我有一个现有的授权服务器,该服务器使用OAuth2发行JWT令牌。我尚未创建使用Auth Server检索令牌并验证请求的新资源服务。在资源服务器中,我已将控制器标记为Authorize属性,而我遇到的问题是,即使在Startup.cs中指定了Auth Service Url,当我对Resource进行调用时,我仍然会收到401状态代码服务。问题是,对于在Auth Service上具有要在API调用上进行身份验证并检索令牌的用户帐户的第三方供应商,正确的方法是什么?他们是否应该首先调用Auth Service来获取令牌,然后再在Header中调用带有令牌的资源服务。请参见下面的代码:
Startup.cs
private void ConfigureOAuth(IAppBuilder app)
{
ISettings settings = new Settings();
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { "allowclientId" },
IssuerSecurityKeyProviders = new IIssuerSecurityKeyProvider[]
{
new SymmetricKeyIssuerSecurityKeyProvider("issuerUrl", TextEncodings.Base64Url.Decode("clientSecret"))
}
});
}
BusinessController.cs
[Authorize]
[Route("api/business")]
public class BusinessController
: ApiController
{
private readonly IBusinessService _businessService;
#region Ctor
public BusinessController(IBusinessService businessService)
{
_businessService = businessService;
}
#endregion
/// <summary>
/// Retrieve a list of businesses
/// </summary>
/// <returns>Response</returns>
[HttpGet]
public IHttpActionResult Get()
{
var response = _businessService.Get();
return Ok(response);
}