setting everything up correctly. My Startup.Configuration method looks like this.

    public void Configuration(IAppBuilder app)
    {
        // token generation
        // This is what drives the action when a client connects to the /token route
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            // for demo purposes
            AllowInsecureHttp = true,

            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromHours(8),
            AccessTokenFormat = GetMyJwtTokenFormat(),
            Provider = new MyAuthorizationServerProvider()
        });

        // token consumption
        app.UseOAuthBearerAuthentication(
            new OAuthBearerAuthenticationOptions()
            {
                Realm = "http://www.ccl.org",
                Provider = new OAuthBearerAuthenticationProvider(),
                AccessTokenFormat = GetMyJwtTokenFormat()
            }
        );

        app.UseWebApi(WebApiConfig.Register());
    }

MyAuthorizationServerProvider looks like this...

    using System.Collections.Generic;
    using System.Linq;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.Owin.Security.OAuth;

    public class MyAuthorizationServerProvider : OAuthAuthorizationServerProvider
    {
        public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            // Since I'm hosting in IIS with Windows Auth enabled
            // I'm expecting my WindowsPrincipal to be here, but it's null  :(
            var windowsPrincipal = context.OwinContext.Request.User;

            // windowsPrincipal is null here.  Why?
            // (touching .Identity on it throws a NullReferenceException)

            // Call SQL to get roles for this user
            // (LookupRolesAsync is a placeholder for the SQL lookup, not shown here)
            IEnumerable<string> roles = await LookupRolesAsync(windowsPrincipal);

            // create the identity with the username and roles
            var claims = new List<Claim> { new Claim(ClaimTypes.Name, windowsPrincipal.Identity.Name) };
            claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
            var id = new ClaimsIdentity(claims, context.Options.AuthenticationType);

            context.Validated(id);
        }
    }

My problem is that context.Request.User is null here. I can't get to my WindowsPrincipal. If I create some other dummy middleware, I can get to the WindowsPrincipal without issue. Why is it null in this context? Am I doing something wrong?

Accepted answer

Swap the order of UseOAuthAuthorizationServer and UseOAuthBearerAuthentication. UseOAuthBearerAuthentication calls UseStageMarker(PipelineStage.Authenticate); to make it (and everything before it) run earlier in the ASP.NET pipeline. User is null when you run during the Authenticate stage.
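The following is an added example, not the asker's or the answerer's code. It applies the accepted answer (bearer middleware registered before the authorization server) and fills in the provider the question sketches: read the IIS WindowsPrincipal, look up roles by SID, and issue a role-bearing ClaimsIdentity. It assumes `GetMyJwtTokenFormat()` is the asker's own helper defined elsewhere in the partial `Startup` class; the `UserRoles(Sid, RoleName)` table, the connection string and the `WindowsToJwtProvider` / `LookupRolesBySid` names are hypothetical.

```csharp
// Added example (not the asker's or answerer's code): middleware order from the
// accepted answer plus a provider that turns the IIS WindowsPrincipal into a
// role-bearing ClaimsIdentity. Assumed: GetMyJwtTokenFormat() is the asker's own
// helper in this partial class; UserRoles(Sid, RoleName) and the connection string are placeholders.
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Token consumption first: UseOAuthBearerAuthentication adds a
        // PipelineStage.Authenticate stage marker, and everything registered
        // before it runs in that early stage, where Request.User is still null.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            AccessTokenFormat = GetMyJwtTokenFormat()
        });

        // Token generation after the marker, so GrantResourceOwnerCredentials
        // runs once IIS Windows Authentication has attached the principal.
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            AllowInsecureHttp = false,   // bearer tokens only over TLS
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromHours(8),
            AccessTokenFormat = GetMyJwtTokenFormat(),
            Provider = new WindowsToJwtProvider(LookupRolesBySid)
        });

        app.UseWebApi(WebApiConfig.Register());
    }

    // Hypothetical schema and placeholder connection string. The SID is bound as a
    // parameter rather than concatenated into the query text.
    private static IEnumerable<string> LookupRolesBySid(string sid)
    {
        const string connectionString = "<roles database connection string placeholder>";
        var roles = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT RoleName FROM UserRoles WHERE Sid = @sid", conn))
        {
            cmd.Parameters.AddWithValue("@sid", sid);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read()) roles.Add(reader.GetString(0));
            }
        }
        return roles;
    }
}

public class WindowsToJwtProvider : OAuthAuthorizationServerProvider
{
    private readonly Func<string, IEnumerable<string>> _roleLookup;

    public WindowsToJwtProvider(Func<string, IEnumerable<string>> roleLookup) { _roleLookup = roleLookup; }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Katana answers invalid_client unless the client is validated here; on this
        // intranet flow the caller is identified by Windows auth, not a client secret.
        context.Validated();
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var principal = context.OwinContext.Request.User;
        var windowsIdentity = principal == null ? null : principal.Identity as WindowsIdentity;
        if (windowsIdentity == null || !windowsIdentity.IsAuthenticated || windowsIdentity.User == null)
        {
            // Still null here means the middleware order is wrong or Windows auth is off in IIS.
            context.SetError("invalid_grant", "No authenticated Windows principal on the request.");
            return Task.FromResult(0);
        }

        var sid = windowsIdentity.User.Value;
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, windowsIdentity.Name) };
        claims.Add(new Claim(ClaimTypes.PrimarySid, sid));
        foreach (var role in _roleLookup(sid)) claims.Add(new Claim(ClaimTypes.Role, role));

        // AuthenticationType must match the bearer middleware's ("Bearer" by default)
        // or the identity is ignored when the JWT comes back on later requests.
        var identity = new ClaimsIdentity(claims, context.Options.AuthenticationType);
        context.Validated(identity);
        return Task.FromResult(0);
    }
}
```

With this order the role claims travel inside the JWT, so a plain `[Authorize(Roles = "...")]` on a Web API controller authorizes from the token without a per-request database lookup. The example leaves `AllowInsecureHttp` at `false`; a bearer token sent over plain HTTP is replayable by anyone on the path, so the `true` used in the question's demo configuration should not survive into an intranet deployment either.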
