[英]OAuth bearer token not working
I have a minimal setup of an auth-provider, which sets claims-identity 我有一个auth-provider的最小设置,它设置了声明身份
public class SimpleAuthorizationProvider : OAuthAuthorizationServerProvider
{
public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
context.Validated();
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
if (context.UserName != context.Password)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));
context.Validated(identity);
}
}
I am trying to access hello-world-api, which is giving unauthorized access error. 我正在尝试访问hello-world-api,这会给出未经授权的访问错误。
public class HelloWorldApiController : ApiController
{
[HttpGet]
[Route("api/hello")]
//[AllowAnonymous]
[Authorize]
public HttpResponseMessage FetchAllEnum()
{
return Request.CreateResponse(HttpStatusCode.OK, "Hello World!!!");
}
}
But I am getting 401/unauthorized access for the above API. 但我正在获得上述API的401 /未经授权的访问权限。 I do get the bearer token back to the web-api and I am also passing it to the server as
Bearer ABCD****
. 我确实将持有者令牌返回给web-api,我也将它作为
Bearer ABCD****
传递给服务器。 I do see that the authorization header is set while debugging in Visual Studio. 我确实看到在Visual Studio中调试时设置了授权标头。
If I debug the AuthorizeAttribute
, I am getting user.Identity.IsAuthenticated
as false
, which is actually causing the issue. 如果我调试
AuthorizeAttribute
,我得到user.Identity.IsAuthenticated
为false
,这实际上导致了问题。 But given that I do see the Authorization header set and I have set claims details in OAuthProvider
, why is it that the AuthorizeAttribute
is not reading that information? 但鉴于我确实看到了Authorization标头集并且我在
OAuthProvider
设置了声明详细信息,为什么AuthorizeAttribute
没有读取该信息?
Note: This is a Web API project so there are no references to the MVC AuthorizeAttribute. 注意:这是一个Web API项目,因此没有对MVC AuthorizeAttribute的引用。
Here is the OWIN setup: 这是OWIN设置:
public static class WebApiConfig
{
public static HttpConfiguration Register()
{
var config = new HttpConfiguration();
config.MapHttpAttributeRoutes();
//config.SuppressDefaultHostAuthentication(); //tried with/without this line
config.Filters.Add(new AuthorizeAttribute());
config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*"));
return config;
}
}
public class OwinConfiguration
{
// ReSharper disable once UnusedMember.Local
public void Configuration(IAppBuilder app)
{
ConfigureOAuth(app);
app.UseCors(CorsOptions.AllowAll);
app.UseWebApi(WebApiConfig.Register());
}
private void ConfigureOAuth(IAppBuilder app)
{
var options = new OAuthAuthorizationServerOptions
{
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60),
Provider = new SimpleAuthorizationProvider()
};
app.UseOAuthAuthorizationServer(options);
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}
}
to make it work config.Filters.Add(new HostAuthenticationAttribute("bearer"));
使其工作
config.Filters.Add(new HostAuthenticationAttribute("bearer"));
needed to add this line beofre authorize attribute... 需要添加此行beofre authorize属性...
public static HttpConfiguration Register()
{
var config = new HttpConfiguration();
config.MapHttpAttributeRoutes();
config.Filters.Add(new HostAuthenticationAttribute("bearer")); //added this
config.Filters.Add(new AuthorizeAttribute());
config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*"));
return config;
}
Another possible solution which worked for me was to not use HostAuthenticationAttribute, but instead set the OWIN filter to be an Active filter like this: 另一个可能对我有用的解决方案是不使用HostAuthenticationAttribute,而是将OWIN过滤器设置为Active过滤器,如下所示:
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = new JwtFormat(validationParameters),
AuthenticationMode = AuthenticationMode.Active,
};
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.