基本Web API的ASP.NET的Oauth2认证
- 增加Token额外字段
- 增加Scope授权字段
- 持久化Token
- 设计Token的时间间隔
- 刷新Token后失效老的Token
- 自定义验证【重启IIS池Token失效,验证权限】
Oauth2 认证的流程
客户端发送口令(grant_type,client_id,client_secret)到服务端请求,认证返回access token ,然后客户端跟据获得的access token,根据Access Token获得权限去访问Web API.
配置与准备:此处我们使用 oauth2服务端实现,需要引入Authorize(授权服务器依赖)和resourceserver(资源服务器依赖)。
加了Authorize 标志之后,进行 API请求测试,如果不通过oauth2认证机制就会出现,请求被拒绝
开始时,当程序开始时,客户端访问API,设计进入安全认证状态
1 public void Configuration(IAppBuilder app) 2 { 3 4 app.UseCors(CorsOptions.AllowAll); 5 ConfigureAuth(app); 6 }
1 app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions 2 { 3 TokenEndpointPath = new PathString("/token"), 4 Provider = new ApplicationOAuthProvider(), 5 //RefreshTokenProvider = new ApplicationRefreshTokenProvider(), 6 AccessTokenExpireTimeSpan = TimeSpan.FromHours(2), 7 AuthenticationMode = AuthenticationMode.Active, 8 //HTTPS is allowed only AllowInsecureHttp = false 9 AllowInsecureHttp = true 10 //ApplicationCanDisplayErrors = false 11 });
第一步:根据密码口令获得Access Token(当密码和账号正确时)
/// <summary> /// 验证客户[client_id与client_secret验证] /// </summary> /// <param name="context"></param> /// <returns></returns> public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) { //http://localhost:48339/token //grant_type=client_credentials&client_id=irving&client_secret=123456 string client_id; string client_secret; context.TryGetFormCredentials(out client_id, out client_secret); if (client_id == "abc" && client_secret == "123456") { context.Validated(client_id); } else { //context.Response.StatusCode = Convert.ToInt32(HttpStatusCode.OK); context.SetError("invalid_client", "client is not valid"); } return base.ValidateClientAuthentication(context); }
/// <summary> /// 客户端授权[生成access token] /// </summary> /// <param name="context"></param> /// <returns></returns> public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext context) { /* var client = _oauthClientService.GetClient(context.ClientId); oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, client.ClientName)); */ //var oAuthIdentity = new ClaimsIdentity(context.Options.AuthenticationType); //oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, "iphone")); //var ticket = new AuthenticationTicket(oAuthIdentity, new AuthenticationProperties() { AllowRefresh = true }); //context.Validated(ticket); //return base.GrantClientCredentials(context); var oAuthIdentity = new ClaimsIdentity(context.Options.AuthenticationType); oAuthIdentity.AddClaim(new Claim(ClaimTypes.Name, "iphone")); //可以加入用户信息及其他必要信息到Token中,以便在api服务中使用(使用中HttpContext.Current.User.Identity即为oAuthIdentity对象,WebApi的Controller中可直接使用User.Identity)。 oAuthIdentity.AddClaim(new Claim("UserID", "irving")); var ticket = new AuthenticationTicket(oAuthIdentity, new AuthenticationProperties()); context.Validated(ticket);//认证通过 return base.GrantClientCredentials(context); }
第二步:刷新Token
/// <summary> /// 刷新Token[刷新refresh_token] /// </summary> /// <param name="context"></param> /// <returns></returns> public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context) { //enforce client binding of refresh token if (context.Ticket == null || context.Ticket.Identity == null || !context.Ticket.Identity.IsAuthenticated) { context.SetError("invalid_grant", "Refresh token is not valid"); } else { //Additional claim is needed to separate access token updating from authentication //requests in RefreshTokenProvider.CreateAsync() method } return base.GrantRefreshToken(context); }
接下来就是可以使用客户端通过账号密码对客户端进行调用,在一随笔中详细介绍。