Web API authorization access_token validation

Now I am working with authorization with OAUTH2.0. I want to do my own authorization server (WEB API). I have a Dummy MVC project to test this. I succeeded in creating some access tokens in the server (WEB API) using 'SimpleAuthorizationServerProvider'. I have to make some API calls, but they should be authorized, so I can send this call with my token like:

https://localhost/Profile?access_token=...

or I can send the access_token through a header. This much is OK now from my side. But I need to validate this access_token on the server side. I can get the access token from the client (Dummy MVC project):

    // OAuth2Client / TokenResponse come from the Thinktecture.IdentityModel.Client package
    // used by the Thinktecture samples (assumed from the question's setup).
    private static TokenResponse GetToken()
    {
        // client1/secret are the client credentials, bob/bob the resource owner's credentials
        var client = new OAuth2Client(new Uri("http://localhost:2727/token"), "client1", "secret");
        var response = client.RequestResourceOwnerPasswordAsync("bob", "bob").Result;
        return response;
    }

But I could not understand where it's created on the server side, and where we can validate the access_token on the server side (Web API). I read a lot but am still very much confused. Please help me. Thanks!!

You don't need to worry about the access token on the server side. The access token on the server side is parsed and validated by Katana middleware. If you need more details on how the access token is created/used, then search for the DeserializeTicket and SerializeTicket methods in the Katana sources; you will find that these methods are used in conjunction with Token to serialize/deserialize the ClaimsIdentity which you have passed on the client side (DummyMVC).

Anyway, you are using SimpleAuthorizationServerProvider from the Embedded AuthorizationServer Thinktecture project, which is a wrapper around OAuthAuthorizationServerProvider. Am I right? I believe you want to validate credentials. In your case you can override GrantResourceOwnerCredentials.

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // validate user credentials (demo!)
        // user credentials should be stored securely (salted, iterated, hashed yada)
        if (context.UserName != context.Password)
        {
            context.Rejected();
            return;
        }
        context.Validated();
    }

Best will be if you look at the Thinktecture examples.
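To make the "Katana middleware validates it" point concrete, here is an added example (not the answerer's code or the Thinktecture project's) of what the resource-server side of the asker's setup looks like: a Katana Startup that both issues tokens with the asker's SimpleAuthorizationServerProvider and validates incoming bearer tokens with OAuthBearerAuthentication, plus an [Authorize]-protected ProfileController for the https://localhost/Profile call in the question. The namespace ResourceServer, the controller and the 30-minute lifetime are assumptions; the middleware types are from the Microsoft.Owin.Security.OAuth package.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(ResourceServer.Startup))]

namespace ResourceServer
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // 1. Token issuing endpoint (/token). SimpleAuthorizationServerProvider is the
            //    asker's existing provider; the remaining options are assumed values.
            app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/token"),
                Provider = new SimpleAuthorizationServerProvider(),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
                AllowInsecureHttp = true // development only; the asker's client talks to http://localhost:2727
            });

            // 2. Token validation for protected resources. This is the "where" from the question:
            //    the middleware reads the bearer token, unprotects it with the same AccessTokenFormat
            //    (DataProtection ticket format) the server above used to create it, rebuilds the
            //    ClaimsIdentity, and rejects expired or tampered tokens before any controller runs.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
            {
                Provider = new OAuthBearerAuthenticationProvider
                {
                    // By default only "Authorization: Bearer <token>" is honoured.
                    // This hook additionally accepts ?access_token=... as used in the question.
                    OnRequestToken = ctx =>
                    {
                        if (string.IsNullOrEmpty(ctx.Token))
                        {
                            var fromQuery = ctx.Request.Query.Get("access_token");
                            if (!string.IsNullOrEmpty(fromQuery))
                            {
                                ctx.Token = fromQuery;
                            }
                        }
                        return Task.FromResult(0);
                    }
                }
            });

            // 3. Web API itself.
            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            config.Routes.MapHttpRoute("DefaultApi", "{controller}/{id}", new { id = RouteParameter.Optional });
            app.UseWebApi(config);
        }
    }

    // GET /Profile: reached only when the bearer middleware has validated the token.
    // The controller never parses the token itself; it just reads the restored identity.
    [Authorize]
    public class ProfileController : ApiController
    {
        public IHttpActionResult Get()
        {
            var identity = (ClaimsIdentity)User.Identity;
            return Ok(new
            {
                user = identity.Name,
                claims = identity.Claims.Select(c => new { c.Type, c.Value })
            });
        }
    }
}
```

Because both middlewares live in the same application, they share the default DataProtection-based AccessTokenFormat, so no extra wiring is needed for validation; if the authorization server and the resource server were separate applications, the token format (or the machine key behind it) would have to be shared explicitly. The OnRequestToken hook only exists to support the query-string form in the question; tokens in query strings are recorded in server logs, proxies and browser history, so the Authorization header remains the better default and the hook can be dropped once the client sends the header.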
