Fatal编程技术网
  • csharp/
  • C# WebForm用授权代码替换OAUTH2隐式流

C# WebForm用授权代码替换OAUTH2隐式流

c# asp.net oauth-2.0

C# WebForm用授权代码替换OAUTH2隐式流,c#,asp.net,oauth-2.0,asp.net-identity,C#,Asp.net,Oauth 2.0,Asp.net Identity,我想知道ASP.NET 4.7 WebForm应用程序是否可以使用OAUTH身份验证,使用带有代码交换验证密钥(PKCE)的授权代码流,以避免在客户端公开令牌 这是Startup.Auth.cs类中当前使用的代码: using System; using Microsoft.AspNet.Identity; using Microsoft.AspNet.Identity.Owin; using Microsoft.Owin; using Microsoft.Owin.Security; usin

我想知道ASP.NET 4.7 WebForm应用程序是否可以使用OAUTH身份验证,使用带有代码交换验证密钥(PKCE)的授权代码流,以避免在客户端公开令牌

这是Startup.Auth.cs类中当前使用的代码:

using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.Notifications;
using Owin;
using System.Threading.Tasks;
using System.Web;

public partial class Startup 
{
    string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];
    string redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];
    static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];
    string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, System.Configuration.ConfigurationManager.AppSettings["Authority"], tenant);


    public void ConfigureAuth(IAppBuilder app)
    {
        var provider = new CookieAuthenticationProvider();
        provider.OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User>(
                            validateInterval: TimeSpan.FromMinutes(60),
                            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager));



        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        //Workaround for Katana bug #197
        app.UseKentorOwinCookieSaver();
        //******************************
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
            SlidingExpiration = true,
            ExpireTimeSpan = TimeSpan.FromMinutes(60),
            LoginPath = new PathString("/Account/Login"),
            CookieSecure = CookieSecureOption.Always,
            Provider = provider
        });
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);


        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
            // Sets the ClientId, authority, RedirectUri as obtained from web.config
            ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
            PostLogoutRedirectUri = redirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile,
            ResponseType = OpenIdConnectResponseType.IdToken,
            TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer = false
                },
            Notifications = new OpenIdConnectAuthenticationNotifications
                {

                AuthenticationFailed = OnAuthenticationFailed,
                    AuthorizationCodeReceived = (context) =>
                    {
                        return Task.FromResult(0);
                    },
                    SecurityTokenValidated = (context) =>
                    {
                        return Task.FromResult(0);
                    },
                    SecurityTokenReceived = (context) =>
                    {
                        return Task.FromResult(0);
                    }
                }
            }
        );
    }
    ...
}

使用系统;
使用Microsoft.AspNet.Identity;
使用Microsoft.AspNet.Identity.Owin;
使用Microsoft.Owin;
使用Microsoft.Owin.Security;
使用Microsoft.Owin.Security.Cookies;
使用Microsoft.IdentityModel.Protocols.OpenIdConnect;
使用Microsoft.IdentityModel.Tokens;
使用Microsoft.Owin.Security.OpenIdConnect;
使用Microsoft.Owin.Security.Notifications;
使用Owin;
使用System.Threading.Tasks;
使用System.Web;
公共部分类启动
{
字符串clientId=System.Configuration.ConfigurationManager.AppSettings[“clientId”];
字符串redirectUri=System.Configuration.ConfigurationManager.AppSettings[“redirectUri”];
静态字符串tenant=System.Configuration.ConfigurationManager.AppSettings[“tenant”];
string authority=string.Format(System.Globalization.CultureInfo.InvariantCulture,System.Configuration.ConfigurationManager.AppSettings[“authority”],租户);
public void ConfigureAuth(IAppBuilder应用程序)
{
var provider=新CookieAuthenticationProvider();

provider.OnValidateIdentity=SecurityStampValidator.OnValidateIdentity应该可以正常工作-流程由响应类型字段决定:


    

  • 隐式流将使用“token”或“token id_token”-看起来您并没有使用它。建议避免包含token,因为这样会在URL中返回令牌,它们可能会泄漏
    

    • 

  • 通过“代码”使用代码流——尽管我相信MS库可能要求您使用“代码id_令牌”的混合流。两者都是安全设计
    

    • 


单页应用程序需要PKCE,因为它们无法存储客户端机密。对于服务器端应用程序,PKCE不太重要,因为机密不会泄露给浏览器。我认为那些MS服务器端库不支持PKCE