问题描述
我使用ASP.Net身份来实现外部登录。用户与谷歌在登录后,我得到谷歌的外部访问令牌。然后,我做的第二API调用来这。换一个新的地方之一外部访问令牌
I'm using ASP.Net Identity to implement external logins. After user logins in with Google I get google's external access token. I then make a second api call to ObtainLocalAccessToken() which trades the external access token for a new local one.
ObtainLocalAccessToken()来电的它通过手动使HTTP调用和分析与供应商核实外部访问令牌user_ID的。
ObtainLocalAccessToken() calls VerifyExternalAccessToken() which verifies the external access token with the provider by manually making http calls and parsing the user_id.
我如何利用ASP.NET的身份以消除整个方法 VerifyExternalAccessToken()?
How can I leverage ASP.NET identity to remove the entire method VerifyExternalAccessToken()?
我相信这就是 [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] 是不是吗?我想装饰 ObtainLocalAccessToken()端点与属性,并在头(发送external_access_token {'授权':'承载XXX'} ),它应该填充 User.Identity 无需手动验证外部访问令牌?我相信这是目的,但是我不能让它工作。我从谷歌发送一个有效的外部访问令牌,它得到一个401拒绝
I believe that's what [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] is for isn't it? I want to decorate ObtainLocalAccessToken() endpoint with that attribute and send the external_access_token in the header ({'Authorization' : 'Bearer xxx' }), and it should populate User.Identity without needing to manually verify the external access token? I believe that’s the purpose, however I cannot get it working. I send a valid external access token from google and it gets rejected with a 401.
我顺便说一句这一行Startup.Auth:
I have this line in Startup.Auth btw:
app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/Token"),
Provider = new ApplicationOAuthProvider(),
AuthorizeEndpointPath = new PathString("/AccountApi/ExternalLogin"),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
AllowInsecureHttp = true
});
另外,也可以使用/令牌端点贸易的外部访问令牌为本地一?它的做法是正确的?
Alternatively, it is possible to use "/Token" endpoint to trade an external access token for a local one? Which approach is correct?
推荐答案
由Taiseer Joudeh研究实施
Studying the implementation by Taiseer Joudeh
/ ExternalLogin 端点替换 OWIN鉴权
AngularJS 的LoginController 使得到的外部身份验证的用户没有在身份提供者被发现时:
The AngularJS LoginController makes a call to the authService.obtainAccessToken when an externally authenticated user has not been found in Identity Provider:
if (fragment.haslocalaccount == 'False') {
...
}
else {
//Obtain access token and redirect to orders
var externalData = { provider: fragment.provider,
externalAccessToken: fragment.external_access_token };
authService.obtainAccessToken(externalData).then(function (response) {
$location.path('/orders');
它使用的的 以对进行反向查找的谷歌和的Facebook 的API来获得信息权利的承载令牌。
It uses the VerifyExternalAccessToken to perform a reverse lookup against Google and Facebook API's to get claim info for the bearer token.
if (provider == "Facebook")
{
var appToken = "xxxxxx";
verifyTokenEndPoint = string.Format("https://graph.facebook.com/debug_token?input_token={0}&access_token={1}", accessToken, appToken);
}
else if (provider == "Google")
{
verifyTokenEndPoint = string.Format("https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={0}", accessToken);
}
else
{
return null;
}
如果发现令牌,它返回一个新的 ASP.NET 承载令牌
If token is found, it returns a new ASP.NET bearer token
var accessTokenResponse = GenerateLocalAccessTokenResponse(user.UserName);
return Ok(accessTokenResponse);
是 [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] 在 OWIN中间件使用的外部承载标记的访问第三方的Cookie和注册一个新帐户(或找到现有的)。
With [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] the OWIN Middleware uses the external bearer token to access the 3rd party's Cookie and Register a new account (Or find existing).
OWIN中间件不能被配置为接受的外部承载标记的而不是局部权力标记。的外部承载标记的仅用于身份验证与注册。
OWIN Middleware cannot be configured to accept external bearer token instead of local authority tokens. External bearer tokens are only used for Authentication and Registration.
这篇关于验证访问令牌 - Asp.Net身份的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!