来自自定义身份验证服务器的MVC前端身份JWT令牌

Question

I am have been stumbling around the web for the past day trying to figure out how I can attach an MVC ASP.NET 4.5 app to an authentication server that I created using examples posted on bitoftech.net ( http://bitoftech.net/2015/01/21/asp-net-identity-2-with-asp-net-web-api-2-accounts-management/ )

Now the authentication/webapi server itself is running well, I had to make some mods to get this working in MySQL but all in all it is working and protecting the webapi endpoints, so excellent on that part.

But for the life of me I cannot figure out how to get an MVC app to simply use this token endpoint to consume tokens and authenticate users.

I can make a call to the token api as part of a login form and receive the token, but I have no idea on how I am suppose to consume that token for use in the MVC app. Also I think I have it all wrong as I think the OWIN middleware should be the one calling the authentication server. But in saying that, I don't want the user to be navigated to the authentication server for the login either.

This is a bit confusing, I am very new to this type of authentication, and it seems the more I read the more I get confused, maybe because of all the different examples out there, all for slightly different approaches and some very outdated examples.

So if anyone can point me to an example of what it is I am trying to achieve of make one up and post I would be very grateful.

Regards Jason Coley

This is the code that my accountservice uses to call the identity server

var client = new OAuth2Client(new Uri(oathBaseUrl()));
TokenResponse token = await client.RequestResourceOwnerPasswordAsync(model.Email, model.Password);

I have used the Thinktecture.IdentityModel.Client here to simplify this process.

I have also used this method below which does give me the access-token correctly.

        using (var client = new HttpClient(new HttpClientHandler ))
        {
            client.BaseAddress = new Uri(oathBaseUrl());
            client.DefaultRequestHeaders.Accept.Clear();
            client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

            var values = new Dictionary<string, string>
            {
                { OAuth2Constants.GrantType, OAuth2Constants.Password },
                { OAuth2Constants.UserName, model.Email },
                { OAuth2Constants.Password, model.Password }
            };

            var form = new FormUrlEncodedContent(values);

            var response = client.PostAsync("", form).Result;
            if (response.IsSuccessStatusCode)
            {
                response.EnsureSuccessStatusCode();

                var tokenResponse = response.Content.ReadAsStringAsync().Result;
                var json = JObject.Parse(tokenResponse);
                var jwt = json["access_token"].ToString();

Answer 1

The simplest thing to do would be to pass the token value into a httponly cookie and use that in your app in the normal way to identify the user. If you post the code where you get the token I can probably expand; there are libraries to handle this for you