stackoom
  简体   繁体   中英

API end point returning “Authorization has been denied for this request.” when sending bearer token

 原文  2015-01-12 22:42:14       c#/ oauth/ asp.net-web-api2/ owin

Question

I've followed a tutorial to protect a Web API with OAuth in C#.

I'm doing some tests and so far I've been able to get the access token successfully from /token . I'm using a Chrome extension called "Advanced REST Client" to test it. 

{"access_token":"...","token_type":"bearer","expires_in":86399}

This is what I get back from /token . Everything looks good.

My next request is to my test API Controller: 

namespace API.Controllers
{
    [Authorize]
    [RoutePrefix("api/Social")]
    public class SocialController : ApiController
    {
      ....


        [HttpPost]
        public IHttpActionResult Schedule(SocialPost post)
        {
            var test = HttpContext.Current.GetOwinContext().Authentication.User;

            ....
            return Ok();
        }
    }
}

The request is a POST and has the header: 

Authorization: Bearer XXXXXXXTOKEHEREXXXXXXX

I get: Authorization has been denied for this request. returned in JSON.

I tried doing a GET as well and I get what I would expect, that the method isn't supported since I didn't implement it.

Here is my Authorization Provider: 

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {

        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });

        using (var repo = new AuthRepository())
        {
            IdentityUser user = await repo.FindUser(context.UserName, context.Password);

            if (user == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim(ClaimTypes.Role, "User"));

        context.Validated(identity); 

    }
}

Any help would be great. I'm not sure if it is the request or the code that is wrong.

edit: Here is my Startup.cs 

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var config = new HttpConfiguration();
        WebApiConfig.Register(config);
        app.UseWebApi(config);
        ConfigureOAuth(app);
    }

    public void ConfigureOAuth(IAppBuilder app)
    {
        var oAuthServerOptions = new OAuthAuthorizationServerOptions()
        {
            AllowInsecureHttp = true,
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
            Provider = new SimpleAuthorizationServerProvider()
        };

        // Token Generation
        app.UseOAuthAuthorizationServer(oAuthServerOptions);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

    }
}

3 answers

solution1
 30 ACCPTED  2015-08-21 22:58:51

Issue is pretty simple: Change order of your OWIN pipeline . 

public void Configuration(IAppBuilder app)
{
    ConfigureOAuth(app);
    var config = new HttpConfiguration();
    WebApiConfig.Register(config);
    app.UseWebApi(config);
}

For OWIN pipeline order of your configuration quite important. In your case, you try to use your Web API handler before the OAuth handler. Inside of it, you validate your request, found you secure action and try to validate it against current Owin.Context.User . At this point this user not exist because its set from the token with OAuth Handler which called later.

solution2
 2  2015-01-13 10:05:59

You have to add a claim with this schema: 

http://schemas.microsoft.com/ws/2008/06/identity/claims/role

best thing to do is to use the pre-defined set of claims: 

identity.AddClaim(new Claim(ClaimTypes.Role, "User"));

You can find ClaimTypes in System.Security.Claims .

Another thing you have to consider is filter roles in your Controller/Action: 

[Authorize(Roles="User")]

You can find a simple sample app, self-hosted owin with a jquery client here .

solution3
 0  2015-03-29 09:27:52

Looks like the version of " System.IdentityModel.Tokens.Jwt" that co-exists with the other Owin assemblies is not proper.

In case you're using "Microsoft.Owin.Security.Jwt" version 2.1.0, you ought to be using the "System.IdentityModel.Tokens.Jwt" assembly of version 3.0.2.

From the package manager console, try: 

Update-Package System.IdentityModel.Tokens.Jwt -Version 3.0.2

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure AD with Bearer token authentication for Web API not working throwing error as “Authorization has been denied for this request.” Authorization has been denied for this request. Always Authorization has been denied for this request. Postman Always get “Authorization has been denied for this request.” using Bearer tokens in Identity 2? Authorization has been denied for this request : JWT Bearer “Message”: “Authorization has been denied for this request.” OWIN middleware Always getting the “Authorization has been denied for this request.” message OAuth token authorization (request has been denied) httpclient token Authorization has been denied for this request How to Modify “Authorization has been denied for this request.” Using filter HostAuthenticationFilter
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM