Use External Access Token or Local Access Token

I am developing an application using ASP.NET MVC 5.2.2, Web API 2.2 and Katana/OWIN 3.0. The application uses ASP.NET Identity 2.1 for local accounts and database.

I am using OAuth Authorization Server to generate access and refresh tokens. I have Android and iOS apps which use my local OAuth authorization server. The Android and iOS apps use SDKs to log in with Facebook, Google, etc. After that the apps will send the (Facebook/Google/etc.) access token to the server. The server will validate the access token with Facebook/Google/etc.

If it is valid, then:

1) Should I generate a new local access token (in the Auth header) for the apps for all future requests?

2) Should the app send me the Facebook/Gmail/etc. access token (in the Auth header) every time, and the server validate the access token with Facebook/Gmail/etc. each time?

3) If the local access token expires, then the server is using the refresh token to generate a new access token. Should the server update the refresh token as well as the access token at this time, or is updating the access token enough?

After you validate your social provider external access token, you need to exchange this external access token for a local access token issued by your authorization server (Local Authority). All the details for this implementation can be found here: http://bitoftech.net/2014/08/11/asp-net-web-api-2-external-logins-social-logins-facebook-google-angularjs-app/ Let me know if this helps.

Here are the exact steps I have followed to exchange the external access token for an access token issued by the Local Authority. The front end is an AngularJS application. You can check the demo application here and see how I'm accessing the web API using a Facebook access token: http://ngauthenticationweb.azurewebsites.net/

1- The AngularJS application sends an HTTP GET request to an anonymous end point (/ExternalLogin) defined in our back-end API, specifying client_id, redirect_uri and response_type.

2- Once the end point receives the GET request, it will check if the user is authenticated. Let us assume he is not authenticated, so it will notify the middleware responsible for the requested external provider to take responsibility for this call; in our case it is Google.

3- The consent screen for Google will be shown, and the user will provide his Google credentials to authenticate.

4- Google will call back our back-end API, and Google will set an external cookie containing the outcome of the authentication from Google (it contains all the claims from the external provider for the user).

5- The Google middleware will be listening for an event named "Authenticated", where we'll have the chance to read all the external claims set by Google. In our case we'll be interested in reading the claim named "AccessToken", which represents a Google access token. The issuer for this claim is not LOCAL AUTHORITY, so we can't use this access token directly to authorize calls to our secure back-end API endpoints.

6- Then we'll set the external provider's external access token as a custom claim named "ExternalAccessToken", and the Google middleware will redirect back to the end point (/ExternalLogin).

7- Now the user is authenticated using the external cookie, so we need to check that the client_id and redirect_uri set in the initial request are valid and that this client is configured to redirect to the specified URI.

8- Now the code checks if the external user_id along with the provider is already registered as a local database account (with no password). In both cases the code will issue a 302 redirect to the URI specified in the redirect_uri parameter; this URI will contain the following ("External Access Token", "Has Local Account", "Provider", "External User Name") as a URL hash fragment, not a query string.

9- Once the AngularJS application receives the response, it will decide based on it whether the user has a local database account or not, and based on this it will issue a request to one of the end points (/RegisterExternal or /ObtainLocalAccessToken). Both end points accept the external access token, which will be used for verification and then used to obtain a local access token issued by LOCAL AUTHORITY. This local access token can be used to access our back-end API's secured end points.
