Asp.net web api 使用OWIN和IIS主机在Web Api操作方法中生成访问令牌


I am trying to generate a token inside a Web API action method, based on the following code:

private JObject GeneratePaymentTokenResponse(string email, bool rememberMe)
{
    //var tokenExpiration = rememberMe ? TimeSpan.FromDays(14) : TimeSpan.FromMinutes(30);
    var tokenExpiration = rememberMe ? TimeSpan.FromMinutes(30) : TimeSpan.FromMinutes(5);

    ClaimsIdentity identity = new ClaimsIdentity("CustomType", ClaimTypes.Email, ClaimTypes.Role);
    identity.AddClaim(new Claim(ClaimTypes.Email, email));

    var props = new AuthenticationProperties()
    {
        IssuedUtc = DateTime.UtcNow,
        ExpiresUtc = DateTime.UtcNow.Add(tokenExpiration)
    };

    var ticket = new AuthenticationTicket(identity, props);

    var accessToken = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);

    JObject tokenResponse = new JObject(
        new JProperty("email", email),
        new JProperty("customToken", accessToken),
        new JProperty("expiresIn", tokenExpiration.TotalSeconds),
        new JProperty("issuedUtc", ticket.Properties.IssuedUtc),
        new JProperty("expiresUtc", ticket.Properties.ExpiresUtc)
    );

    return tokenResponse;
}
The OAuthBearerOptions object comes from the Startup class, as shown below:

public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }

OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
// Token Consumption (Resource Server)
app.UseOAuthBearerAuthentication(OAuthBearerOptions);
Now, when I pass a valid but already expired access token and call AccessTokenFormat.Unprotect, as in the code below:

Microsoft.Owin.Security.AuthenticationTicket ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(paymentToken);

if ((ticket == null) || (!ticket.Identity.IsAuthenticated))
{
    actionContext.Response = CreateForbiddenResponse(actionContext);
    return Task.FromResult<object>(null);
}
I get a valid ticket back, and ticket.Identity.IsAuthenticated is true even though the token has expired.

I am currently using the latest version of Microsoft.Owin.Security (3.0.1).

I would appreciate it if you could tell me how to enforce the validity period of this token.

I get a valid ticket back, and ticket.Identity.IsAuthenticated is true even though the token has expired.

This is entirely by design: Unprotect returns a ticket with a valid ClaimsIdentity even when that ticket has expired. Since ClaimsIdentity.IsAuthenticated only checks that the ClaimsIdentity.AuthenticationType property is not null, it is not a reliable way to make sure the ticket has not expired.

In practice, it is up to you to determine whether the ticket is still valid and to return an error if necessary (which is exactly what the bearer middleware does internally when it receives an access token):

if (ticket.Properties.ExpiresUtc.HasValue &&
    ticket.Properties.ExpiresUtc.Value < DateTimeOffset.Now)
{
    return Task.FromResult<object>(null);
}
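To show the answer's point end to end, here is an added example (not code from the question, the answer, or the Katana project) that protects an already-expired ticket, confirms that Unprotect still returns an authenticated identity, and then rejects it with an explicit expiry check. PaymentTokenValidator and Validate are hypothetical names; DpapiDataProtectionProvider and TicketDataFormat stand in for Startup.OAuthBearerOptions.AccessTokenFormat so it runs outside the OWIN pipeline, and the check also rejects tickets that carry no ExpiresUtc at all, which the answer's snippet does not.

```csharp
using System;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;

public static class PaymentTokenValidator
{
    // Returns the identity only if the token unprotects, is authenticated and has not
    // expired at "now" (a parameter so the check can run against a fixed clock); else null.
    public static ClaimsIdentity Validate(
        ISecureDataFormat<AuthenticationTicket> format, string token, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(token)) return null;

        AuthenticationTicket ticket = format.Unprotect(token); // null if tampered or malformed
        if (ticket == null || ticket.Identity == null || !ticket.Identity.IsAuthenticated)
            return null;

        // Unprotect does not enforce ExpiresUtc, so compare it here as the bearer middleware
        // does. A ticket with no expiry is also rejected (stricter than the answer's check).
        DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
        if (!expires.HasValue || expires.Value < now) return null;

        return ticket.Identity;
    }

    public static void Main()
    {
        // Stand-in for Startup.OAuthBearerOptions.AccessTokenFormat so this runs outside the
        // OWIN pipeline; DPAPI only has to round-trip within this process (Windows only).
        var protector = new DpapiDataProtectionProvider("PaymentTokenDemo").Create("PaymentToken");
        var format = new TicketDataFormat(protector);

        var identity = new ClaimsIdentity("CustomType", ClaimTypes.Email, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.Email, "user@example.com")); // constructed sample
        var props = new AuthenticationProperties
        {
            IssuedUtc = DateTimeOffset.UtcNow.AddMinutes(-10),
            ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(-5) // already expired
        };
        string token = format.Protect(new AuthenticationTicket(identity, props));

        // Raw Unprotect still reports an authenticated identity for the expired token;
        // Validate rejects it now but accepts it for a clock inside the token's window.
        Console.WriteLine(format.Unprotect(token).Identity.IsAuthenticated);
        Console.WriteLine(Validate(format, token, DateTimeOffset.UtcNow) == null);
        Console.WriteLine(Validate(format, token, DateTimeOffset.UtcNow.AddMinutes(-7)) != null);
    }
}
```

Inside the filter from the question, the same check would run with Startup.OAuthBearerOptions.AccessTokenFormat and DateTimeOffset.UtcNow, setting the forbidden response whenever Validate returns null.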