OAuth承載令牌無效
[英]OAuth bearer token not working
問題描述
我有一個auth-provider的最小設置,它設置了聲明身份
public class SimpleAuthorizationProvider : OAuthAuthorizationServerProvider
{
public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
context.Validated();
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
if (context.UserName != context.Password)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));
context.Validated(identity);
}
}
我正在嘗試訪問hello-world-api,這會給出未經授權的訪問錯誤。
public class HelloWorldApiController : ApiController
{
[HttpGet]
[Route("api/hello")]
//[AllowAnonymous]
[Authorize]
public HttpResponseMessage FetchAllEnum()
{
return Request.CreateResponse(HttpStatusCode.OK, "Hello World!!!");
}
}
但我正在獲得上述API的401 /未經授權的訪問權限。 我確實將持有者令牌返回給web-api,我也將它作為Bearer ABCD****傳遞給服務器。 我確實看到在Visual Studio中調試時設置了授權標頭。
如果我調試AuthorizeAttribute ,我得到user.Identity.IsAuthenticated為false ,這實際上導致了問題。 但鑒於我確實看到了Authorization標頭集並且我在OAuthProvider設置了聲明詳細信息,為什么AuthorizeAttribute沒有讀取該信息?
注意:這是一個Web API項目,因此沒有對MVC AuthorizeAttribute的引用。
這是OWIN設置:
public static class WebApiConfig
{
public static HttpConfiguration Register()
{
var config = new HttpConfiguration();
config.MapHttpAttributeRoutes();
//config.SuppressDefaultHostAuthentication(); //tried with/without this line
config.Filters.Add(new AuthorizeAttribute());
config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*"));
return config;
}
}
public class OwinConfiguration
{
// ReSharper disable once UnusedMember.Local
public void Configuration(IAppBuilder app)
{
ConfigureOAuth(app);
app.UseCors(CorsOptions.AllowAll);
app.UseWebApi(WebApiConfig.Register());
}
private void ConfigureOAuth(IAppBuilder app)
{
var options = new OAuthAuthorizationServerOptions
{
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60),
Provider = new SimpleAuthorizationProvider()
};
app.UseOAuthAuthorizationServer(options);
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}
}
2 個解決方案
解決方案1
5 2015-05-20 12:58:06
使其工作config.Filters.Add(new HostAuthenticationAttribute("bearer")); 需要添加此行beofre authorize屬性...
public static HttpConfiguration Register()
{
var config = new HttpConfiguration();
config.MapHttpAttributeRoutes();
config.Filters.Add(new HostAuthenticationAttribute("bearer")); //added this
config.Filters.Add(new AuthorizeAttribute());
config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*"));
return config;
}
解決方案2
1 已采納 2017-06-02 22:46:35
另一個可能對我有用的解決方案是不使用HostAuthenticationAttribute,而是將OWIN過濾器設置為Active過濾器,如下所示:
var bearerOptions = new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = new JwtFormat(validationParameters),
AuthenticationMode = AuthenticationMode.Active,
};
OAuth承載令牌不適用於WebApi
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.