在为ASP.NET Identity 2.0连接OAUTH时如何从数据库中提取用户角色?

时间:2019-01-14 19:24:17

标签: c# asp.net asp.net-identity asp.net-roles

我正在使用某些Web API,并且承担了使用ASP.NET Identity 2.0向某些端点添加基于角色的授权的任务。

我已经创建了一个用于管理用户和角色的基于API的管理结构,并且在尝试使用OAUTH Bearer令牌实现授权/身份验证时遇到了难题。

(注意,我读到JWT更好用,并且使提供用户数据更简单,但要求使用普通OAUTH)

至此,我到目前为止所掌握的代码,包括症结所在:

Startup.cs:

private static void ConfigureOAuthTokenGeneration(IAppBuilder app)
{
    // Configure the db context, user manager and role manager to use a single instance per request
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);

    // Create the options for the token authorization
    var oauthAuthorizationServerOptions = new OAuthAuthorizationServerOptions
    {
        AllowInsecureHttp = true,
        TokenEndpointPath = new PathString("/token"),
        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(1),
        Provider = new SimpleAuthorizationServerProvider()
    };

    // Token Generation
    app.UseOAuthAuthorizationServer(oauthAuthorizationServerOptions);
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}

SimpleAuthorizationServerProvider.cs:

public sealed class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // We are not validating clients at this point, simply "resource owners" i.e. user / pass combos
        context.Validated();
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        using (var repo = new AuthorizationRepository())
        {
            var user = repo.FindUser(context.UserName, context.Password);

            if (user == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");

                return;
            }
        }

        // How do you pull the user data (including roles) from the database here, and place into a claim for API consumption??
    }
}

以下是我在网上找到的内容,但这只会为用户创建一个默认角色(或角色列表):

var identity = new ClaimsIdentity(context.Options.AuthenticationType);

identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, "admin"));
identity.AddClaim(new Claim("sub", context.UserName));

context.Validated(identity);

上面的代码是一个问题,因为它将验证用户,然后在生成的令牌中为每个用户分配admin角色!

任何帮助将不胜感激,谢谢您的帮助!

1 个答案:

答案 0 :(得分:1)

问题是您没有从ApplicationUserManager提出索赔,这可能会给您带来很多负担。此外,您只是在设置通用的ClaimsIdentity,正如您已经指出的那样,它将始终为所有用户返回相同的角色集。

GrantResourceOwnerCredentials()中,您想要做的是:

//
// Get an instance of the ApplicationUserManager that you've already registered
// with OWIN
//
var mgr = context.OwinContext.GetUserManager<ApplicationUserManager>();

//
// Have the ApplicationUserManager build your ClaimsIdentity instead
//
var identity = await mgr.CreateIdentityAsync(user, 
                                             context.Options.AuthenticationType);

//
// Then here, you could add other application-specific claims if you wanted to.