
Verify Access Token - Asp.Net Identity

I'm using ASP.Net Identity to implement external logins. After a user logs in with Google I get Google's external access token. I then make a second API call to ObtainLocalAccessToken(), which trades the external access token for a new local one.

ObtainLocalAccessToken() calls VerifyExternalAccessToken(), which verifies the external access token with the provider by manually making HTTP calls and parsing the user_id.

How can I leverage ASP.NET Identity to remove the entire method VerifyExternalAccessToken()?

I believe that's what [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] is for, isn't it? I want to decorate the ObtainLocalAccessToken() endpoint with that attribute and send the external_access_token in the header ({'Authorization' : 'Bearer xxx'}), and it should populate User.Identity without needing to manually verify the external access token? I believe that's the purpose, however I cannot get it working. I send a valid external access token from Google and it gets rejected with a 401.

I have this line in Startup.Auth btw:

        app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(),
            AuthorizeEndpointPath = new PathString("/AccountApi/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            AllowInsecureHttp = true
        });

Alternatively, is it possible to use the "/Token" endpoint to trade an external access token for a local one? Which approach is correct?

Studying the implementation by Taiseer Joudeh, the /ExternalLogin endpoint replaces the OWIN Authentication Challenge.

The AngularJS LoginController makes a call to authService.obtainAccessToken when an externally authenticated user has not been found in the Identity Provider:

        if (fragment.haslocalaccount == 'False') {
            ...
        }
        else {
            // Obtain access token and redirect to orders
            var externalData = { provider: fragment.provider,
                                 externalAccessToken: fragment.external_access_token };
            authService.obtainAccessToken(externalData).then(function (response) {
                $location.path('/orders');
            });
        }

It uses VerifyExternalAccessToken to perform a reverse lookup against the Google and Facebook APIs to get claim info for the bearer token.

        if (provider == "Facebook")
        {
            var appToken = "xxxxxx";
            verifyTokenEndPoint = string.Format("https://graph.facebook.com/debug_token?input_token={0}&access_token={1}", accessToken, appToken);
        }
        else if (provider == "Google")
        {
            verifyTokenEndPoint = string.Format("https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={0}", accessToken);
        }
        else
        {
            return null;
        }

If the token is found, it returns a new ASP.NET bearer token:

        var accessTokenResponse = GenerateLocalAccessTokenResponse(user.UserName);

        return Ok(accessTokenResponse);

With [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] the OWIN middleware uses the external bearer token to access the third party's cookie and register a new account (or find an existing one).

OWIN middleware cannot be configured to accept external bearer tokens instead of local authority tokens. External bearer tokens are only used for authentication and registration.
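As an added example (not the answer's code and not Taiseer Joudeh's), here is a complete version of the reverse lookup sketched above, with the check that the token was actually issued to this application. The Google client id, Facebook app id and Facebook app token are placeholders you would read from configuration; the ParsedExternalAccessToken type and ExternalTokenVerifier class are assumed names.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public class ParsedExternalAccessToken { public string user_id; public string app_id; }

public static class ExternalTokenVerifier
{
    // Assumed placeholders: your own Google client id, Facebook app id and Facebook app token, normally read from configuration.
    private const string GoogleClientId = "YOUR-GOOGLE-CLIENT-ID";
    private const string FacebookAppId = "YOUR-FACEBOOK-APP-ID";
    private const string FacebookAppToken = "YOUR-FACEBOOK-APP-ID|YOUR-FACEBOOK-APP-SECRET";
    private static readonly HttpClient Client = new HttpClient();

    public static async Task<ParsedExternalAccessToken> VerifyExternalAccessToken(string provider, string accessToken)
    {
        string verifyTokenEndPoint;
        if (provider == "Facebook")
            verifyTokenEndPoint = string.Format("https://graph.facebook.com/debug_token?input_token={0}&access_token={1}", Uri.EscapeDataString(accessToken), Uri.EscapeDataString(FacebookAppToken));
        else if (provider == "Google")
            verifyTokenEndPoint = string.Format("https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={0}", Uri.EscapeDataString(accessToken));
        else
            return null; // unknown provider: never trust the token

        var response = await Client.GetAsync(verifyTokenEndPoint);
        if (!response.IsSuccessStatusCode)
            return null; // the provider rejected the token (invalid, expired or revoked)
        var json = JObject.Parse(await response.Content.ReadAsStringAsync());
        var parsed = new ParsedExternalAccessToken();
        if (provider == "Facebook")
        {
            var data = json["data"]; // debug_token wraps its result in a "data" object
            if (data == null || (bool?)data["is_valid"] != true) return null;
            parsed.user_id = (string)data["user_id"];
            parsed.app_id = (string)data["app_id"];
        }
        else
        {
            parsed.user_id = (string)json["user_id"];
            parsed.app_id = (string)json["audience"]; // client id the token was issued to
        }
        // Audience check: a token that is valid but was issued to another application must not log its user in here.
        var expectedAppId = provider == "Facebook" ? FacebookAppId : GoogleClientId;
        if (string.IsNullOrEmpty(parsed.user_id) || !string.Equals(parsed.app_id, expectedAppId, StringComparison.Ordinal))
            return null;
        return parsed;
    }
}
```

Without the audience comparison, any valid Google or Facebook access token for the same user, including one issued to an unrelated application, would be accepted by ObtainLocalAccessToken and exchanged for a local bearer token.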
