问题描述

我在我的.NET Web应用程序实现Web API 2服务体系。客户消费的要求是​​纯JavaScript，没有MVC / asp.net。我使用OWIN尽量使每本文。我似乎缺少与后其授权的认证步骤的东西。

I'm implementing a Web API 2 service architecture in my .NET web application. The client consuming the requests is pure javascript, no mvc/asp.net. I'm using OWIN to try to enable token authentication per this article OWIN Bearer Token Authentication with Web API Sample. I seem to be missing something with the authentication step after its authorized.

我的登录如下：

    [HttpPost]
    [AllowAnonymous]
    [Route("api/account/login")]
    public HttpResponseMessage Login(LoginBindingModel login)
    {
        // todo: add auth
        if (login.UserName == "[email protected]" && login.Password == "a")
        {
            var identity = new ClaimsIdentity(Startup.OAuthBearerOptions.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, login.UserName));

            AuthenticationTicket ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
            var currentUtc = new SystemClock().UtcNow;
            ticket.Properties.IssuedUtc = currentUtc;
            ticket.Properties.ExpiresUtc = currentUtc.Add(TimeSpan.FromMinutes(30));

            DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

            return new HttpResponseMessage(HttpStatusCode.OK)
            {
                Content = new ObjectContent<object>(new
                {
                    UserName = login.UserName,
                    AccessToken = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket)
                }, Configuration.Formatters.JsonFormatter)
            };
        }

        return new HttpResponseMessage(HttpStatusCode.BadRequest);
    }

它返回

{
   accessToken: "TsJW9rh1ZgU9CjVWZd_3a855Gmjy6vbkit4yQ8EcBNU1-pSzNA_-_iLuKP3Uw88rSUmjQ7HotkLc78ADh3UHA3o7zd2Ne2PZilG4t3KdldjjO41GEQubG2NsM3ZBHW7uZI8VMDSGEce8rYuqj1XQbZzVv90zjOs4nFngCHHeN3PowR6cDUd8yr3VBLdZnXOYjiiuCF3_XlHGgrxUogkBSQ",
   userName: "[email protected]"
}

然后我尝试设置HTTP头文件承载进一步要求像AngularJS：

Then I try to set the HTTP header Bearer on further requests in AngularJS like:

$http.defaults.headers.common.Bearer = response.accessToken;

一个API，如：

to a API like:

    [HttpGet]
    [Route("api/account/profile")]
    [Authorize]
    public HttpResponseMessage Profile()
    {
        return new HttpResponseMessage(HttpStatusCode.OK)
        {
            Content = new ObjectContent<object>(new
            {
                UserName = User.Identity.Name
            }, Configuration.Formatters.JsonFormatter)
        };
    }

但无论我做什么，这个服务是'非法'。我失去了一些东西在这里？

but no matter what I do this service is 'unauthorized'. Am I missing something here?

推荐答案

与承载设定头'授权'+解决令牌，如：

Resolved by setting header 'Authorization' with Bearer + token like:

$http.defaults.headers.common["Authorization"] = 'Bearer ' + token.accessToken;

这篇关于.NET的Web API 2 OWIN承载令牌认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！