我已经将Web API c#应用程序与Swagger集成在一起。我已经实现了AAD身份验证,可以正常工作。现在,我想添加Google身份验证。我已经完成了如下代码。
SwaggerConfig.cs
c.OAuth2("oauth2")
.Description("Google Auth")
.Flow("implicit")
.AuthorizationUrl($"https://accounts.google.com/o/oauth2/v2/auth")
.Scopes(scopes => scopes.Add("openid", "Sign you in permission"));
Startup.cs
app.UseExternalSignInCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);
googleAuthOptions = new GoogleOAuth2AuthenticationOptions()
{
ClientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
ClientSecret = "xxxxxxxxxxxxxxxxxxxx",
};
app.UseGoogleAuthentication(googleAuthOptions);
我从google登录屏幕获得了授权,并成功重定向回了用户界面。但是,当我尝试访问任何方法时,即使有承载令牌,也会出现401未经授权的错误。
After authenticating with google
我知道我还没有足够的知识,所以还没有在Startup.cs文件中验证访问令牌。我已经阅读了几篇关于复杂实现的文章,但我想以最简单的方式实现。以下代码适用于AAD,无需进行任何进一步的代码验证。
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new Microsoft.Owin.Security.ActiveDirectory.WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = Settings.AzureADTenant,
TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
ValidAudiences = new string[] { Settings.AzureADAudience, Settings.AzureAppURI },
ValidIssuers = new string[] {
$"https://sts.windows.net/{Settings.AzureADTenant}/",
$"https://login.microsoftonline.com/{Settings.AzureADTenant}/v2.0"
}
}
});
答案 0 :(得分:0)
您获得的令牌是访问令牌,问题是 swagger 默认使用 response_type 参数作为令牌而不是令牌 id_token 发出令牌请求。
您可以按照以下步骤从 swagger 使用 google 进行身份验证:
在你的wwwroot文件夹(如果没有,可以自己创建),创建一个JS文件,内容如下
window.swaggerUiAuth = window.swaggerUiAuth || {};
window.swaggerUiAuth.tokenName = 'id_token';
if (!window.isOpenReplaced) {
window.open = function (open) {
return function (url) {
url = url.replace('response_type=token', 'response_type=token id_token');
return open.call(window, url);
};
}(window.open);
window.isOpenReplaced = true;
}
完成后,在您的 Configure 方法中添加以下内容:
app.UseSwaggerUI(c =>
{
//your additional stuff...
c.OAuthAdditionalQueryStringParams(new Dictionary<string, string> {{ "nonce", "anyNonceStringHere" }});
c.OAuthClientId(this.oauth2Config.ClientId);
c.InjectJavascript("YourJustCreatedJSFileName.js");
});
现在在您的 AddSwaggerGen 构建器中,添加安全定义和安全要求。 (您可以将其拆分为多个方法,以使其更简洁)。
//in your ConfigureServices
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new OpenApiInfo { Title = "wellship_svc_app", Version = "v1" });
this.AddSwaggerOAuth2Configuration(c);
});
在您的启动类中创建此私有方法。请注意使用 id_token 而不是访问令牌的安全方案中的 extensions 属性。
private void AddSwaggerOAuth2Configuration(SwaggerGenOptions swaggerGenOptions)
{
var securityScheme = new OpenApiSecurityScheme
{
Name = "Authorization",
In = ParameterLocation.Header,
Type = SecuritySchemeType.OAuth2,
Flows = new OpenApiOAuthFlows()
{
Implicit = new OpenApiOAuthFlow()
{
AuthorizationUrl = new Uri("https://accounts.google.com/o/oauth2/v2/auth"),
Scopes = new Dictionary<string, string> {{"email", "email"}, {"profile", "profile"}}
}
},
Extensions = new Dictionary<string, IOpenApiExtension>
{
{"x-tokenName", new OpenApiString("id_token")}
},
};
swaggerGenOptions.AddSecurityDefinition("Bearer", securityScheme) ;
var securityRequirements = new OpenApiSecurityRequirement
{
{
new OpenApiSecurityScheme
{
Reference = new OpenApiReference
{
Type = ReferenceType.SecurityScheme,
Id = "Bearer"
}
},
new List<string> {"email", "profile"}
}
};
swaggerGenOptions.AddSecurityRequirement(securityRequirements);
}
public class GoogleTokenValidator : ISecurityTokenValidator
{
private readonly JwtSecurityTokenHandler _tokenHandler;
public GoogleTokenValidator()
{
_tokenHandler = new JwtSecurityTokenHandler();
}
public bool CanValidateToken => true;
public int MaximumTokenSizeInBytes { get; set; } = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
public bool CanReadToken(string securityToken)
{
return _tokenHandler.CanReadToken(securityToken);
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
validatedToken = null;
var payload = GoogleJsonWebSignature.ValidateAsync(securityToken, new GoogleJsonWebSignature.ValidationSettings()).Result;
var claims = new List<Claim>
{
new(ClaimTypes.NameIdentifier, payload.Name),
new (ClaimTypes.Name, payload.Name),
new (JwtRegisteredClaimNames.FamilyName, payload.FamilyName),
new (JwtRegisteredClaimNames.GivenName, payload.GivenName),
new (JwtRegisteredClaimNames.Email, payload.Email),
new (JwtRegisteredClaimNames.Sub, payload.Subject),
new (JwtRegisteredClaimNames.Iss, payload.Issuer)
};
try
{
var principle = new ClaimsPrincipal();
principle.AddIdentity(new ClaimsIdentity(claims, JwtBearerDefaults.AuthenticationScheme));
return principle;
}
catch (Exception e)
{
Console.WriteLine(e);
throw;
}
}
}
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o =>
{
o.IncludeErrorDetails = true;
o.SecurityTokenValidators.Clear();
o.SecurityTokenValidators.Add(new GoogleTokenValidator());
});