Asp.net 在WebAPI中将刷新令牌与Facebook/Google相结合
我已经按照本教程在webapi中实现了外部登录提供程序: 我还想在这个解决方案中包含刷新令牌。我成功地按照本文在常规登录场景中做到了这一点- 不幸的是,我不知道如何为外部登录做到这一点。我已经研究了OWIN的实现,并尝试了下面的代码。它生成令牌,但序列化票证时遇到问题(当我试图根据以这种方式生成的刷新令牌请求生成新的访问令牌时,票证无法解除保护)Asp.net 在WebAPI中将刷新令牌与Facebook/Google相结合,asp.net,asp.net-web-api2,owin,access-token,Asp.net,Asp.net Web Api2,Owin,Access Token,我已经按照本教程在webapi中实现了外部登录提供程序: 我还想在这个解决方案中包含刷新令牌。我成功地按照本文在常规登录场景中做到了这一点- 不幸的是,我不知道如何为外部登录做到这一点。我已经研究了OWIN的实现,并尝试了下面的代码。它生成令牌,但序列化票证时遇到问题(当我试图根据以这种方式生成的刷新令牌请求生成新的访问令牌时,票证无法解除保护) 专用异步任务GenerateLocalAccessTokenResponse(字符串用户ID) { var tokenExpiration=Time
专用异步任务GenerateLocalAccessTokenResponse(字符串用户ID)
{
var tokenExpiration=TimeSpan.FromDays(1);
ClaimsIdentity identity=新的ClaimsIdentity(OAuthDefaults.AuthenticationType);
var user=await GetUser(userId);
identity.AddClaim(新声明(ClaimTypes.Name,user.UserName));
identity.AddClaim(新声明(“角色”、“用户”));
AddClaim(新的声明(ClaimTypes.NameIdentifier,user.Id));
var props=新的AuthenticationProperties()
{
IssuedUtc=DateTime.UtcNow,
ExpiresUtc=DateTime.UtcNow.Add(令牌到期),
};
var票证=新的身份验证票证(身份、道具);
var accessToken=Startup.oauthBeareOptions.AccessTokenFormat.Protect(票证);
//这是我补充的
var context=Request.GetOwinContext();
//这里我使用了一个DataProtectionProvider,它是我在启动时用app.GetDataProtectionProvider()生成的,我将它作为一个静态对象保存
var secureDataFormat=新的TicketDataFormat(Helpers.Providers.DataProtectionProvider.Create(
typeof(OAuthAuthorizationServerMiddleware).Namespace,“刷新令牌”,“v1”,“ASP.NET标识”);
var createContext=新的AuthenticationTokenCreateContext(上下文、secureDataFormat、票证);
等待启动。OAuthServerOptions.RefreshTokenProvider.CreateAncial(createContext);
JObject tokenResponse=新JObject(
新的JProperty(“用户名”,user.userName),
新的JProperty(“访问令牌”,accessToken),
新产权(“令牌类型”、“持有人”),
新的JProperty(“expires_in”,tokenExpirement.TotalSeconds.ToString()),
新JProperty(“.issued”,ticket.Properties.IssuedUtc.ToString()),
新的JProperty(“.expires”,ticket.Properties.ExpiresUtc.ToString()),
新的JProperty(“刷新令牌”,createContext.token)
);
返回令牌响应;
}
private async Task<JObject> GenerateLocalAccessTokenResponse(string userId)
{
var tokenExpiration = TimeSpan.FromDays(1);
ClaimsIdentity identity = new ClaimsIdentity(OAuthDefaults.AuthenticationType);
var user = await GetUser(userId);
identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
identity.AddClaim(new Claim("role", "user"));
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
var props = new AuthenticationProperties()
{
IssuedUtc = DateTime.UtcNow,
ExpiresUtc = DateTime.UtcNow.Add(tokenExpiration),
};
var ticket = new AuthenticationTicket(identity, props);
var accessToken = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);
// This is what I added
var context = Request.GetOwinContext();
// Here I use a DataProtectionProvider which I generated on startup with app.GetDataProtectionProvider() and I keep it as a static object
var secureDataFormat = new TicketDataFormat(Helpers.Providers.DataProtectionProvider.Create(
typeof(OAuthAuthorizationServerMiddleware).Namespace, "Refresh_Token", "v1", "ASP.NET Identity"));
var createContext = new AuthenticationTokenCreateContext(context, secureDataFormat, ticket);
await Startup.OAuthServerOptions.RefreshTokenProvider.CreateAsync(createContext);
JObject tokenResponse = new JObject(
new JProperty("userName", user.UserName),
new JProperty("access_token", accessToken),
new JProperty("token_type", "bearer"),
new JProperty("expires_in", tokenExpiration.TotalSeconds.ToString()),
new JProperty(".issued", ticket.Properties.IssuedUtc.ToString()),
new JProperty(".expires", ticket.Properties.ExpiresUtc.ToString()),
new JProperty("refresh_token", createContext.Token)
);
return tokenResponse;
}