I am creating an ASP.NET MVC 5 application. I have no access to a database . Everything I do goes through a WebApi .
I want to authenticate users through this API and at the same time get an access token.
How can I do this without throwing away all of the account maintenance code that Visual Studio places in my MVC 5 application?
I thought that this would be in the framework somewhere, but everything I find on the internet seems like a hack. I refuse to hack anything dealing with security. How can I do this?
I'm working with a virgin ASP.NET MVC 5 application. There is no custom code here.
How can I add a hook into the log-in logic to get the token from the WebApi whenever the user signs in?
I have done the following:
public class ApplicationSignInManager : SignInManager<ApplicationUser, string>
{
// Constructor and other code have been hidden to simplify this sample.
public override async Task<SignInStatus> PasswordSignInAsync(string userName, string password, bool isPersistent, bool shouldLockout)
{
var status = await base.PasswordSignInAsync(userName, password, isPersistent, shouldLockout);
if (status == SignInStatus.Success)
{
var baseAddress = new Uri(ConfigurationManager.AppSettings["WebApiAddress"]);
var client = new HttpClient { BaseAddress = baseAddress };
var response = await client.PostAsync("Token", new StringContent(String.Format("grant_type=password&username={0}&password={1}", userName, password), Encoding.UTF8));
response.EnsureSuccessStatusCode();
var tokenResponse = await response.Content.ReadAsStringAsync();
var json = JObject.Parse(tokenResponse);
var token = json["access_token"].ToString();
token.ToString();
HttpContext.Current.Session["AccessToken"] = token;
}
return status;
}
}
I am going to refactor this code so that this becomes a method call.
If this is a bad idea, please let me know. If there is a better location for this, let me know that as well. I don't like this. It feels like a hack, but I don't know what else to do.
In the default template, you authenticate by calling /token with username, password, and grant_type, something like this:
POST /token HTTP/1.1
Host: yoursite.com
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=something@something.com&password=mypass
This should return a token that you can set as a header in your consecutive requests to authenticate your users, something like:
GET /api/sms HTTP/1.1
Host: yoursite.com
Authorization: Bearer hegRkzAdXHE-JzAccW-ANpJEyyMU0gBS80ZMxMa1mtpbqGNNtvifMsHVM1O7AinNhIkQuyHbz3wrRcUA0veAC32N8_Oig5f58S6mXiNUbA4y7qLbr4HPyXBQLNq3F29LsnDWJ-cPCivWB13cPeS2en6q39E_ix2CErDDLh-X5i-vmOrK5XgqK1PUlIkyRoA6fvwKKQ3HVrQvNV3D0WSBlIt7i8ykMTnIofAj1_4hpmrQdlLaxq3zfUG9JQbeedUSP5WcjTs1dwdUcJrZWUDrGLHp8bgQ4Av_zx27opx25yyWLOdVsceeth2ytZ0G5vo_m_PCApN9TJGtU70eaYdLa0ZLLIXpG1pDilpGgTeT-bp1qhA8LqKxtXkH54X_o8GlOstoT6NjeyEBG80ZjmHZS_dMn_Uve-qKDGdKPM4JuvBRU2Cqt2M5FiUdGsDjdkOxFVb4xwfAaz0QbwmOAz7xIywIszfEw3blg4eQLefPBAM
Cache-Control: no-cache
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.