自定义OAuth2服务器返回401 - Unathorized

时间:2015-07-16 08:13:16

标签: c#-4.0 asp.net-web-api oauth-2.0 owin

我正在尝试使用支持资源所有者密码凭据流的自定义OAuth2授权服务器。授权服务器是IIS7.5中托管的WebAPI应用程序。

我已经配置了启动类,我注册了自定义OAuthServerProvider(AtcAuthorizationServerProvider)。

[assembly: OwinStartup(typeof(ATC.WebApi.AuthorizationServer.Startup))]

namespace ATC.WebApi.AuthorizationServer
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureOAuth(app);

            HttpConfiguration config = new HttpConfiguration();
            WebApiConfig.Register(config);
            app.UseWebApi(config);

            app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
        }

        public void ConfigureOAuth(IAppBuilder app)
        {
            OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
            {
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
                Provider = new AtcAuthorizationServerProvider(),
                RefreshTokenProvider = new AtcRefreshTokenProvider(),
                AuthenticationMode = AuthenticationMode.Passive
            };

            // Token Generation
            app.UseOAuthAuthorizationServer(OAuthServerOptions);
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions(){});
        }
    }
}

在我的自定义提供程序类中,我重写了ValidateClientAuthentication()函数,我接受两种客户端凭据接收方式(在Body和Authorization标头中)。

public class AtcAuthorizationServerProvider : OAuthAuthorizationServerProvider
    {
        public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            string clientId = string.Empty;
            string clientSecret = string.Empty;

            // get client credentials from header or from body
            if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            {
                context.TryGetFormCredentials(out clientId, out clientSecret);
            }
//rest of code

当我在body中发送client_id和client_secret时,一切正常。

POST /ATC.WebApi.AuthorizationServer/token HTTP/1.1
Host: localhost
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=password&password=123456&username=myUser&client_id=myClient&client_secret=123%40abc

我成功获得了访问令牌。

{
  "access_token": "3Fk_Ps10i45uL0zeCzIpvEh2WHKE8iJVNtKJ2XGWcQWXsT9jllKf...",
  "token_type": "bearer",
  "expires_in": 1799,
  "refresh_token": "4c1097d17dd14df5ac1c5842e089a88e",
  "as:client_id": "myClient"
}

但是,如果我使用在Authorization标头中传递client_id和client_secret的DotNetOpenAuth.OAuth2.WebServerClient,我将收到 401.1 - 未经授权的 HTTP响应。我发现不会触发ValidateClientAuthentication()。

请求比看起来像这样:

POST /ATC.WebApi.AuthorizationServer/token HTTP/1.1
Host: localhost
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic C16b34lUjEyM0BhYmM=
Cache-Control: no-cache

grant_type=password&password=123456&username=myUser

问题是如何说服OWIN中间件在这种情况下解雇我的自定义提供程序?

1 个答案:

答案 0 :(得分:0)

嗯,我终于找到了麻烦的地方。我的IIS中允许进行基本身份验证,因此IIS收到请求并尝试验证用户失败并且IIS立即返回401 Unauthorized。所以我的OWIN中间件甚至没有收到处理请求。

相关问题
最新问题