C# WebForm用授权代码替换OAUTH2隐式流
我想知道 ASP.NET 4.7 WebForms 应用程序能否使用 OAuth 2.0 / OpenID Connect 的授权码流程(Authorization Code Flow)并配合 PKCE(Proof Key for Code Exchange),以替代当前的隐式流,避免令牌暴露在浏览器端。下面是 Startup.Auth.cs 中目前使用的代码(标签:c#、asp.net、oauth-2.0、asp.net-identity):
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.Notifications;
using Owin;
using System.Threading.Tasks;
using System.Web;
public partial class Startup
{
// Client id and redirect URI come from web.config appSettings. Note that no client
// secret / certificate is read anywhere here, which is why the OIDC registration in
// ConfigureAuth can only ask for an id_token (it cannot redeem an authorization code).
string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];
string redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];
// "Tenant" is substituted into the "Authority" format string via String.Format ({0});
// the actual URL template lives in web.config and is not visible here.
static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];
string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, System.Configuration.ConfigurationManager.AppSettings["Authority"], tenant);
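/// <summary>
/// Registers the OWIN authentication pipeline: one hardened application cookie
/// (with security-stamp re-validation), the external sign-in cookie, and the
/// OpenID Connect middleware that produces the identity signed into that cookie.
/// </summary>
/// <param name="app">The OWIN app builder supplied by the Startup host.</param>
/// <remarks>
/// Fix versus the original: the original registered a SECOND cookie middleware with
/// default <c>CookieAuthenticationOptions</c>. Its default AuthenticationType is also
/// "ApplicationCookie", so it handled the same cookie as the hardened one, but with
/// CookieSecure left at SameAsRequest and without security-stamp validation. That
/// duplicate (and a duplicated SetDefaultSignInAsAuthenticationType call) is removed.
/// </remarks>
public void ConfigureAuth(IAppBuilder app)
{
    // Re-check the cookie identity against the user's security stamp every 60 minutes so
    // a password change / "sign out everywhere" invalidates live cookies before ExpireTimeSpan.
    var provider = new CookieAuthenticationProvider();
    provider.OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User>(
        validateInterval: TimeSpan.FromMinutes(60),
        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager));

    // Identities produced by the OIDC middleware below are signed in to this cookie type.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    // Workaround for Katana bug #197 (see Kentor.OwinCookieSaver) — keep it before the cookie middleware.
    app.UseKentorOwinCookieSaver();

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
        SlidingExpiration = true,
        ExpireTimeSpan = TimeSpan.FromMinutes(60),
        LoginPath = new PathString("/Account/Login"),
        // Never emit the session cookie without the Secure flag, even on an HTTP request.
        CookieSecure = CookieSecureOption.Always,
        Provider = provider
    });
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // ClientId, Authority and RedirectUri are read from web.config (see the fields above).
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,
            // Passive: only redirect to the IdP when something explicitly challenges this scheme.
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
            PostLogoutRedirectUri = redirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            // "id_token" alone is still an implicit-style response (delivered by the browser).
            // Moving to OpenIdConnectResponseType.Code requires the middleware to redeem the
            // code at the token endpoint: a client secret or certificate, and a Katana version
            // whose OIDC middleware supports RedeemCode / PKCE — TODO confirm against the
            // installed Microsoft.Owin.Security.OpenIdConnect version before switching.
            ResponseType = OpenIdConnectResponseType.IdToken,
            TokenValidationParameters = new TokenValidationParameters()
            {
                // NOTE(review): ValidateIssuer = false accepts an id_token from ANY issuer whose
                // signature validates under this Authority's keys — for a multi-tenant AAD
                // authority that means any tenant. Prefer ValidIssuer / ValidIssuers or an
                // IssuerValidator for the tenants actually trusted. Left unchanged here because
                // the intended tenant set is not visible in this file — TODO confirm.
                ValidateIssuer = false
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed,
                // No-op hooks. With a code response this is where the code would be redeemed
                // (or RedeemCode would do it for you); with id_token only there is no code.
                AuthorizationCodeReceived = context => Task.FromResult(0),
                SecurityTokenValidated = context => Task.FromResult(0),
                SecurityTokenReceived = context => Task.FromResult(0)
            }
        });
}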
...
}
使用系统;
使用Microsoft.AspNet.Identity;
使用Microsoft.AspNet.Identity.Owin;
使用Microsoft.Owin;
使用Microsoft.Owin.Security;
使用Microsoft.Owin.Security.Cookies;
使用Microsoft.IdentityModel.Protocols.OpenIdConnect;
使用Microsoft.IdentityModel.Tokens;
使用Microsoft.Owin.Security.OpenIdConnect;
使用Microsoft.Owin.Security.Notifications;
使用Owin;
使用System.Threading.Tasks;
使用System.Web;
公共部分类启动
{
字符串clientId=System.Configuration.ConfigurationManager.AppSettings[“clientId”];
字符串redirectUri=System.Configuration.ConfigurationManager.AppSettings[“redirectUri”];
静态字符串tenant=System.Configuration.ConfigurationManager.AppSettings[“tenant”];
string authority=string.Format(System.Globalization.CultureInfo.InvariantCulture,System.Configuration.ConfigurationManager.AppSettings[“authority”],租户);
public void ConfigureAuth(IAppBuilder应用程序)
{
var provider=新CookieAuthenticationProvider();
这应该可以正常工作——使用哪种流程由 OpenIdConnectAuthenticationOptions 的 ResponseType 字段决定:
- 隐式流使用 "token" 或 "token id_token"。你当前配置的是 OpenIdConnectResponseType.IdToken,即只请求 id_token,这仍然属于隐式类型的响应(Katana 默认以 form_post 方式返回,因此令牌不会出现在 URL 中,但它依然是经由浏览器转交的)。建议避免请求 "token":访问令牌会经由浏览器返回,容易泄漏。
- 授权码流程使用 "code"。较旧的 Katana 版本不会自行兑换授权码,所以通常要配合混合流 "code id_token" 并在 AuthorizationCodeReceived 中自己调用令牌端点;据我了解,Microsoft.Owin.Security.OpenIdConnect 4.1 及以上版本支持 ResponseType = Code 并通过 RedeemCode = true 由中间件兑换授权码——请以你所用版本的文档为准。两者在服务端应用中都是安全的设计,但无论哪种都需要配置客户端机密(或证书),而上面的代码里并没有读取任何机密。
单页应用程序必须使用 PKCE,因为它们无法保存客户端机密。对于服务端(机密客户端)应用,PKCE 过去被认为不那么关键,但当前的 OAuth 2.0 安全最佳实践(以及 OAuth 2.1 草案)建议所有客户端都启用 PKCE,因为它还能防御授权码注入攻击。据我了解,Katana 4.1 及以上的 OIDC 中间件在授权码流程下支持 PKCE(UsePkce 选项,默认开启),请核对你所用版本的发行说明。另外要注意示例中的 ValidateIssuer = false:它会接受任何签发者的 id_token,对多租户 Authority 来说意味着接受任意租户,应改为校验 ValidIssuer(s) 或提供 IssuerValidator。