堆棧內存溢出
  簡體   English   中英

Webapi 獲取不記名令牌

[英]Webapi get bearer token

 原文  2018-04-30 15:36:51       c#/ asp.net-web-api2

問題描述

我在練習asp.net webapi,想做分離授權服務。

所以我實現了基於token的授權服務(owin),以及數據提供者服務。 現在我想覆蓋數據提供程序服務中的 Authorize 屬性。 它必須從當前請求中獲取承載令牌,向授權服務發出請求,接收有關用戶及其角色的信息。

問題是:如何在我的自定義屬性中獲取不記名令牌,也許有更好的方法來進行這種“令牌轉移”?

我想像這樣使用它:

//data service
[CustomAttribute (Roles = "admin")]
public IEnumerable<string> Get()
{
    return new string[] { "value1", "value2" };
}



public class CustomAttribute : System.Web.Mvc.AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext  context)
    {
        using (WebClient client = new WebClient())
        {
            string bearerToken;
            //somehow get token
            client.Headers.Add("Authorization", "Bearer " + bearerToken);
            string userinfo = client.DownloadString("authURL/GetUserInfo");
            CustomUser user = JsonConvert.DeserializeObject<CustomUser>(userinfo);
            if (!user.Roles == this.Roles)
            {
                    //return 401
            }
        } 
    }
}


// authorization service
public async Task<UserInfoResponse> GetUserInfo()
{ 
    var owinContext = HttpContext.Current.GetOwinContext();
    int userId = owinContext.Authentication.User.Identity.GetUserId<int>();
    var response = new UserInfoResponse()
    {
        UserId = userId.ToString(),
        Roles = await UserManager.GetRolesAsync(userId)
    }; 
    return response;
}

2 個解決方案

解決方案1
 2  2018-07-13 12:57:11

要回答有關如何訪問請求的授權標頭中的不記名令牌的特定問題:

public class CustomAttribute : System.Web.Mvc.AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext context)
    {
        System.Net.Http.Headers.AuthenticationHeaderValue authorizationHeader = context.HttpContext.Request.Headers.Authorization;

        // Check that the Authorization header is present in the HTTP request and that it is in the
        // format of "Authorization: Bearer <token>"
        if ((authorizationHeader == null) || (authorizationHeader.Scheme.CompareTo("Bearer") != 0) || (String.IsNullOrEmpty(authorizationHeader.Parameter)))
        {
            // return HTTP 401 Unauthorized
        }

        using (WebClient client = new WebClient())
        {
            client.Headers.Add("Authorization", "Bearer " + authorizationHeader.Parameter);
            string userinfo = client.DownloadString("authURL/GetUserInfo");
            CustomUser user = JsonConvert.DeserializeObject<CustomUser>(userinfo);
            if (!user.Roles == this.Roles)
            {
                    // I recommend return HTTP 403 Forbidden here, not 401. At this point
                    // the request has been authenticated via the bearer token, but the
                    // authenticated client does not have sufficient roles to execute the
                    // request, so they are forbidden from doing so. HTTP 401 Unauthorized
                    // is a bit of a misnomer because the actual intention is to determine
                    // whether or not the request is authenticated. HTTP 401 also implies
                    // that the request should be tried again with credentials, but that
                    // has already been done!
            }
        } 
    }
}

可能有更好的方法來做你想做的事情,但我對 MVC 方面的事情和你的應用程序的身份驗證/授權工作流程知之甚少,無法對此提供一個很好的答案。 至少這應該有助於知道從授權屬性中的何處找到標頭值。

解決方案2
 0 已采納  2021-04-26 14:16:29

正如布萊爾·艾倫 (Blair Allen) 難過的那樣,有更好的方法來做我想做的事。 使用 IdentityServer4 生成令牌,只需檢查令牌簽名,無需任何額外請求。 我切換到網絡核心,這是 mvc 客戶端的解決方案:接收令牌並將其保存在 cookie 中。

[HttpPost]
public async Task<IActionResult> Login(LoginViewModel model)
{
    if(!ModelState.IsValid)
    {
        return View(model);
    }

    var tokenResult = await AuthService.LoginUserAsync(model.Email, model.Password);
    if(!tokenResult.IsSuccess)
    {
        ModelState.AddModelError("","Wrong email or password");
        return View(model);

    }

    Response.Cookies.Append("access_token", tokenResult.AccessToken, new CookieOptions(){
        HttpOnly = true,
        SameSite = SameSiteMode.Strict,
        Secure = true
    });

    return RedirectToAction("Index", "Home");

}

然后只需使用

services.AddAuthentication(x =>
{
    x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultForbidScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;

})
.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, config =>
{
    config.Authority = configuration["TokenServerUrl"];
    config.Events = new JwtBearerEvents
    {
        OnMessageReceived = context =>
        {
            var token = context.HttpContext.Request.Cookies["access_token"];
            context.Token = token;
            return Task.CompletedTask;

        },

    };
    config.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = configuration["TokenServerUrl"],
        ValidateLifetime = true,
    };
});

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 Owin Bearer令牌不適用於WebApi 使用 webAPI 承載令牌的 SignalR 身份驗證 OAuth承載令牌不適用於WebApi 在 ASP.NET WebAPI 中檢索不記名令牌 雖然Owin WebAPI Bearer Token通過了 SignalR 獲取服務器上的不記名令牌 從承載令牌中獲取信息 通過提供代理令牌處理來自webapi的長持有令牌 未使用IdentityServer3承載令牌調用We​​bAPI授權屬性 Blazor WebAssembly 調用受保護的 WebAPI 方法並中繼不記名令牌
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM