[英]Webapi get bearer token
我在練習asp.net webapi,想做分離授權服務。
所以我實現了基於token的授權服務(owin),以及數據提供者服務。 現在我想覆蓋數據提供程序服務中的 Authorize 屬性。 它必須從當前請求中獲取承載令牌,向授權服務發出請求,接收有關用戶及其角色的信息。
問題是:如何在我的自定義屬性中獲取不記名令牌,也許有更好的方法來進行這種“令牌轉移”?
我想像這樣使用它:
//data service
[CustomAttribute (Roles = "admin")]
public IEnumerable<string> Get()
{
return new string[] { "value1", "value2" };
}
public class CustomAttribute : System.Web.Mvc.AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext context)
{
using (WebClient client = new WebClient())
{
string bearerToken;
//somehow get token
client.Headers.Add("Authorization", "Bearer " + bearerToken);
string userinfo = client.DownloadString("authURL/GetUserInfo");
CustomUser user = JsonConvert.DeserializeObject<CustomUser>(userinfo);
if (!user.Roles == this.Roles)
{
//return 401
}
}
}
}
// authorization service
public async Task<UserInfoResponse> GetUserInfo()
{
var owinContext = HttpContext.Current.GetOwinContext();
int userId = owinContext.Authentication.User.Identity.GetUserId<int>();
var response = new UserInfoResponse()
{
UserId = userId.ToString(),
Roles = await UserManager.GetRolesAsync(userId)
};
return response;
}
要回答有關如何訪問請求的授權標頭中的不記名令牌的特定問題:
public class CustomAttribute : System.Web.Mvc.AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext context)
{
System.Net.Http.Headers.AuthenticationHeaderValue authorizationHeader = context.HttpContext.Request.Headers.Authorization;
// Check that the Authorization header is present in the HTTP request and that it is in the
// format of "Authorization: Bearer <token>"
if ((authorizationHeader == null) || (authorizationHeader.Scheme.CompareTo("Bearer") != 0) || (String.IsNullOrEmpty(authorizationHeader.Parameter)))
{
// return HTTP 401 Unauthorized
}
using (WebClient client = new WebClient())
{
client.Headers.Add("Authorization", "Bearer " + authorizationHeader.Parameter);
string userinfo = client.DownloadString("authURL/GetUserInfo");
CustomUser user = JsonConvert.DeserializeObject<CustomUser>(userinfo);
if (!user.Roles == this.Roles)
{
// I recommend return HTTP 403 Forbidden here, not 401. At this point
// the request has been authenticated via the bearer token, but the
// authenticated client does not have sufficient roles to execute the
// request, so they are forbidden from doing so. HTTP 401 Unauthorized
// is a bit of a misnomer because the actual intention is to determine
// whether or not the request is authenticated. HTTP 401 also implies
// that the request should be tried again with credentials, but that
// has already been done!
}
}
}
}
可能有更好的方法來做你想做的事情,但我對 MVC 方面的事情和你的應用程序的身份驗證/授權工作流程知之甚少,無法對此提供一個很好的答案。 至少這應該有助於知道從授權屬性中的何處找到標頭值。
正如布萊爾·艾倫 (Blair Allen) 難過的那樣,有更好的方法來做我想做的事。 使用 IdentityServer4 生成令牌,只需檢查令牌簽名,無需任何額外請求。 我切換到網絡核心,這是 mvc 客戶端的解決方案:接收令牌並將其保存在 cookie 中。
[HttpPost]
public async Task<IActionResult> Login(LoginViewModel model)
{
if(!ModelState.IsValid)
{
return View(model);
}
var tokenResult = await AuthService.LoginUserAsync(model.Email, model.Password);
if(!tokenResult.IsSuccess)
{
ModelState.AddModelError("","Wrong email or password");
return View(model);
}
Response.Cookies.Append("access_token", tokenResult.AccessToken, new CookieOptions(){
HttpOnly = true,
SameSite = SameSiteMode.Strict,
Secure = true
});
return RedirectToAction("Index", "Home");
}
然后只需使用
services.AddAuthentication(x =>
{
x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultForbidScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, config =>
{
config.Authority = configuration["TokenServerUrl"];
config.Events = new JwtBearerEvents
{
OnMessageReceived = context =>
{
var token = context.HttpContext.Request.Cookies["access_token"];
context.Token = token;
return Task.CompletedTask;
},
};
config.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = configuration["TokenServerUrl"],
ValidateLifetime = true,
};
});
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.