Question

有没有办法在asp.net中手动获取Bearer Token字符串并将其转换为Identity对象？

干杯，阿兹

Answer 1

这是一个非常老的问题，但我认为答案仍然缺失。我可以通过使用以下行来重新生成Principal

var ticket = Startup.OAuthOptions.AccessTokenFormat.Unprotect(accessToken);
var identity = ticket.Identity;

Answer 2

令牌仅包含声明，它仅用于对资源进行身份验证。如果其中一个声明持有用户信息，您可以创建一个身份并将声明分配给它。

public void ValidateBearerToken(OwinContext context)
{
    try
    {
       var tokenHandler = new JwtSecurityTokenHandler();
       byte[] securityKey = GetBytes("some key"); //this should come from a config file

       SecurityToken securityToken;

       var validationParameters = new TokenValidationParameters()
       {
          ValidAudience = "http://localhost:2000", 
          IssuerSigningToken = new BinarySecretSecurityToken(securityKey),
          ValidIssuer = "Self"
       };

       var auth = context.Request.Headers["Authorization"];

       if (!string.IsNullOrWhiteSpace(auth) && auth.Contains("Bearer"))
       {
          var token = auth.Split(' ')[1];

          var principal = tokenHandler.ValidateToken(token, validationParameters, out securityToken);

          context.Request.User = principal;
       }
   }
   catch (Exception ex)
   {
       var message = ex.Message;
   }
}

Answer 3

首先，您需要根据令牌创建一些声明，然后创建ClaimsIdentity并使用它来授权用户。

public ActionResoult Login(string token)
{
    if(_tokenManager.IsValid(token))         
    {
        // optionally you have own user manager which returns roles and user name from token
        // no matter how you store users and roles
        var user=_myUserManager.GetUserRoles(token);

        // user is valid, going to authenticate user for my App
        var ident = new ClaimsIdentity(
            new[] 
            {  
                // adding following 2 claim just for supporting default antiforgery provider
                new Claim(ClaimTypes.NameIdentifier, token),
                new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "ASP.NET Identity", "http://www.w3.org/2001/XMLSchema#string"),

                // an optional claim you could omit this 
                new Claim(ClaimTypes.Name, user.Username),

                // populate assigned user's role form your DB 
                // and add each one as a claim  
                new Claim(ClaimTypes.Role, user.Roles[0]),
                new Claim(ClaimTypes.Role, user.Roles[1]),
                // and so on
            },
            DefaultAuthenticationTypes.ApplicationCookie);

        // Identity is sign in user based on claim don't matter 
        // how you generated it             
        HttpContext.GetOwinContext().Authentication.SignIn(
            new AuthenticationProperties { IsPersistent = false }, ident);

        // auth is succeed, just from a token
        return RedirectToAction("MyAction"); 
    }
    // invalid user        
    ModelState.AddModelError("", "We could not authorize you :(");
    return View();
}

现在您也可以使用Authorize过滤器：

[Authorize]
public ActionResult Foo()
{
}

// since we injected user roles to Identity we could do this as well
[Authorize(Roles="admin")]
public ActionResult Foo()
{
    // since we injected our authentication mechanism to Identity pipeline 
    // we have access current user principal by calling also
    // HttpContext.User
}

另外，我鼓励你从我的github repo中查看Token Based Authentication Sample作为一个非常简单的工作示例。

从承载令牌生成身份

3 个答案: