Authentication Web API不接受外部身份提供程序令牌
我已经为此挣扎了几个星期,终于决定寻求帮助 我有一个MVC网站,还有Xamarin.Forms应用程序,它有一个Web Api后端,所有这些都需要身份验证。MVC项目很容易实现,因为项目模板完成了大部分工作。现在,让webApi实现相同的提供者并不像我希望的那么容易 我已经在Xamarin.forms项目中实现了Xamarin.Auth,在该项目中,我为每个显示UI的标识提供程序都有一个按钮,并且在有效身份验证时为我提供一个访问令牌。下一步是将此外部令牌交换为由我的web api(本地授权)生成的令牌。当我在http报头中包含外部令牌时,其格式类似于“Authorization Bearner access_token”,我希望web api验证令牌并填写User.Identity以及声明 这是我的Startup.Auth.csAuthentication Web API不接受外部身份提供程序令牌,authentication,asp.net-web-api,oauth,owin,access-token,Authentication,Asp.net Web Api,Oauth,Owin,Access Token,我已经为此挣扎了几个星期,终于决定寻求帮助 我有一个MVC网站,还有Xamarin.Forms应用程序,它有一个Web Api后端,所有这些都需要身份验证。MVC项目很容易实现,因为项目模板完成了大部分工作。现在,让webApi实现相同的提供者并不像我希望的那么容易 我已经在Xamarin.forms项目中实现了Xamarin.Auth,在该项目中,我为每个显示UI的标识提供程序都有一个按钮,并且在有效身份验证时为我提供一个访问令牌。下一步是将此外部令牌交换为由我的web api(本地授权)生成
// Configure the db context and user manager to use a single instance per request
app.CreatePerOwinContext(IdentityEntities.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// Configure the application for OAuth based flow
PublicClientId = "self";
OAuthOptions = new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/Token"),
Provider = new ApplicationOAuthProvider(PublicClientId),
AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
// In production mode set AllowInsecureHttp = false
AllowInsecureHttp = true
};
// Enable the application to use bearer tokens to authenticate users
app.UseOAuthBearerTokens(OAuthOptions);
//var issuer = "http://localhost:59822";
var issuer = "https://brenockideapipelinewebapiauth.azurewebsites.net";
string audienceId = ConfigurationManager.AppSettings["as:AudienceId"];
byte[] audienceSecret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["as:AudienceSecret"]);
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { audienceId },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(issuer, audienceSecret)
}
});
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
TokenValidationParameters = new TokenValidationParameters
{
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
},
});
var fbauth = new FacebookAuthenticationOptions() { AppId = "appid", AppSecret = "secret" };
fbauth.Scope.Add("email");
fbauth.UserInformationEndpoint = "https://graph.facebook.com/v2.4/me?fields=id,name,email,first_name,last_name";
app.UseFacebookAuthentication(fbauth);
app.UseTwitterAuthentication(new Microsoft.Owin.Security.Twitter.TwitterAuthenticationOptions()
{
ConsumerKey = ConfigurationManager.AppSettings["TwitterConsumerKey"].ToString(),
ConsumerSecret = ConfigurationManager.AppSettings["TwitterConsumerSecret"].ToString(),twitter"),
//certificate errors without this
BackchannelCertificateValidator = new CertificateSubjectKeyIdentifierValidator(new[]
{
"A5EF0B11CEC04103A34A659048B21CE0572D7D47", // VeriSign Class 3 Secure Server CA - G2
"0D445C165344C1827E1D20AB25F40163D8BE79A5", // VeriSign Class 3 Secure Server CA - G3
"7FD365A7C2DDECBBF03009F34339FA02AF333133", // VeriSign Class 3 Public Primary Certification Authority - G5
"39A55D933676616E73A761DFA16A7E59CDE66FAD", // Symantec Class 3 Secure Server CA - G4
"5168FF90AF0207753CCCD9656462A212B859723B", //DigiCert SHA2 High Assurance Server CA
"B13EC36903F8BF4701D498261A0802EF63642BC3", //DigiCert High Assurance EV Root CA
"add53f6680fe66e383cbac3e60922e3b4c412bed", // Symantec Class 3 EV SSL CA - G3
"4eb6d578499b1ccf5f581ead56be3d9b6744a5e5", // VeriSign Class 3 Primary CA - G5
})
});
app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
{
ClientId = ConfigurationManager.AppSettings["GoogleClientId"].ToString(),
ClientSecret = ConfigurationManager.AppSettings["GoogleClientSecret"].ToString()
});
app.UseLinkedInAuthentication
(
new LinkedInAuthenticationOptions()
{
ClientId = ConfigurationManager.AppSettings["LinkedInAPIKey"].ToString(),
ClientSecret = ConfigurationManager.AppSettings["LinkedInAPISecret"].ToString()
}
);
}
//将数据库上下文和用户管理器配置为每个请求使用一个实例
app.CreatePerOwinContext(IdentityEntities.Create);
app.CreatePerOwinContext(ApplicationUserManager.Create);
app.CreatePerOwinContext(ApplicationRoleManager.Create);
app.CreatePerOwinContext(ApplicationSignInManager.Create);
//使应用程序能够使用cookie存储登录用户的信息
//以及使用cookie临时存储用户登录第三方登录提供商的信息
app.UseCookieAuthentication(新的CookieAuthenticationOptions());
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
//为基于OAuth的流配置应用程序
PublicClientId=“self”;
OAuthOptions=新的OAuthAuthorizationServerOptions
{
TokenEndpointPath=新路径字符串(“/Token”),
Provider=新的ApplicationAuthProvider(PublicClientId),
AuthorizeEndpointPath=新路径字符串(“/api/Account/ExternalLogin”),
AccessTokenExpireTimeSpan=TimeSpan.FromDays(14),
//在生产模式下,设置AllowInsecureHttp=false
AllowInsecureHttp=true
};
//使应用程序能够使用承载令牌对用户进行身份验证
应用程序使用OAuthBealerTokens(OAuthOptions);
//var发行人=”http://localhost:59822";
var发行人=”https://brenockideapipelinewebapiauth.azurewebsites.net";
字符串audenceid=ConfigurationManager.AppSettings[“as:audenceid”];
byte[]AudienceCret=TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings[“as:AudienceCret]”);
app.UseJwtBearerAuthentication(
新的JWTBeareAuthenticationOptions
{
AuthenticationMode=AuthenticationMode.Active,
AllowedAudients=new[]{audienceId},
IssuerSecurityTokenProviders=新的IIssuerSecurityTokenProvider[]
{
新的SymmetriceIsuerSecurityTokenProvider(发行人、AudienceCret)
}
});
app.useWindowsAzureActiveDirectoryBeareAuthentication(
新WindowsAzureActiveDirectoryBeareAuthenticationOptions
{
Tenant=ConfigurationManager.AppSettings[“ida:Tenant”],
TokenValidationParameters=新的TokenValidationParameters
{
ValidAudience=ConfigurationManager.AppSettings[“ida:Audience”]
},
});
var fbauth=new facebook authenticationoptions(){AppId=“AppId”,AppSecret=“secret”};
fbauth.Scope.Add(“电子邮件”);
fbauth.UserInformationEndpoint=”https://graph.facebook.com/v2.4/me?fields=id、姓名、电子邮件、名、姓”;
应用程序UseFacebookAuthentication(fbauth);
app.UseTwitterAuthentication(新的Microsoft.Owin.Security.Twitter.TwitterAuthenticationOptions()
{
ConsumerKey=ConfigurationManager.AppSettings[“TwitterConsumerKey”].ToString(),
ConsumerCret=ConfigurationManager.AppSettings[“TwitterConsumerCret”].ToString(),twitter”),
//没有此选项的证书错误
BackchannelCertificateValidator=新证书SubjectKeyIdentifierValidator(新[]
{
“A5EF0B11CEC04103A34A659048B21CE0572D7D47”,//VeriSign 3级安全服务器CA-G2
“0D445C165344C1827E1D20AB25F40163D8BE79A5”,//VeriSign 3级安全服务器CA-G3
“7FD365A7C2DDECBF03009F34339FA02AF333133”,//VeriSign 3级公共初级认证机构-G5
“39A55D933676616E73A761DFA16A7E59CDE66FAD”,//赛门铁克3级安全服务器CA-G4
“5168FF90AF0207753CCD9656462A212B859723B”//DigiCert SHA2高保证服务器CA.
“B13EC36903F8BF4701D498261A0802EF63642BC3”//DigiCert高保证EV根CA
"add53f6680fe66e383cbac3e60922e3b4c412bed“,//赛门铁克3级电动汽车SSL CA-G3
“4eb6d578499b1ccf5f581ead56be3d9b6744a5e5”///VeriSign 3级主CA-G5
})
});
app.UseGoogleAuthentication(新的GoogleOAuth2AuthenticationOptions()
{
ClientId=ConfigurationManager.AppSettings[“GoogleClientId”].ToString(),
ClientSecret=ConfigurationManager.AppSettings[“GoogleClientSecret”].ToString()
});
app.useLinkedIn身份验证
(
新建LinkedInAuthenticationOptions()
{
ClientId=ConfigurationManager.AppSettings[“LinkedInAPIKey”].ToString(),
ClientSecret=ConfigurationManager.AppSettings[“LinkedInAPISecret”].ToString()
}
);
}
这是我认为我需要用来将外部令牌交换为本地令牌的控制器操作
// GET api/Account/ExternalLogin
[OverrideAuthentication]
[HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)]
[AllowAnonymous]
[Route("ExternalLogin", Name = "ExternalLogin")]
public async Task<IHttpActionResult> GetExternalLogin(string provider, string error = null)
{
if (error != null)
{
return Redirect(Url.Content("~/") + "#error=" + Uri.EscapeDataString(error));
}
if (!User.Identity.IsAuthenticated)
{
return new ChallengeResult(provider, this);
}
ExternalLoginData externalLogin = ExternalLoginData.FromIdentity(User.Identity as ClaimsIdentity);
if (externalLogin == null)
{
return InternalServerError();
}
if (externalLogin.LoginProvider != provider)
{
Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
return new ChallengeResult(provider, this);
}
ApplicationUser user = await UserManager.FindAsync(new UserLoginInfo(externalLogin.LoginProvider,
externalLogin.ProviderKey));
bool hasRegistered = user != null;
if (hasRegistered)
{
Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(UserManager,
OAuthDefaults.AuthenticationType);
ClaimsIdentity cookieIdentity = await user.GenerateUserIdentityAsync(UserManager,
CookieAuthenticationDefaults.AuthenticationType);
AuthenticationProperties properties = ApplicationOAuthProvider.CreateProperties(user.UserName);
Authentication.SignIn(properties, oAuthIdentity, cookieIdentity);
}
else
{
IEnumerable<Claim> claims = externalLogin.GetClaims();
ClaimsIdentity identity = new ClaimsIdentity(claims, OAuthDefaults.AuthenticationType);
Authentication.SignIn(identity);
}
return Ok();
}
//获取api/Account/ExternalLogin
[覆盖认证]