如何在自定义“ AuthenticationHandler”中的“ HandleAuthenticateAsync”和“ HandleChallengeAsync”之间传递对象?

时间:2019-07-10 00:20:26

标签: authentication asp.net-web-api

我无法确定将对象从我的自定义身份验证代码所在的HandleAuthenticateAsync传递到HandleChallengeAsync回调的正确方法,在回调中我处理身份验证失败并设置响应状态代码和身体。

如果身份验证失败,我想返回一个JSON对象,该对象在响应主体中包含有关身份验证失败原因的一些信息。

在我的处理程序代码中,我想使用results方法对HandleChallengeAsync中的某些值进行序列化:

public class ApiKeyAuthenticationHandler : AuthenticationHandler<ApiKeyAuthenticationOptions>
{
    public const string ApiKeyHeaderName = "X-API-KEY";

    public ApiKeyAuthenticationHandler(IOptionsMonitor<ApiKeyAuthenticationOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock) { }

    // The authentication handler that gets call for every request (including `[AllowAnonymous]`
    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        Request.Headers.TryGetValue(Options.ApiKeyHeaderName, out var apiKeyHeaderValues);
        var key = apiKeyHeaderValues.FirstOrDefault();

        var results = await new AuthenticateApiKeyQuery(key).Results();

        if (results.HasErrors())
            return AuthenticateResult.Fail("Useless message that doesn't go anywhere");

        return Success(results.Value);
    }

    // the callback that gets called for any `[Authorize]` actions
    override protected async Task HandleChallengeAsync(AuthenticationProperties properties)
    {
        var errors = new { }; // I want `errors` to come from the `result` object above
        Context.Response.StatusCode = 401;
        Context.Response.ContentType = "application/json";
        var json = Newtonsoft.Json.JsonConvert.SerializeObject(errors);
        await Context.Response.Body.WriteAsync(System.Text.Encoding.UTF8.GetBytes(json));
    }

    // Method that sent up the identity/claim etc
    private AuthenticateResult Success(ApiKey apiKey)
    {
        var claims = new List<Claim>()
        {
            new Claim(ClaimTypes.NameIdentifier, apiKey.ID.ToString()),
            new Claim(ClaimTypes.Name, apiKey.Description),
        };

        var identity = new ClaimsIdentity(claims, Options.AuthenticationType);
        var identities = new List<ClaimsIdentity> { identity };
        var principal = new ClaimsPrincipal(identities);
        var ticket = new AuthenticationTicket(principal, Options.AuthenticationScheme);

        return AuthenticateResult.Success(ticket);
    }

我的最初尝试是使用HandleAuthenticateAsync方法设置401和响应正文。这不起作用,因为还对标记为[AllowAnonymous]的操作运行身份验证处理程序。结果是响应将是401,是序列化的JSON,而不是操作设置的状态和响应。而HandleChallengeAsync仅在身份验证失败且该操作需要授权时才调用。

这不是最容易浏览的代码,但是据我所知,PolicyEvalulator调用AuthenticationHandler,然后调用我的自定义HandleAuthenticateAsync。然后,我返回的AuthenticateResultPolicyEvalulator吞没了,所以我不能用它保存任何值以供以后处理。我还没有弄清楚所谓的自定义HandleChallengeAsync,但是到现在为止AuthenticateResult已经被吞没了。

1 个答案:

答案 0 :(得分:0)

我遇到了类似的问题,身份验证处理程序是瞬态作用域的,您可以在“自定义处理程序”类中声明一个对象类型属性,该属性将在HandleChallengeAsync方法中可用。

相关问题
最新问题