Verify Access Token - Asp.Net Identity
I'm using ASP.Net Identity to implement external logins. After the user logs in with Google I get Google's external access token. I then make a second API call to ObtainLocalAccessToken() which trades the external access token for a new local one.
ObtainLocalAccessToken() calls VerifyExternalAccessToken() which verifies the external access token with the provider by manually making HTTP calls and parsing the user_id.
How can I leverage ASP.NET Identity to remove the entire method VerifyExternalAccessToken()?
I believe that's what [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] is for, isn't it? I want to decorate the ObtainLocalAccessToken() endpoint with that attribute and send the external_access_token in the header ( {'Authorization' : 'Bearer xxx' } ), and it should populate User.Identity without needing to manually verify the external access token? I believe that's the purpose, however I cannot get it working. I send a valid external access token from Google and it gets rejected with a 401.
I have this line in Startup.Auth btw:
    app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(),
        AuthorizeEndpointPath = new PathString("/AccountApi/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        AllowInsecureHttp = true
    });
Alternatively, is it possible to use the "/Token" endpoint to trade an external access token for a local one? Which approach is correct?
Studying the implementation by Taiseer Joudeh, the /ExternalLogin endpoint replaces the OWIN Authentication Challenge.
The AngularJS LoginController makes a call to authService.obtainAccessToken when an externally authenticated user has not been found in the Identity Provider:
    if (fragment.haslocalaccount == 'False') {
        ...
    }
    else {
        // Obtain access token and redirect to orders
        var externalData = { provider: fragment.provider,
                             externalAccessToken: fragment.external_access_token };
        authService.obtainAccessToken(externalData).then(function (response) {
            $location.path('/orders');
        });
    }
It uses VerifyExternalAccessToken to perform a reverse lookup against the Google and Facebook APIs to get claim info for the bearer token.
    if (provider == "Facebook")
    {
        var appToken = "xxxxxx";
        verifyTokenEndPoint = string.Format("https://graph.facebook.com/debug_token?input_token={0}&access_token={1}", accessToken, appToken);
    }
    else if (provider == "Google")
    {
        verifyTokenEndPoint = string.Format("https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={0}", accessToken);
    }
    else
    {
        return null;
    }
If the token is found, it returns a new ASP.NET bearer token:
    var accessTokenResponse = GenerateLocalAccessTokenResponse(user.UserName);
    return Ok(accessTokenResponse);
With [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] the OWIN Middleware uses the external bearer token to access the 3rd party's Cookie and Register a new account (Or find existing).
OWIN Middleware cannot be configured to accept external bearer tokens instead of local authority tokens. External bearer tokens are only used for Authentication and Registration.
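
An added example (not part of the original posts and not Taiseer Joudeh's code) of the check the manual verification step needs once the provider has answered: the token must have been issued to your own application, not merely be valid at the provider. It assumes the response fields `audience`, `user_id`, `expires_in` (Google tokeninfo v1) and `data.app_id`, `data.user_id`, `data.is_valid` (Facebook debug_token), and uses Json.NET; the class name, client IDs and JSON samples are constructed.

```csharp
using System;
using Newtonsoft.Json.Linq;

// Added example: class name, client ids and JSON samples are constructed.
public static class ExternalTokenCheck
{
    // Returns the provider's user id, or null if the token must be rejected.
    public static string GetVerifiedUserId(string provider, string json, string expectedAppId)
    {
        JObject body = JObject.Parse(json);
        string audience, userId;
        bool live;
        if (provider == "Facebook")
        {
            JObject data = body["data"] as JObject;
            if (data == null) return null;              // error response, no token data
            audience = (string)data["app_id"];
            userId = (string)data["user_id"];
            live = (bool?)data["is_valid"] == true;
        }
        else if (provider == "Google")
        {
            audience = (string)body["audience"];
            userId = (string)body["user_id"];
            live = ((int?)body["expires_in"] ?? 0) > 0;
        }
        else
        {
            return null;
        }
        // A token issued to a different app is still valid at the provider;
        // accepting it here would let any other app's token sign its user in.
        bool issuedToUs = string.Equals(audience, expectedAppId, StringComparison.Ordinal);
        return live && issuedToUs && !string.IsNullOrEmpty(userId) ? userId : null;
    }

    public static void Main()
    {
        const string ours = "1234.apps.example";        // constructed client id
        string good = "{\"audience\":\"1234.apps.example\",\"user_id\":\"42\",\"expires_in\":3500}";
        string other = "{\"audience\":\"9999.apps.example\",\"user_id\":\"42\",\"expires_in\":3500}";
        Console.WriteLine(GetVerifiedUserId("Google", good, ours) ?? "rejected");
        Console.WriteLine(GetVerifiedUserId("Google", other, ours) ?? "rejected");
    }
}
```

When building the verification URL itself, pass the token through `Uri.EscapeDataString` before formatting it into the query string.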