Authorization header while using IdentityModel.AspNetCore
I'm using the IdentityModel.AspNetCore package to access a protected API using the client credentials flow.

In my startup, I have the following configuration:
```csharp
services.AddAccessTokenManagement(options =>
{
    options.Client.Clients.Add("oauth", new ClientCredentialsTokenRequest
    {
        Address = Configuration.GetValue<string>("Endpoint"),
        ClientId = Configuration.GetValue<string>("ClientId"),
        ClientSecret = Configuration.GetValue<string>("ClientSecret"),
        Scope = Configuration.GetValue<string>("Scope")
    });
});

services.AddClientAccessTokenClient("client", configureClient: client =>
{
    client.BaseAddress = new Uri(Configuration.GetValue<string>("ApiBaseUrl"));
});
```
In my service I'm getting a client instance using IHttpClientFactory:

```csharp
var client = clientFactory.CreateClient("client");
```

This code is working fine, and I can access the API.

My question is, when I expand the client instance I get from clientFactory, the Authorization header in there is null. So I'm very confused how this is working. I expected that it'll have the Authorization header value set with the bearer token details.

So how is this working? How is the bearer token set by IdentityModel?

(The API is correctly authorizing, it seems, as if I change the client secret it'll give a 401.)
.NET allows you to attach DelegatingHandlers to an HttpClient to intercept and modify the requests & responses. After you send a request, it goes through a stack of handlers before actually being sent through the network.
```csharp
using System.Diagnostics;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

public class MessageHandler1 : DelegatingHandler
{
    protected async override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        Debug.WriteLine("Process request");
        // Call the inner handler.
        var response = await base.SendAsync(request, cancellationToken);
        Debug.WriteLine("Process response");
        return response;
    }
}
```
The IdentityModel library works the same way. It intercepts the request, and adds the Authorization header before sending it. Then it checks the response for HTTP 401 errors, and refreshes the token and repeats the request.

Here's how it works (source):
```csharp
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
    await SetTokenAsync(request, forceRenewal: false, cancellationToken);
    var response = await base.SendAsync(request, cancellationToken);

    // retry if 401
    if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
    {
        response.Dispose();

        await SetTokenAsync(request, forceRenewal: true, cancellationToken);
        return await base.SendAsync(request, cancellationToken);
    }

    return response;
}
```
As for the actual Authorization header that seems to be missing, you can find it inside the HttpResponseMessage.RequestMessage property.

From the docs (emphasis mine):

This property is set to the request message which led to this response message. In the case of a request sent using HttpClient, this property will point to the actual request message leading to the final response. Note that this may not be the same message the user provided when sending the request. This is typically the case if the request needs to be resent due to redirects or authentication. This property can be used to determine what URL actually created the response (useful in case of redirects).
Further references:
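To see the mechanism end to end without a real token endpoint, here is an added example (not code from the question or from IdentityModel) that uses a simplified stand-in for the token handler and a fake API at the bottom of the handler stack which rejects the first token; the token values and the URL are constructed. It shows that the client's DefaultRequestHeaders never carry the Authorization header, while the request that actually reached the API (response.RequestMessage) does.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Stand-in for IdentityModel's token handler (assumed simplification, not the library's code):
// attaches a bearer token to every request and retries once with a renewed token on 401.
class TokenHandler : DelegatingHandler
{
    private string _token = "token-v1"; // constructed sample token, not a real credential

    private Task SetTokenAsync(HttpRequestMessage request, bool forceRenewal)
    {
        if (forceRenewal) _token = "token-v2"; // stands in for fetching a fresh token
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _token);
        return Task.CompletedTask;
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        await SetTokenAsync(request, forceRenewal: false);
        var response = await base.SendAsync(request, ct);
        if (response.StatusCode != HttpStatusCode.Unauthorized) return response;
        response.Dispose();
        await SetTokenAsync(request, forceRenewal: true);
        return await base.SendAsync(request, ct);
    }
}

// Fake API at the bottom of the handler stack: accepts only the renewed token, so the first attempt gets a 401.
class FakeApiHandler : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var status = request.Headers.Authorization?.Parameter == "token-v2" ? HttpStatusCode.OK : HttpStatusCode.Unauthorized;
        return Task.FromResult(new HttpResponseMessage(status) { RequestMessage = request });
    }
}

class Program
{
    static async Task Main()
    {
        var client = new HttpClient(new TokenHandler { InnerHandler = new FakeApiHandler() });
        var response = await client.GetAsync("https://api.example.test/resource"); // constructed URL
        Console.WriteLine($"client.DefaultRequestHeaders.Authorization: {client.DefaultRequestHeaders.Authorization?.ToString() ?? "null"}");
        Console.WriteLine($"status: {(int)response.StatusCode}, header actually sent: {response.RequestMessage.Headers.Authorization}");
    }
}
```

The first line prints "null", matching what the question observed in the debugger; the second shows the 200 obtained on the retry together with the renewed bearer token taken from the request that produced the final response.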