承载令牌授权
[英]Bearer token Authorization
问题描述
I am having a problem with Identity Server 3 and bearer token authentication. 
我在Identity Server 3和承载令牌身份验证方面遇到问题。
Basically, I can call my Web API methods with an expired access token and the Web API authenticates the user and returns the data. 基本上,我可以使用过期的访问令牌来调用Web API方法,并且Web API会对用户进行身份验证并返回数据。
I have set my client to have an access token lifetime of 360 seconds and this indeed is the case when I check the claim. 我已将我的客户端设置为具有360秒的访问令牌生存期,这确实是我检查索赔时的情况。
How do I go about ensuring my Web API cannot be called with an expired access token. 如何确保无法使用过期的访问令牌调用Web API。 Do I need to set something in my IdentityServerBearerTokenAuthenticationOptions ? 我是否需要在IdentityServerBearerTokenAuthenticationOptions进行设置?
Thanks. 谢谢。
1 个解决方案
解决方案1
0 2015-04-22 18:03:18
When the request comes in the very first thing we do is check if the identity is authenticated and that the authentication type is "Bearer". 当请求到来时,我们要做的第一件事就是检查身份是否已通过身份验证,并且身份验证类型为“承载”。
private static bool RequestIsAuthenticated(HttpActionContext actionContext)
{
return (actionContext.RequestContext.Principal.Identity.AuthenticationType == "Bearer" && actionContext.RequestContext.Principal.Identity.IsAuthenticated);
}
If this returns false we return a HttpStatusCode.Unauthorized. 如果返回false,则返回HttpStatusCode.Unauthorized。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.