本文介绍了验证访问令牌 - Asp.Net身份的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我使用ASP.Net身份来实现外部登录。用户与谷歌在登录后,我得到谷歌的外部访问令牌。然后,我做的第二API调用来这。换一个新的地方之一外部访问令牌

I'm using ASP.Net Identity to implement external logins. After user logins in with Google I get google's external access token. I then make a second api call to ObtainLocalAccessToken() which trades the external access token for a new local one.

ObtainLocalAccessToken()来电的它通过手动使HTTP调用和分析与供应商核实外部访问令牌user_ID的。

ObtainLocalAccessToken() calls VerifyExternalAccessToken() which verifies the external access token with the provider by manually making http calls and parsing the user_id.

我如何利用ASP​​.NET的身份以消除整个方法 VerifyExternalAccessToken()

How can I leverage ASP.NET identity to remove the entire method VerifyExternalAccessToken()?

我相信这就是 [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] 是不是吗?我想装饰 ObtainLocalAccessToken()端点与属性,并在头(发送external_access_token {'授权':'承载XXX'} ),它应该填充 User.Identity 无需手动验证外部访问令牌?我相信这是目的,但是我不能让它工作。我从谷歌发送一个有效的外部访问令牌,它得到一个401拒绝

I believe that's what [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] is for isn't it? I want to decorate ObtainLocalAccessToken() endpoint with that attribute and send the external_access_token in the header ({'Authorization' : 'Bearer xxx' }), and it should populate User.Identity without needing to manually verify the external access token? I believe that’s the purpose, however I cannot get it working. I send a valid external access token from google and it gets rejected with a 401.

我顺便说一句这一行Startup.Auth:

I have this line in Startup.Auth btw:

 app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(),
            AuthorizeEndpointPath = new PathString("/AccountApi/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            AllowInsecureHttp = true
        });



另外,也可以使用/令牌端点贸易的外部访问令牌为本地一?它的做法是正确的?

Alternatively, it is possible to use "/Token" endpoint to trade an external access token for a local one? Which approach is correct?

推荐答案

由Taiseer Joudeh研究实施

Studying the implementation by Taiseer Joudeh

/ ExternalLogin 端点替换 OWIN鉴权

AngularJS 的LoginController 使得到的外部身份验证的用户没有在身份提供者被发现时:

The AngularJS LoginController makes a call to the authService.obtainAccessToken when an externally authenticated user has not been found in Identity Provider:

        if (fragment.haslocalaccount == 'False') {
           ...
        }

        else {
            //Obtain access token and redirect to orders
            var externalData = { provider: fragment.provider,
                      externalAccessToken: fragment.external_access_token };
            authService.obtainAccessToken(externalData).then(function (response) {

                $location.path('/orders');

它使用的以对进行反向查找的谷歌的Facebook 的API来获得信息权利的承载令牌。

It uses the VerifyExternalAccessToken to perform a reverse lookup against Google and Facebook API's to get claim info for the bearer token.

        if (provider == "Facebook")
        {
            var appToken = "xxxxxx";
            verifyTokenEndPoint = string.Format("https://graph.facebook.com/debug_token?input_token={0}&access_token={1}", accessToken, appToken);
        }
        else if (provider == "Google")
        {
            verifyTokenEndPoint = string.Format("https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={0}", accessToken);
        }
        else
        {
            return null;
        }

如果发现令牌,它返回一个新的 ASP.NET 承载令牌

If token is found, it returns a new ASP.NET bearer token

        var accessTokenResponse = GenerateLocalAccessTokenResponse(user.UserName);

        return Ok(accessTokenResponse);






[HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] OWIN中间件使用的外部承载标记的访问第三方的Cookie和注册一个新帐户(或找到现有的)。


With [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] the OWIN Middleware uses the external bearer token to access the 3rd party's Cookie and Register a new account (Or find existing).

OWIN中间件不能被配置为接受的外部承载标记的而不是局部权力标记。的外部承载标记的仅用于身份验证与注册。

OWIN Middleware cannot be configured to accept external bearer token instead of local authority tokens. External bearer tokens are only used for Authentication and Registration.

这篇关于验证访问令牌 - Asp.Net身份的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-20 08:09