简体   繁体   English

OWIN OpenID连接授权无法授权安全控制器/操作

[英]OWIN OpenID connect authorization fails to authorize secured controller / actions

I am working on a project where a third party provider will act as an Oauth2 based Authorization Server. 我正在开发一个项目,其中第三方提供商将充当基于Oauth2的授权服务器。 An Asp.net MVC 5 based client which will send the user to the authorization server to authenticate (using login / password) and the auth server will return an access token back to the MVC client. 一个基于Asp.net MVC 5的客户端,它将用户发送给授权服务器进行身份验证(使用登录/密码),auth服务器将一个访问令牌返回给MVC客户端。 Any further calls to resource servers (APIs) will be made using the access token. 将使用访问令牌对资源服务器(API)进行任何进一步调用。

To achieve this I am using Microsoft.Owin.Security.OpenIdConnect and the UseOpenIdConnectAuthentication extension. 为此,我使用的是Microsoft.Owin.Security.OpenIdConnect和UseOpenIdConnectAuthentication扩展。 I am able to successfully redirect and get the access token from the auth server but the client is not creating an Authentication Cookie. 我能够成功重定向并从auth服务器获取访问令牌,但客户端没有创建身份验证Cookie。 Every time I try to access a secured page, I get the callback page with access token. 每次我尝试访问安全页面时,都会获得带有访问令牌的回调页面。

What am I missing here? 我在这里错过了什么? My current code is below. 我目前的代码如下。

The secured controller action: 安全控制器动作:

namespace MvcWebApp.Controllers
    public class SecuredController : Controller
        // GET: Secured
        public ActionResult Index()
            return View((User as ClaimsPrincipal).Claims);

The Startup Class: 启动类:

public class Startup
    public void Configuration(IAppBuilder app)

        app.UseCookieAuthentication(new CookieAuthenticationOptions
            AuthenticationMode = AuthenticationMode.Active,
            AuthenticationType = "ClientCookie",
            CookieName = CookieAuthenticationDefaults.CookiePrefix + "ClientCookie",
            ExpireTimeSpan = TimeSpan.FromMinutes(5)

        // ***************************************************************************
        // Approach 1 : ResponseType = "id_token token"
        // ***************************************************************************
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            AuthenticationMode = AuthenticationMode.Active,
            AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType,
            SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType(),
            Authority = "https://thirdparty.com.au/oauth2",
            ClientId = "_Th4GVMa0JSrJ8RKcZrzbcexk5ca",
            ClientSecret = "a3GVJJbLHkrn9nJRj3IGNvk5eGQa",
            RedirectUri = "http://mvcwebapp.local/",
            ResponseType = "id_token token",
            Scope = "openid",

            Configuration = new OpenIdConnectConfiguration
                AuthorizationEndpoint = "https://thirdparty.com.au/oauth2/authorize",
                TokenEndpoint = "https://thirdparty.com.au/oauth2/token",
                UserInfoEndpoint = "https://thirdparty.com.au/oauth2/userinfo",

            Notifications = new OpenIdConnectAuthenticationNotifications
                SecurityTokenValidated = n =>
                    var token = n.ProtocolMessage.AccessToken;

                    // persist access token in cookie
                    if (!string.IsNullOrEmpty(token))
                            new Claim("access_token", token));

                    return Task.FromResult(0);

                AuthenticationFailed = notification =>
                    if (string.Equals(notification.ProtocolMessage.Error, "access_denied", StringComparison.Ordinal))


                    return Task.FromResult<object>(null);

        // ***************************************************************************
        // Approach 2 : ResponseType = "code"
        // ***************************************************************************
        //app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        //    AuthenticationMode = AuthenticationMode.Active,
        //    AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType,
        //    SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType(),
        //    Authority = "https://thirdparty.com.au/oauth2",
        //    ClientId = "_Th4GVMa0JSrJ8RKcZrzbcexk5ca",
        //    ClientSecret = "a3GVJJbLHkrn9nJRj3IGNvk5eGQa",
        //    RedirectUri = "http://mvcwebapp.local/",
        //    ResponseType = "code",
        //    Scope = "openid",

        //    Configuration = new OpenIdConnectConfiguration
        //    {
        //        AuthorizationEndpoint = "https://thirdparty.com.au/oauth2/authorize",
        //        TokenEndpoint = "https://thirdparty.com.au/oauth2/token",
        //        UserInfoEndpoint = "https://thirdparty.com.au/oauth2/userinfo",
        //    },

        //    Notifications = new OpenIdConnectAuthenticationNotifications
        //    {
        //        AuthorizationCodeReceived = async (notification) =>
        //        {
        //            using (var client = new HttpClient())
        //            {
        //                var configuration = await notification.Options.ConfigurationManager.GetConfigurationAsync(notification.Request.CallCancelled);                                        
        //                var request = new HttpRequestMessage(HttpMethod.Get, configuration.TokenEndpoint);
        //                request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        //                {
        //                    {OpenIdConnectParameterNames.ClientId, notification.Options.ClientId},
        //                    {OpenIdConnectParameterNames.ClientSecret, notification.Options.ClientSecret},
        //                    {OpenIdConnectParameterNames.Code, notification.ProtocolMessage.Code},
        //                    {OpenIdConnectParameterNames.GrantType, "authorization_code"},
        //                    {OpenIdConnectParameterNames.ResponseType, "token"},
        //                    {OpenIdConnectParameterNames.RedirectUri, notification.Options.RedirectUri}
        //                });

        //                var response = await client.SendAsync(request, notification.Request.CallCancelled);
        //                response.EnsureSuccessStatusCode();

        //                var payload = JObject.Parse(await response.Content.ReadAsStringAsync());

        //                // Add the access token to the returned ClaimsIdentity to make it easier to retrieve.
        //                notification.AuthenticationTicket.Identity.AddClaim(new Claim(
        //                    type: OpenIdConnectParameterNames.AccessToken,
        //                    value: payload.Value<string>(OpenIdConnectParameterNames.AccessToken)));
        //            }
        //        }
        //    }



TL;DR: use ResponseType = "id_token token" and it should work. TL; DR:使用ResponseType = "id_token token"它应该可以工作。

In OpenID Connect, response_type=token is not considered as a legal value: http://openid.net/specs/openid-connect-core-1_0.html#Authentication . 在OpenID Connect中, response_type=token不被视为合法值: http//openid.net/specs/openid-connect-core-1_0.html#Authentication

Sometimes implemented for backward compatibility reasons, response_type=token is not supported by the OIDC middleware developed by MSFT: an exception is always thrown when no id_token is returned by the OpenID Connect provider (which also excludes the valid code flow). 有时为了向后兼容性而实现,MSFT开发的OIDC中间件不支持response_type=token :当OpenID Connect提供程序没有返回id_token时, id_token抛出异常(这也排除了有效的code流)。 You can find more information on this other SO post . 您可以在此其他SO帖子中找到更多信息。

(remark: in SecurityTokenValidated , you're replacing the ticket created by the OIDC middleware using n.AuthenticationTicket = new AuthenticationTicket(...) : it's not the recommended approach and will result in a ClaimsIdentity missing the essential claims. You should consider removing the assignation and simply add new claims like you do for the access_token claim) (注意:在SecurityTokenValidated ,您正在使用n.AuthenticationTicket = new AuthenticationTicket(...)替换OIDC中间件创建的票证:这不是推荐的方法,并且会导致ClaimsIdentity缺少必要的声明。您应该考虑删除分配并简单地添加新的声明,就像你为access_token声明做的那样)

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Asp.net 4.8 WebForms授权使用Owin OpenId Connect Authentication (app.UseOpenIdConnectAuthentication) - Asp.net 4.8 WebForms authorization using Owin OpenId Connect Authentication (app.UseOpenIdConnectAuthentication) Orchard CMS,OWIN,OpenID Connect和Azure网站 - Orchard CMS, OWIN, OpenID Connect, and Azure Website Owin Bearer令牌认证+授权控制器 - Owin Bearer Token Authentication + Authorize controller openid connect owin 如何验证来自 Azure AD 的令牌? - How does the openid connect owin validate the token from Azure AD? OWIN OpenID Connect中间件不能用ClaimsPrincipal代替当前用户 - OWIN OpenID Connect Middleware Not Replacing Current User with ClaimsPrincipal ASP.NET OWIN OpenID Connect 未创建用户身份验证 - ASP.NET OWIN OpenID Connect not creating user authentication 如何在 OpenID-Connect OWIN MVC 中重定向之前执行操作 - How to perform an action before redirect in OpenID-Connect OWIN MVC 如何使用OWIN通过令牌直接通过OpenID Connect进行身份验证 - How can I use OWIN to authenticate with OpenID Connect directly with a token 如何从 OWIN 中的 ./well-known/openid-connect URL 获取 OpenId Connect 配置? - How to get OpenId Connect Configuration from ./well-known/openid-connect URL in OWIN? ASP.NET 使用外部 OpenID Connect 提供程序进行核心认证/授权 - ASP.NET Core authentication/authorization with external OpenID Connect provider
粤ICP备18138465号  © 2020-2024 STACKOOM.COM