
OWIN middleware for OpenID Connect - Code flow (Flow type - AuthorizationCode) documentation?

In my implementation I am using OpenID-Connect Server (Identity Server v3+) to authenticate an ASP.NET MVC 5 app (with AngularJS front-end).

I am planning to use OID Code flow (with Scope Open_ID) to authenticate the client (RP). For the OpenID Connect middleware, I am using OWIN (Katana Project) components.

Before the implementation, I want to understand the back-channel token request, refresh token request process, etc. using OWIN. But I am unable to find any documentation for this type of implementation (most of the available examples use Implicit flow).

I could find samples for a generic Code flow implementation for ID Server v3 here: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source

I am looking for a similar one using OWIN middleware. Does anyone have any pointers?

Edit: good news, code flow and response_mode=query support was finally added to Katana, as part of the 4.1 release (that shipped in November 2019): https://github.com/aspnet/AspNetKatana/wiki/Roadmap#410-release-november-2019


The OpenID Connect middleware doesn't support the code flow: http://katanaproject.codeplex.com/workitem/247 (it's already fixed in the ASP.NET 5 version, though).

Actually, only the implicit flow (id_token) is officially supported, and you have to use the response_mode=form_post extension. Trying to use the authorization code flow will simply result in an exception being thrown during the callback, because it won't be able to extract the (missing) id_token from the authentication response.

Though not directly supported, you can also use the hybrid flow (code + id_token (+ token)), but it's up to you to implement the token request part. You can see https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Nancy/Nancy.Client/Startup.cs#L82-L115 for an example.

The answer and comment replies by Pinpoint are spot on. Thanks!

But if you are willing to step away from the NuGet package and instead run modified source code for Microsoft.Owin.Security.OpenIdConnect, you can get code (code) flow with form_post.

Of course this can be said for all open source project problems, but this was a quick solution for a big thing in my case, so I thought I'd share that it could be an option.

I downloaded code from https://github.com/aspnet/AspNetKatana, added the csproj to my solution and removed lines from https://github.com/aspnet/AspNetKatana/blob/dev/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs in AuthenticateCoreAsync().

You must then combine it with backchannel calls and then create your own new ClaimsIdentity() to set as the notification.AuthenticationTicket.

// Install-Package IdentityModel to handle the backchannel calls in a nicer fashion
AuthorizationCodeReceived = async notification =>
{
    // Discovery document (token and userinfo endpoints) from the middleware's own configuration manager
    var configuration = await notification.Options.ConfigurationManager
        .GetConfigurationAsync(notification.Request.CallCancelled);

    // Back-channel token request: exchange the authorization code, authenticating with the client secret
    var tokenClient = new TokenClient(configuration.TokenEndpoint,
        notification.Options.ClientId, notification.Options.ClientSecret,
        AuthenticationStyle.PostValues);
    var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(
        notification.ProtocolMessage.Code,
        "http://localhost:53004/signin-oidc",   // must match the redirect_uri used in the authorization request
        cancellationToken: notification.Request.CallCancelled);

    if (tokenResponse.IsError
        || string.IsNullOrWhiteSpace(tokenResponse.AccessToken)
        || string.IsNullOrWhiteSpace(tokenResponse.RefreshToken))
    {
        // Stop the middleware from signing the user in and return an error to the browser
        notification.HandleResponse();
        notification.Response.Write("Error retrieving tokens.");
        return;
    }

    // Fetch the user's claims from the userinfo endpoint with the freshly issued access token
    var userInfoClient = new UserInfoClient(configuration.UserInfoEndpoint);
    var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);

    if (userInfoResponse.IsError)
    {
        notification.HandleResponse();
        notification.Response.Write("Error retrieving user info.");
        return;
    }
    ..
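As an added example (not code from either answer, and not from the Katana or IdentityModel projects), the following Startup puts both pieces together that the two answers describe: Pinpoint's point that the hybrid flow (code + id_token) works with the stock middleware but "it's up to you to implement the token request part", and the second answer's advice to combine back-channel calls with your own ClaimsIdentity set on notification.AuthenticationTicket. It assumes the Katana 3.x/4.x Microsoft.Owin.Security.OpenIdConnect types, the IdentityModel 2.x client API (TokenClient, UserInfoClient, with UserInfoResponse.Claims as IEnumerable<Claim>), and the authority, client id, client secret and redirect URI are hypothetical placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel.Client;                       // Install-Package IdentityModel (2.x API assumed)
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(RpSample.Startup))]

namespace RpSample
{
    public class Startup
    {
        // Hypothetical values for this example; read the real ones from secure configuration.
        private const string Authority    = "https://idsrv.example.test/identity";
        private const string ClientId     = "mvc-rp";
        private const string ClientSecret = "<client secret, loaded from secure configuration>";
        private const string RedirectUri  = "https://localhost:44300/signin-oidc";

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority    = Authority,
                ClientId     = ClientId,
                ClientSecret = ClientSecret,
                RedirectUri  = RedirectUri,
                // Hybrid flow: the middleware validates the front-channel id_token (signature, nonce,
                // audience); the code is redeemed on the back channel below, never in the browser.
                ResponseType = "code id_token",
                Scope        = "openid profile offline_access",
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthorizationCodeReceived = RedeemCodeAsync
                }
            });
        }

        private static async Task RedeemCodeAsync(AuthorizationCodeReceivedNotification notification)
        {
            var ct = notification.Request.CallCancelled;
            var discovery = await notification.Options.ConfigurationManager.GetConfigurationAsync(ct);

            // Server-to-server code exchange, authenticated with the client secret.
            var tokenClient = new TokenClient(discovery.TokenEndpoint, ClientId, ClientSecret,
                                              AuthenticationStyle.PostValues);
            var tokens = await tokenClient.RequestAuthorizationCodeAsync(
                notification.ProtocolMessage.Code, RedirectUri, cancellationToken: ct);
            if (tokens.IsError || string.IsNullOrWhiteSpace(tokens.AccessToken))
            {
                Fail(notification, "Token request failed: " + tokens.Error);
                return;
            }

            var userInfo = await new UserInfoClient(discovery.UserInfoEndpoint).GetAsync(tokens.AccessToken, ct);
            if (userInfo.IsError)
            {
                Fail(notification, "UserInfo request failed: " + userInfo.Error);
                return;
            }

            // OIDC Core 5.3.2: the UserInfo "sub" must equal the id_token "sub". The JWT handler may have
            // mapped "sub" to ClaimTypes.NameIdentifier on the validated identity, so check both names.
            var validated = notification.AuthenticationTicket.Identity;
            var idTokenSub = (validated.FindFirst("sub") ?? validated.FindFirst(ClaimTypes.NameIdentifier))?.Value;
            var userInfoSub = userInfo.Claims.FirstOrDefault(c => c.Type == "sub")?.Value;
            if (string.IsNullOrEmpty(idTokenSub) || idTokenSub != userInfoSub)
            {
                Fail(notification, "UserInfo subject does not match the id_token subject.");
                return;
            }

            // Build the identity that the cookie middleware will persist.
            var identity = new ClaimsIdentity(validated.AuthenticationType, "name", "role");
            identity.AddClaims(userInfo.Claims);
            identity.AddClaim(new Claim("access_token", tokens.AccessToken));
            identity.AddClaim(new Claim("expires_at",
                DateTime.UtcNow.AddSeconds(tokens.ExpiresIn).ToString("o")));
            if (!string.IsNullOrWhiteSpace(tokens.RefreshToken))
                identity.AddClaim(new Claim("refresh_token", tokens.RefreshToken));

            notification.AuthenticationTicket =
                new AuthenticationTicket(identity, notification.AuthenticationTicket.Properties);
        }

        // Stop the middleware from signing the user in and return an error instead.
        private static void Fail(AuthorizationCodeReceivedNotification notification, string reason)
        {
            notification.HandleResponse();
            notification.Response.StatusCode = 400;
            notification.Response.Write(reason);
        }
    }
}
```

The nonce and state checks on the front-channel id_token are done by the middleware before AuthorizationCodeReceived runs, which is why the hybrid flow is workable with the stock package; the back-channel exchange is protected by the client secret and by the token endpoint's own redirect_uri check, so RedirectUri must be the exact value registered for the client. Storing the refresh token as a claim puts a long-lived credential into the (encrypted) auth cookie; keeping it server-side, keyed by session, and using an https redirect URI limits what a stolen cookie or a logged callback URL exposes.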
