Authentication fails for get request using Asp.net Identity
I have an API controller which returns an image for a GET request. I want to authorize this request. So I added the Authorize attribute to the action. I am using the ASP.NET Identity framework for authorization. When I run my application, I log in to the application by sending the username/password to /Token via Ajax. Then I get the access_token and store it. The problem is that when I reference an image tag with a src attribute (where the src points to the API controller mentioned above), I don't have a way to send the access token with it. How will I implement this?
    using System;
    using Microsoft.AspNet.Identity;
    using Microsoft.AspNet.Identity.EntityFramework;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OAuth;
    using Owin;

    public partial class Startup
    {
        static Startup()
        {
            PublicClientId = "self";
            UserManagerFactory = () => new UserManager<User>(new UserStore<User>(new ImagePerfektDbContext()));
            OAuthOptions = new OAuthAuthorizationServerOptions
            {
                // Endpoint the client posts the username/password to
                TokenEndpointPath = new PathString("/Token"),
                Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
                AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
                // Accepts token requests over plain HTTP
                AllowInsecureHttp = true
            };
        }

        public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
        public static Func<UserManager<User>> UserManagerFactory { get; set; }
        public static string PublicClientId { get; private set; }

        public void ConfigureAuth(IAppBuilder app)
        {
            // Cookie authentication for the signed-in user
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login")
            });
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
            // Bearer tokens are read from the Authorization header of each request
            app.UseOAuthBearerTokens(OAuthOptions);
        }
    }
I see what you mean. It's never a good idea to append the access token in the src attribute URL as a route parameter either.
What I would do... assuming you are storing the access token in the authentication ticket, I would mark the action method with the "Anonymous" action filter and remove the "Authorize" action filter. Then, inside the action method code, I would attempt to retrieve the access token from the authentication ticket (or wherever you are storing it), validate it and finally return the image, or not, based on the success of the validation.
I hope it makes sense.
Leo
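
One way to implement the approach described in the answer above, as an added example that is not part of the original question or answer. It assumes the token returned by /Token is kept in a cookie named access_token; the controller name, cookie name and image path are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Hosting;
using System.Web.Http;
using Microsoft.Owin.Security;

public class ImagesController : ApiController   // hypothetical controller name
{
    private const string TokenCookie = "access_token";   // assumed cookie name

    [AllowAnonymous]   // the pipeline lets the request through; the action decides
    [HttpGet]
    public HttpResponseMessage Get(int id)
    {
        // An <img> request cannot carry an Authorization header, but it sends cookies.
        var cookie = Request.Headers.GetCookies(TokenCookie).FirstOrDefault();
        var token = cookie == null ? null : cookie[TokenCookie].Value;
        if (!IsValidToken(token))
            return Request.CreateResponse(HttpStatusCode.Unauthorized);

        // The int route value keeps user input out of the file path (assumed layout).
        var path = HostingEnvironment.MapPath("~/App_Data/images/" + id + ".png");
        if (path == null || !File.Exists(path))
            return Request.CreateResponse(HttpStatusCode.NotFound);

        var response = Request.CreateResponse(HttpStatusCode.OK);
        response.Content = new ByteArrayContent(File.ReadAllBytes(path));
        response.Content.Headers.ContentType = new MediaTypeHeaderValue("image/png");
        // Keep authorized images out of shared and on-disk caches.
        response.Headers.CacheControl = new CacheControlHeaderValue { Private = true, NoStore = true };
        return response;
    }

    private static bool IsValidToken(string token)
    {
        if (string.IsNullOrEmpty(token)) return false;
        // Unprotect returns null for a token this application did not issue.
        AuthenticationTicket ticket = Startup.OAuthOptions.AccessTokenFormat.Unprotect(token);
        if (ticket == null || ticket.Identity == null || !ticket.Identity.IsAuthenticated)
            return false;
        // Unprotect does not enforce the lifetime, so check expiry explicitly.
        var expires = ticket.Properties.ExpiresUtc;
        return expires.HasValue && expires.Value > DateTimeOffset.UtcNow;
    }
}
```

Because the browser attaches the cookie to every request for the site, set it with the Secure flag and serve the application over HTTPS; the AllowInsecureHttp = true setting in the question's Startup is suitable for development only.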