我有3个应用程序; OAuth 2.0身份验证服务器,用于生成令牌,OAuth客户端请求令牌,OAuth资源服务器提供Restful API。这些都是MVC 3 Web应用程序。 我的问题是如何验证从客户端到达OAuth资源服务器的访问令牌? 例如,OAuth客户端收到来自具有访问令牌的OAuth服务器的响应。然后客户端将此令牌添加到标头中,然后向OAuth资源服务器发出请求以调用API函数之一。 即使我可以在标头[身份验证]中看到访问令牌,我找不到验证此令牌的方法。 因为我使用MVC3通过Area设计Restful API,所以我不能使用与SOAP web服务一起使用的下面的函数。
private static IPrincipal VerifyOAuth2(HttpRequestMessageProperty httpDetails, Uri requestUri, params string[] requiredScopes) {
// for this sample where the auth server and resource server are the same site,
// we use the same public/private key.
using (var signing = PixidoRest.MvcApplication.CreateAuthorizationServerSigningServiceProvider())
{
using (var encrypting = PixidoRest.MvcApplication.CreateResourceServerEncryptionServiceProvider())
{
var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(signing, encrypting));
return resourceServer.GetPrincipal(httpDetails, requestUri, requiredScopes);
}
}
}
因为我无法路径“HttpRequestMessageProperty”,所以我被困在那里验证我从客户端收到的AccesToken。如何在MVC 3 Restful API应用程序上验证这作为OAuth客户端的资源服务器?
以下是我的其他代码:
internal static RSACryptoServiceProvider CreateResourceServerEncryptionServiceProvider()
{
var resourceServerEncryptionServiceProvider = new RSACryptoServiceProvider();
resourceServerEncryptionServiceProvider.ImportParameters(ResourceServerEncryptionPrivateKey);
return resourceServerEncryptionServiceProvider;
}
/// <summary>
/// Creates the crypto service provider for the authorization server that contains the public key used to verify an access token signature.
/// </summary>
/// <returns>An RSA crypto service provider.</returns>
internal static RSACryptoServiceProvider CreateAuthorizationServerSigningServiceProvider()
{
var authorizationServerSigningServiceProvider = new RSACryptoServiceProvider();
authorizationServerSigningServiceProvider.ImportParameters(AuthorizationServerSigningPublicKey);
return authorizationServerSigningServiceProvider;
}
public class RequireAuthorization : ActionFilterAttribute
{
public string Scope { get; set; }
public override void OnActionExecuting(ActionExecutingContext actionContext)
{
string[] scope = null;
if (!string.IsNullOrEmpty(Scope))
{
scope = Scope.Split(new[] { "," }, StringSplitOptions.RemoveEmptyEntries);
}
var query = actionContext.RequestContext.HttpContext.Request;
var req = actionContext.HttpContext;
var authvalue = query.Headers["Authorization"];
OAuthAuthorizationManager.VerifyOAuth2(query, query.Url.AbsoluteUri);
//var response = new HttpResponseMessageProperty()
//{
//here is my question.
//};
base.OnActionExecuting(actionContext);
//redirect page to
//if (CheckUrCondition)
//{
//actionContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new
//{
// controller = "Home",
// action = "Index"
//}));
////}
}
提前致谢。
答案 0 :(得分:3)
我遇到了同样的问题,并提出了以下自定义Authorize属性,它对我有用。请注意,我的示例依赖于使用依赖注入注入的ResourceServer属性。当然,您也可以将它指向静态实例。
using System;
using System.Threading;
using System.Web;
using System.Web.Mvc;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OAuth2;
/// <summary>
/// Allows authorization to be applied to ASP.NET MVC methods where OAuth is used as the authorization mechanism.
/// </summary>
public class OAuthAuthorizeAttribute : AuthorizeAttribute
{
/// <summary>
/// Gets or sets the resource server that will be used to process the access token
/// that will be used to authorized.
/// </summary>
/// <value>
/// The resource server.
/// </value>
/// <remarks>
/// This property will most likely be set using dependency-injection.
/// </remarks>
public ResourceServer ResourceServer { get; set; }
/// <summary>
/// Gets or sets the scopes.
/// </summary>
/// <value>
/// The required scopes.
/// </value>
/// <remarks>
/// Multiple scopes can be used by separating them with spaces.
/// </remarks>
public string Scopes { get; set; }
/// <summary>
/// When overridden, provides an entry point for custom authorization checks.
/// </summary>
/// <param name="httpContext">The HTTP context, which encapsulates all HTTP-specific information about an individual HTTP request.</param>
/// <returns>
/// true if the user is authorized; otherwise, false.
/// </returns>
/// <exception cref="System.InvalidOperationException">Thrown when the <see cref="ResourceServer"/> property is <c>null</c>.</exception>
/// <exception cref="System.InvalidOperationException">Thrown when the <see cref="Scopes"/> property is <c>null</c>.</exception>
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (this.ResourceServer == null)
{
throw new InvalidOperationException("The ResourceServer property must not be null.");
}
try
{
this.StorePrincipalFromAccessToken(httpContext);
return this.AccessTokenIsAuthorizedForRequestedScopes();
}
catch (ProtocolException)
{
return false;
}
}
/// <summary>
/// Processes HTTP requests that fail authorization.
/// </summary>
/// <param name="filterContext">Encapsulates the information for using <see cref="T:System.Web.Mvc.AuthorizeAttribute" />. The <paramref name="filterContext" /> object contains the controller, HTTP context, request context, action result, and route data.</param>
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
filterContext.Result = new HttpUnauthorizedResult();
}
/// <summary>
/// Stores the principal contained in the current access token.
/// </summary>
/// <param name="httpContext">The HTTP context.</param>
protected virtual void StorePrincipalFromAccessToken(HttpContextBase httpContext)
{
httpContext.User = this.ResourceServer.GetPrincipal();
Thread.CurrentPrincipal = httpContext.User;
}
/// <summary>
/// Check if the access token provided is authorized for the requested scopes.
/// </summary>
/// <returns></returns>
protected virtual bool AccessTokenIsAuthorizedForRequestedScopes()
{
return OAuthUtilities.SplitScopes(this.Scopes ?? string.Empty).IsSubsetOf(this.ResourceServer.GetAccessToken().Scope);
}
}
您现在可以按如下方式使用此属性:
using System.Web.Mvc;
public class DemoController : Controller
{
[OAuthAuthorize(Scopes = "public")]
public ActionResult Index()
{
return this.View();
}
}