OAuth承载令牌无效

Question

I have a minimal setup of an auth-provider, which sets claims-identity

public class SimpleAuthorizationProvider : OAuthAuthorizationServerProvider
{
    public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (context.UserName != context.Password)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim("sub", context.UserName));
        identity.AddClaim(new Claim("role", "user"));

        context.Validated(identity);
    }
}

I am trying to access hello-world-api, which is giving unauthorized access error.

public class HelloWorldApiController : ApiController
{

    [HttpGet]
    [Route("api/hello")]
    //[AllowAnonymous]
    [Authorize]
    public HttpResponseMessage FetchAllEnum()
    {
        return Request.CreateResponse(HttpStatusCode.OK, "Hello World!!!");
    }
}

But I am getting 401/unauthorized access for the above API. I do get the bearer token back to the web-api and I am also passing it to the server as Bearer ABCD**** . I do see that the authorization header is set while debugging in Visual Studio.

If I debug the AuthorizeAttribute , I am getting user.Identity.IsAuthenticated as false , which is actually causing the issue. But given that I do see the Authorization header set and I have set claims details in OAuthProvider , why is it that the AuthorizeAttribute is not reading that information?

Note: This is a Web API project so there are no references to the MVC AuthorizeAttribute.

Here is the OWIN setup:

public static class WebApiConfig
{
    public static HttpConfiguration Register()
    {
        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        //config.SuppressDefaultHostAuthentication(); //tried with/without this line
        config.Filters.Add(new AuthorizeAttribute());
        config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*"));
        return config;
    }
}

public class OwinConfiguration
{
    // ReSharper disable once UnusedMember.Local
    public void Configuration(IAppBuilder app)
    {
        ConfigureOAuth(app);
        app.UseCors(CorsOptions.AllowAll);
        app.UseWebApi(WebApiConfig.Register());
    }

    private void ConfigureOAuth(IAppBuilder app)
    {
        var options = new OAuthAuthorizationServerOptions
        {
            AllowInsecureHttp = true,
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60),
            Provider = new SimpleAuthorizationProvider()
        };

        app.UseOAuthAuthorizationServer(options);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

Answer 1

to make it work config.Filters.Add(new HostAuthenticationAttribute("bearer")); needed to add this line beofre authorize attribute...

public static HttpConfiguration Register()
{
    var config = new HttpConfiguration();
    config.MapHttpAttributeRoutes();

    config.Filters.Add(new HostAuthenticationAttribute("bearer")); //added this
    config.Filters.Add(new AuthorizeAttribute());
    config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*"));
    return config;
}

Answer 2

Another possible solution which worked for me was to not use HostAuthenticationAttribute, but instead set the OWIN filter to be an Active filter like this:

var bearerOptions = new OAuthBearerAuthenticationOptions
{
    AccessTokenFormat = new JwtFormat(validationParameters),
    AuthenticationMode = AuthenticationMode.Active,
};