OAuth承载令牌无效

时间:2015-05-20 09:26:17

标签: c# asp.net-web-api oauth owin bearer-token

我有一个auth-provider的最小设置,它设置了claim-identity 

public class SimpleAuthorizationProvider : OAuthAuthorizationServerProvider
{
    public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (context.UserName != context.Password)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim("sub", context.UserName));
        identity.AddClaim(new Claim("role", "user"));

        context.Validated(identity);
    }
}

我正在尝试访问hello-world-api,这会导致未经授权的访问错误。

public class HelloWorldApiController : ApiController
{

    [HttpGet]
    [Route("api/hello")]
    //[AllowAnonymous]
    [Authorize]
    public HttpResponseMessage FetchAllEnum()
    {
        return Request.CreateResponse(HttpStatusCode.OK, "Hello World!!!");
    }
}

但我获得了上述API的401 /未经授权的访问权限。我确实将持有者令牌返回到web-api,我也将其作为Bearer ABCD****传递给服务器。我确实看到在Visual Studio中调试时设置了授权标头。

如果我调试AuthorizeAttribute,我的user.Identity.IsAuthenticatedfalse,这实际上是导致问题的原因。 但鉴于我确实看到了授权标头集并且我在OAuthProvider中设置了声明详细信息,为什么AuthorizeAttribute没有读取该信息呢?

注意:这是一个Web API项目,因此没有对MVC AuthorizeAttribute的引用。

这是OWIN设置:

public static class WebApiConfig
{
    public static HttpConfiguration Register()
    {
        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        //config.SuppressDefaultHostAuthentication(); //tried with/without this line
        config.Filters.Add(new AuthorizeAttribute());
        config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*"));
        return config;
    }
}

public class OwinConfiguration
{
    // ReSharper disable once UnusedMember.Local
    public void Configuration(IAppBuilder app)
    {
        ConfigureOAuth(app);
        app.UseCors(CorsOptions.AllowAll);
        app.UseWebApi(WebApiConfig.Register());
    }

    private void ConfigureOAuth(IAppBuilder app)
    {
        var options = new OAuthAuthorizationServerOptions
        {
            AllowInsecureHttp = true,
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60),
            Provider = new SimpleAuthorizationProvider()
        };

        app.UseOAuthAuthorizationServer(options);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

2 个答案:

答案 0 :(得分:5)

使其工作config.Filters.Add(new HostAuthenticationAttribute("bearer"));需要添加此行beofre authorize属性... 

public static HttpConfiguration Register()
{
    var config = new HttpConfiguration();
    config.MapHttpAttributeRoutes();

    config.Filters.Add(new HostAuthenticationAttribute("bearer")); //added this
    config.Filters.Add(new AuthorizeAttribute());
    config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*"));
    return config;
}

答案 1 :(得分:1)

另一个可行的解决方案是不使用HostAuthenticationAttribute,而是将OWIN过滤器设置为Active过滤器,如下所示:

var bearerOptions = new OAuthBearerAuthenticationOptions
{
    AccessTokenFormat = new JwtFormat(validationParameters),
    AuthenticationMode = AuthenticationMode.Active,
};
相关问题
最新问题