[英]DotNetOpenAuth OpenID Flow w/ Own Auth Server
I'm having a lot of difficulty finding answers to a scenario I have to implement using DotNetOpenAuth
and a particular flow I have to deal with. 我很难找到我必须使用DotNetOpenAuth
实现的场景的答案以及我必须处理的特定流程。
In the graphic below I am in control of both the MVC site and API. 在下图中,我可以控制MVC站点和API。 The API is both my Authorisation server and my Resource Server. API是我的授权服务器和我的资源服务器。
Username and Password Flow 用户名和密码流
The process is fairly obvious in a case where the user has created a local account on my system as I'm dealing with user name and password credetials to log them into the site which I can then pass to my Token endpoint and subequently pass to the HandleTokenRequest
of my authorisation server in order to get access tokens and refresh tokens for my client to then start accessing resources. 在用户在我的系统上创建本地帐户的情况下,该过程相当明显,因为我正在处理用户名和密码凭据以将其登录到站点,然后我可以将其传递到我的令牌端点并且随后传递给HandleTokenRequest
我的授权服务器,以获取访问令牌并刷新令牌,然后我的客户端开始访问资源。
OpenID Flow OpenID流程
The flow that I'm at a loss with currently is if a user decides to log in to my site using their Google credentials (for example). 我目前处于亏损状态的流程是用户决定使用他们的Google凭据登录我的网站(例如)。 In this scenario how do I grant them access tokens and refresh tokens from my own authorisation server in my API? 在这种情况下,如何在我的API中授予他们访问令牌和刷新令牌的权限?
What would I include in the request to my API Token endpoint? 我在API令牌端点的请求中包含哪些内容?
I have written my own API client which inherits from the WebServerClient
class that is part of the DotNetOpenAuth
library. 我编写了自己的API客户端,它继承自作为DotNetOpenAuth
库一部分的WebServerClient
类。
I have seen that there is an interface provided for handling tokens called IServiceProviderTokenManager
but that appears to be used in OpenID provider scenarios and not in an API client implementation like mine so I'm assuming that I need to write a custom class for storing and retrieving my own API tokens on the client side but would like that confirmed as well? 我已经看到有一个接口用于处理名为IServiceProviderTokenManager
令牌,但似乎在OpenID提供程序场景中使用,而不是像我的API客户端实现中那样使用,所以我假设我需要编写一个自定义类来存储和检索我自己的API令牌在客户端,但也希望确认?
Its worth mentioning that both the web site and the API have complete access to the same security database but only the API has access to the database where any resources are held. 值得一提的是,网站和API都可以完全访问相同的安全数据库,但只有API可以访问保存任何资源的数据库。
Just for completeness I thought I'd update this question with my answer. 为了完整起见,我想我会用我的答案更新这个问题。
What I ended up doing was moving the Authorize
and Token
endpoints into my MVC 4 application rather than having them within the API itself. 我最终做的是将Authorize
和Token
端点移动到我的MVC 4应用程序中,而不是将它们放在API本身中。
This way when calling the Authorize endpoint with a logged in user (thus having an ASP.NET FormsAuthentication cookie present) it is possible to get an authorisation code granted when the request processing hits this code: 这样,当使用登录用户调用Authorize端点(因此存在ASP.NET FormsAuthentication cookie)时,可以在请求处理命中此代码时获得授权代码:
// Consider auto-approving if safe to do so.
if (((OAuth2AuthorizationServer)this.authorizationServer.AuthorizationServerServices).CanBeAutoApproved(pendingRequest))
{
var approval = this.authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name);
return this.authorizationServer.Channel.PrepareResponse(approval).AsActionResult();
}
Once you have an authorisation code you can then call into the Token endpoint using a WebServerClient
instance and calling its RequestUserAuthorization
method. 获得授权代码后,您可以使用WebServerClient
实例调用Token端点并调用其RequestUserAuthorization
方法。
When this calls back you can then call the ProcessUserAuthorization
method which will return an IAuthorizationState
object with your access token and refresh token. 当回调时,您可以调用ProcessUserAuthorization
方法,该方法将返回带有访问令牌和刷新令牌的IAuthorizationState
对象。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.