ASP.NET Web API: generating an access token in a Web API action method using OWIN and the IIS host

Tags: asp.net-web-api, oauth-2.0, asp.net-web-api2, access-token

I am trying to generate a token inside a Web API action method, based on the following code:
private JObject GeneratePaymentTokenResponse(string email, bool rememberMe)
{
    //var tokenExpiration = rememberMe ? TimeSpan.FromDays(14) : TimeSpan.FromMinutes(30);
    var tokenExpiration = rememberMe ? TimeSpan.FromMinutes(30) : TimeSpan.FromMinutes(5);
    ClaimsIdentity identity = new ClaimsIdentity("CustomType", ClaimTypes.Email, ClaimTypes.Role);
    identity.AddClaim(new Claim(ClaimTypes.Email, email));
    var props = new AuthenticationProperties()
    {
        IssuedUtc = DateTime.UtcNow,
        ExpiresUtc = DateTime.UtcNow.Add(tokenExpiration)
    };
    var ticket = new AuthenticationTicket(identity, props);
    var accessToken = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);
    JObject tokenResponse = new JObject(
        new JProperty("email", email),
        new JProperty("customToken", accessToken),
        new JProperty("expiresIn", tokenExpiration.TotalSeconds),
        new JProperty("issuedUtc", ticket.Properties.IssuedUtc),
        new JProperty("expiresUtc", ticket.Properties.ExpiresUtc)
    );
    return tokenResponse;
}
The OAuthBearerOptions object comes from the Startup class, as shown below:
public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }

// in Configuration(IAppBuilder app):
OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
// Token Consumption (Resource Server)
app.UseOAuthBearerAuthentication(OAuthBearerOptions);
Now, when I pass an access token that is valid but has already expired and call AccessTokenFormat.Unprotect, as in the code below:
Microsoft.Owin.Security.AuthenticationTicket ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(paymentToken);
if ((ticket == null) || (!ticket.Identity.IsAuthenticated))
{
    actionContext.Response = CreateForbiddenResponse(actionContext);
    return Task.FromResult<object>(null);
}
I get a valid ticket, and ticket.Identity.IsAuthenticated is true even though the token has expired.

I am currently using the latest version of Microsoft.Owin.Security (3.0.1).

I would appreciate it if you could tell me how to set the validity period of this token.
"I get a valid ticket, and ticket.Identity.IsAuthenticated is true even though the token has expired"

This is completely by design: Unprotect returns a ticket with a valid ClaimsIdentity even if that ticket has expired. Since ClaimsIdentity.IsAuthenticated only checks that the ClaimsIdentity.AuthenticationType property is not null, it is not a reliable way to make sure the ticket has not expired.

It is actually up to you to determine whether the ticket is still valid and to return an error if necessary (this is exactly what the bearer middleware does internally when it receives an access token):
if (ticket.Properties.ExpiresUtc.HasValue &&
    ticket.Properties.ExpiresUtc.Value < DateTimeOffset.Now)
{
    return Task.FromResult<object>(null);
}
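The following is an added, self-contained example written for this page; it is not code from the question, the answer, or the Katana project. It shows the whole round trip the answer describes: a ticket whose ExpiresUtc is already in the past still unprotects to an authenticated identity, and only an explicit expiry check separates it from a fresh one. It goes slightly beyond the answer's check by also rejecting tickets with no expiry, tickets whose IssuedUtc lies in the future, and by allowing a small clock skew. The names PaymentTokenExample, Issue and Validate are assumptions made for this example. Because it runs outside IIS, the IDataProtector is built by hand from DpapiDataProtectionProvider (Windows only) with the same purposes the OAuth bearer middleware uses for its default AccessTokenFormat; inside an OWIN host you would keep using Startup.OAuthBearerOptions.AccessTokenFormat as in the question.

```csharp
// Added example (not the original poster's or the answer's code).
// Requires the Microsoft.Owin.Security NuGet package (3.x).
using System;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;

public static class PaymentTokenExample   // name assumed for this example
{
    // Same kind of format object the bearer middleware creates when
    // OAuthBearerAuthenticationOptions.AccessTokenFormat is left null:
    // a TicketDataFormat over an IDataProtector with the purposes
    // ("Microsoft.Owin.Security.OAuth", "Access_Token", "v1").
    // Built by hand here (DPAPI, Windows only) so the example runs without IIS.
    static readonly ISecureDataFormat<AuthenticationTicket> Format =
        new TicketDataFormat(
            new DpapiDataProtectionProvider("PaymentTokenExample")
                .Create("Microsoft.Owin.Security.OAuth", "Access_Token", "v1"));

    // Mirrors the question's GeneratePaymentTokenResponse, parameterised on
    // "now" so an already-expired token can be minted for the demonstration.
    public static string Issue(string email, TimeSpan lifetime, DateTimeOffset now)
    {
        var identity = new ClaimsIdentity("CustomType", ClaimTypes.Email, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.Email, email));
        var props = new AuthenticationProperties
        {
            IssuedUtc = now,
            ExpiresUtc = now.Add(lifetime)
        };
        return Format.Protect(new AuthenticationTicket(identity, props));
    }

    // Returns the ticket only if it unprotects, carries an authenticated identity
    // AND is inside its validity window. "skew" absorbs clock drift between the
    // server that issued the token and the one validating it.
    public static AuthenticationTicket Validate(string token, DateTimeOffset now, TimeSpan skew)
    {
        // Unprotect returns null for tampered or unparsable input.
        AuthenticationTicket ticket = Format.Unprotect(token);
        if (ticket == null || ticket.Identity == null || !ticket.Identity.IsAuthenticated)
            return null;

        AuthenticationProperties props = ticket.Properties;

        // A payment token with no expiry at all is a design bug: refuse it.
        if (!props.ExpiresUtc.HasValue)
            return null;

        // Expired (the answer's check, with skew).
        if (props.ExpiresUtc.Value < now - skew)
            return null;

        // Issued in the future: clock problem or forged timestamps.
        if (props.IssuedUtc.HasValue && props.IssuedUtc.Value > now + skew)
            return null;

        return ticket;
    }

    public static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        TimeSpan skew = TimeSpan.FromSeconds(30);

        string fresh = Issue("alice@example.com", TimeSpan.FromMinutes(5), now);
        // Issued 10 minutes ago with a 5 minute lifetime: already expired.
        string expired = Issue("alice@example.com", TimeSpan.FromMinutes(5), now.AddMinutes(-10));

        // Unprotect alone reports an authenticated identity for both tokens...
        Console.WriteLine("expired token, IsAuthenticated after Unprotect: "
            + Format.Unprotect(expired).Identity.IsAuthenticated);

        // ...only the explicit expiry check tells them apart.
        Console.WriteLine("fresh token accepted:   " + (Validate(fresh, now, skew) != null));
        Console.WriteLine("expired token accepted: " + (Validate(expired, now, skew) != null));
    }
}
```

When this runs inside the action filter from the question, replace Format with Startup.OAuthBearerOptions.AccessTokenFormat and keep returning CreateForbiddenResponse when Validate yields null; compare against a UTC clock (DateTimeOffset.UtcNow or the middleware's SystemClock) rather than local time so the check does not depend on the server's time zone.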