我创建了一个包含MVC5和WebAPI的新Web应用程序。现在我添加了一个新的API-Controller并添加了Authorize-Atribute(System.Web.Http)。 Authorizatin工作正常,返回值。但是,当授权失败时,将返回登录页面和状态200。但是我需要在这种情况下返回错误和状态401。
我尝试过,当我删除app.UseCookieAuthentication时,会返回正确的状态 - 但我需要使用cookie身份验证才能在正常的MVC部分启用身份验证。
当然,我可以覆盖Authorization属性来抑制this solution中建议的表单重定向,但我想这不是正确的方法,因为存在2个authorizeattributes和很多配置内容。
我的启动身份验证:
public void ConfigureAuth(IAppBuilder app)
{
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager,
ApplicationUser>(TimeSpan.FromMinutes(30),
(manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.UseOAuthBearerTokens( new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/api/Account/Token"),
Provider = new SimpleAuthorizationServerProvider(),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
AllowInsecureHttp = true,
});
}
我的oauth提供者:
public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
// Resource owner password credentials does not provide a client ID.
if (context.ClientId == null)
{
context.Validated();
}
return Task.FromResult<object>(null);
}
public override Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
{
if (context.ClientId == "self")
{
Uri expectedRootUri = new Uri(context.Request.Uri, "/");
if (expectedRootUri.AbsoluteUri == context.RedirectUri)
{
context.Validated();
}
}
return Task.FromResult<object>(null);
}
public override Task TokenEndpoint(OAuthTokenEndpointContext context)
{
foreach (KeyValuePair<string, string> property in context.Properties.Dictionary)
{
context.AdditionalResponseParameters.Add(property.Key, property.Value);
}
return Task.FromResult<object>(null);
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
var info = await userManager.FindAsync(context.UserName, context.Password);
if (info == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
var oAuthIdentity = await userManager.CreateIdentityAsync(info, context.Options.AuthenticationType);
var cookiesIdentity = await userManager.CreateIdentityAsync(info, CookieAuthenticationDefaults.AuthenticationType);
var properties = new AuthenticationProperties(new Dictionary<string, string> {
{ "userName", info.UserName }
});
var ticket = new AuthenticationTicket(oAuthIdentity, properties);
context.Validated(ticket);
context.Request.Context.Authentication.SignIn(cookiesIdentity);
}
}
答案 0 :(得分:0)
您可以覆盖302 Response:
var c = new CookieAuthenticationOptions;
// Make ASP.NET give us the 302 redirect when cookie is missing/broke
c.AutomaticChallenge = true;
c.Events = new CookieAuthenticationEvents
{
// Override the 302 redirection with the 401 we actually want
OnRedirectToLogin = context =>
{
context.Response.StatusCode = 401;
return Task.FromResult(0); ;
}
};
这是一个令人不快的黑客行为,它有效,但是I'd love to know a better way of making the built in authentication middleware work as expected。