加密和解密FormsAuthenticationTicket以对用户进行身份验证

时间:2013-03-14 17:25:26

标签: asp.net asp.net-mvc asp.net-mvc-4 forms-authentication httpmodule

我正在尝试创建自己的身份验证机制,该机制依赖于FormsAuthentication。我基本上使用OAuth来允许用户在授权服务器中进行身份验证,一旦进行身份验证,我需要使用FormsAuthentication在整个会话中对它们进行身份验证。所以无论如何,我创建了一个HttpModule和一个帮助类来使这个工作。不幸的是,事实并非如此。

PostAuthenticateRequest上发生的情况是,我加密了故障单并在响应中添加了cookie,然后将用户重定向到网站的根目录。重新定向用户后,将发出另一个HTTP请求,以便再次触发HttpModule,并在AuthenticateRequest事件上检查此用户是否已通过身份验证。为了检查用户是否经过身份验证,我正在尝试读取cookie,从中获取用户名,然后设置Thread.CurrentPrincipal属性。但是,由于某种原因,无法找到cookie。

这是我的代码:

public class OAuthModule : IHttpModule
{
    private const String USERNAME = "username";

    public void Dispose()
    {
    }

    public void Init(HttpApplication context)
    {
        context.AuthenticateRequest += context_AuthenticateRequest;
        context.PostAuthenticateRequest += context_PostAuthenticateRequest;
    }

    void context_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var application = sender as HttpApplication;
        if (application != null)
        {
            String username = application.Context.Items[USERNAME].ToString();
            String uri = RemoveQueryStringFromUri(application.Context.Request.Url.AbsoluteUri);
            var cookie = IdentityHelper.GetEncryptedFormsAuthenticationCookie(username, uri);
            application.Context.Response.Cookies.Add(cookie);

            application.Context.Response.Redirect(uri);
        }
    }

    void context_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication application = sender as HttpApplication;
        if (sender != null)
        {
            if (!application.Context.Request.Url.AbsolutePath.Contains("."))
            {
                if (!IdentityHelper.IsAuthenticated)
                {
                    HttpContextWrapper wrapper = new HttpContextWrapper(application.Context);
                    String clientId = WebConfigurationManager.AppSettings["ClientId"];
                    String clientSecret = WebConfigurationManager.AppSettings["ClientSecret"];
                    String authorizationServerAddress = WebConfigurationManager.AppSettings["AuthorizationServerAddress"];
                    var client = OAuthClientFactory.CreateWebServerClient(clientId, clientSecret, authorizationServerAddress);
                    if (String.IsNullOrEmpty(application.Context.Request.QueryString["code"]))
                    {
                        InitAuthentication(wrapper, client);
                    }
                    else
                    {
                        OnAuthCallback(wrapper, client);
                    }
                }
            }
        }
    }


    private void InitAuthentication(HttpContextWrapper context, WebServerClient client)
    {
        var state = new AuthorizationState();
        var uri = context.Request.Url.AbsoluteUri;
        uri = RemoveQueryStringFromUri(uri);
        state.Callback = new Uri(uri);
        var address = "https://localhost";
        state.Scope.Add(address);

        OutgoingWebResponse outgoingWebResponse =  client.PrepareRequestUserAuthorization(state);
        outgoingWebResponse.Respond(context);
    }

    private void OnAuthCallback(HttpContextWrapper context, WebServerClient client)
    {
        try
        {
            IAuthorizationState authorizationState = client.ProcessUserAuthorization(context.Request);
            AccessToken accessToken = AccessTokenSerializer.Deserialize(authorizationState.AccessToken);
            String username = accessToken.User;
            context.Items[USERNAME] = username;                
        }
        catch (ProtocolException e)
        {
            EventLog.WriteEntry("OAuth Client", e.InnerException.Message);
        }
    }

    private String RemoveQueryStringFromUri(String uri)
    {
        int index = uri.IndexOf('?');
        if (index > -1)
        {
            uri = uri.Substring(0, index);
        }
        return uri;
    }
}


public class IdentityHelper
{
    public static Boolean IsAuthenticated
    {
        get
        {
            String username = DecryptFormsAuthenticationCookie();
            if (!String.IsNullOrEmpty(username))
            {
                SetIdentity(username);
                return Thread.CurrentPrincipal.Identity.IsAuthenticated;
            }
            return false;
        }
    }

    private static String DecryptFormsAuthenticationCookie() 
    {
        var cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie != null)
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return ticket.UserData;
        }
        return String.Empty;
    }

    internal static HttpCookie GetEncryptedFormsAuthenticationCookie(String username, String domain)
    {
        var expires = DateTime.Now.AddMinutes(30);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, username, DateTime.Now, expires, true, username, FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName);
        cookie.Value = FormsAuthentication.Encrypt(ticket);
        cookie.Domain = domain;
        cookie.Expires = expires;
        return cookie;
    }

    private static void SetIdentity(String username)
    {
        ClaimsIdentity claimsIdentity = new ClaimsIdentity(new List<Claim> { new Claim(ClaimTypes.Name, username) });
        var principal = new ClaimsPrincipal(claimsIdentity);
        Thread.CurrentPrincipal = principal;
    }
}

我哪里出错了?有什么想法吗?

1 个答案:

答案 0 :(得分:0)

好的,所以我终于解决了。它很简单如下:

application.Context.Response.Redirect(uri, false);

我需要告诉模块不要杀死当前的响应(因此false),这样它就会在即将到来的请求中保留cookie。