C# 使用webAPI承载令牌的信号认证

+我曾经使用ASP.NETWebAPI2、Owin和Identity实现基于令牌的身份验证，效果非常好。我使用这个和这个通过连接字符串传递承载令牌来实现信号集线器授权和身份验证，但似乎承载令牌没有运行，或者某个地方出了问题，这就是为什么我在这里寻求帮助…这些是我的代码。。。 QueryStringBeareAuthorizeAttribute：这是负责验证的类

using ImpAuth.Entities;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;

namespace ImpAuth.Providers
{
    using System.Security.Claims;
    using Microsoft.AspNet.SignalR;
    using Microsoft.AspNet.SignalR.Hubs;
    using Microsoft.AspNet.SignalR.Owin;

    public class QueryStringBearerAuthorizeAttribute : AuthorizeAttribute
    {
        public override bool AuthorizeHubConnection(HubDescriptor hubDescriptor, IRequest request)
        {
            var token = request.QueryString.Get("Bearer");
            var authenticationTicket = Startup.AuthServerOptions.AccessTokenFormat.Unprotect(token);

            if (authenticationTicket == null || authenticationTicket.Identity == null || !authenticationTicket.Identity.IsAuthenticated)
            {
                return false;
            }

            request.Environment["server.User"] = new ClaimsPrincipal(authenticationTicket.Identity);
            request.Environment["server.Username"] = authenticationTicket.Identity.Name;
            request.GetHttpContext().User = new ClaimsPrincipal(authenticationTicket.Identity);
            return true;
        }

        public override bool AuthorizeHubMethodInvocation(IHubIncomingInvokerContext hubIncomingInvokerContext, bool appliesToMethod)
        {
            var connectionId = hubIncomingInvokerContext.Hub.Context.ConnectionId;

            // check the authenticated user principal from environment
            var environment = hubIncomingInvokerContext.Hub.Context.Request.Environment;
            var principal = environment["server.User"] as ClaimsPrincipal;

            if (principal != null && principal.Identity != null && principal.Identity.IsAuthenticated)
            {
                // create a new HubCallerContext instance with the principal generated from token
                // and replace the current context so that in hubs we can retrieve current user identity
                hubIncomingInvokerContext.Hub.Context = new HubCallerContext(new ServerRequest(environment), connectionId);

                return true;
            }

            return false;
        }
    }
}

这是我的创业班

using ImpAuth.Providers;
using Microsoft.AspNet.SignalR;
using Microsoft.Owin;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Security.Facebook;
using Microsoft.Owin.Security.Google;
//using Microsoft.Owin.Security.Facebook;
//using Microsoft.Owin.Security.Google;
using Microsoft.Owin.Security.OAuth;
using Owin;
using System;
using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;
using System.Web;
using System.Web.Http;

[assembly: OwinStartup(typeof(ImpAuth.Startup))]

namespace ImpAuth
{
    public class Startup
    {
        public static OAuthAuthorizationServerOptions AuthServerOptions;

        static Startup()
        {
            AuthServerOptions = new OAuthAuthorizationServerOptions
            {
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
                Provider = new SimpleAuthorizationServerProvider()
               // RefreshTokenProvider = new SimpleRefreshTokenProvider()
            };
        }

        public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }
        public static GoogleOAuth2AuthenticationOptions googleAuthOptions { get; private set; }
        public static FacebookAuthenticationOptions facebookAuthOptions { get; private set; }

        public void Configuration(IAppBuilder app)
        {
            //app.MapSignalR();
            ConfigureOAuth(app);
            app.Map("/signalr", map =>
            {
                // Setup the CORS middleware to run before SignalR.
                // By default this will allow all origins. You can 
                // configure the set of origins and/or http verbs by
                // providing a cors options with a different policy.
                map.UseCors(CorsOptions.AllowAll);
                var hubConfiguration = new HubConfiguration
                {
                    // You can enable JSONP by uncommenting line below.
                    // JSONP requests are insecure but some older browsers (and some
                    // versions of IE) require JSONP to work cross domain
                    //EnableJSONP = true
                    EnableDetailedErrors = true
                };
                // Run the SignalR pipeline. We're not using MapSignalR
                // since this branch already runs under the "/signalr"
                // path.
                map.RunSignalR(hubConfiguration);
            });
            HttpConfiguration config = new HttpConfiguration();
            app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
            WebApiConfig.Register(config);
            app.UseWebApi(config);
        }

        public void ConfigureOAuth(IAppBuilder app)
        {
            //use a cookie to temporarily store information about a user logging in with a third party login provider
            app.UseExternalSignInCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);
            OAuthBearerOptions = new OAuthBearerAuthenticationOptions();

            OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
            {
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
                Provider = new SimpleAuthorizationServerProvider()
            };

            // Token Generation
            app.UseOAuthAuthorizationServer(OAuthServerOptions);
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            //Configure Google External Login
            googleAuthOptions = new GoogleOAuth2AuthenticationOptions()
            {
                ClientId = "1062903283154-94kdm6orqj8epcq3ilp4ep2liv96c5mn.apps.googleusercontent.com",
                ClientSecret = "rv5mJUz0epWXmvWUAQJSpP85",
                Provider = new GoogleAuthProvider()
            };
            app.UseGoogleAuthentication(googleAuthOptions);

            //Configure Facebook External Login
            facebookAuthOptions = new FacebookAuthenticationOptions()
            {
                AppId = "CHARLIE",
                AppSecret = "xxxxxx",
                Provider = new FacebookAuthProvider()
            };
            app.UseFacebookAuthentication(facebookAuthOptions);
        }
    }

}

这是客户机上的淘汰加jquery代码

function chat(name, message) {
    self.Name = ko.observable(name);
    self.Message = ko.observable(message);
}

function viewModel() {
    var self = this;
    self.chatMessages = ko.observableArray();

    self.sendMessage = function () {
        if (!$('#message').val() == '' && !$('#name').val() == '') {
            $.connection.hub.qs = { Bearer: "yyCH391w-CkSVMv7ieH2quEihDUOpWymxI12Vh7gtnZJpWRRkajQGZhrU5DnEVkOy-hpLJ4MyhZnrB_EMhM0FjrLx5bjmikhl6EeyjpMlwkRDM2lfgKMF4e82UaUg1ZFc7JFAt4dFvHRshX9ay0ziCnuwGLvvYhiriew2v-F7d0bC18q5oqwZCmSogg2Osr63gAAX1oo9zOjx5pe2ClFHTlr7GlceM6CTR0jz2mYjSI" };
            $.connection.hub.start().done(function () {
                $.connection.hub.qs = { Bearer: "yyCH391w-CkSVMv7ieH2quEihDUOpWymxI12Vh7gtnZJpWRRkajQGZhrU5DnEVkOy-hpLJ4MyhZnrB_EMhM0FjrLx5bjmikhl6EeyjpMlwkRDM2lfgKMF4e82UaUg1ZFc7JFAt4dFvHRshX9ay0ziCnuwGLvvYhiriew2v-F7d0bC18q5oqwZCmSogg2Osr63gAAX1oo9zOjx5pe2ClFHTlr7GlceM6CTR0jz2mYjSI" };
                $.connection.impAuthHub.server.sendMessage($('#name').val(), $('#message').val())
                            .done(function () { $('#message').val(''); $('#name').val(''); })
                            .fail(function (e) { alert(e) });
            });
        }
    }

    $.connection.impAuthHub.client.newMessage = function (NAME, MESSAGE) {
        //alert(ko.toJSON(NAME, MESSAGE));
        var chat1 = new chat(NAME, MESSAGE);
        self.chatMessages.push(chat1);
    }

}

ko.applyBindings(new viewModel());

这是我的集线器课程

using ImpAuth.Providers;
using Microsoft.AspNet.SignalR;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

namespace ImpAuth
{
    public class impAuthHub : Hub
    {
        [QueryStringBearerAuthorize]
        public void SendMessage(string name, string message)
        {

            Clients.All.newMessage(name, message);
        }
    }
}

…现在，当我尝试调用一个经过身份验证的集线器类时，出现了这个错误

caller is not authenticated to invove method sendMessage in impAuthHub

但随后我在QueryStringBeareAuthorizeAttribute类中将此方法更改为始终返回true，如下所示

public override bool AuthorizeHubMethodInvocation(IHubIncomingInvokerContext hubIncomingInvokerContext, bool appliesToMethod)
{
    var connectionId = hubIncomingInvokerContext.Hub.Context.ConnectionId;
    // check the authenticated user principal from environment
    var environment = hubIncomingInvokerContext.Hub.Context.Request.Environment;
    var principal = environment["server.User"] as ClaimsPrincipal;

    if (principal != null && principal.Identity != null && principal.Identity.IsAuthenticated)
    {
        // create a new HubCallerContext instance with the principal generated from token
        // and replace the current context so that in hubs we can retrieve current user identity
        hubIncomingInvokerContext.Hub.Context = new HubCallerContext(new ServerRequest(environment), connectionId);

        return true;
    }

    return true;
}

---

…它可以工作…我的代码或实现有什么问题？

您需要这样配置您的信号器

app.Map("/signalr", map =>
{
    map.UseCors(CorsOptions.AllowAll);

    map.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
    {
        Provider = new QueryStringOAuthBearerProvider()
    });

    var hubConfiguration = new HubConfiguration
    {
        Resolver = GlobalHost.DependencyResolver,
    };
    map.RunSignalR(hubConfiguration);
});

然后，您需要为signalR编写一个基本的自定义OAuthBeareAuthenticationProvider，它接受access\u令牌作为查询字符串

public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider
{
    public override Task RequestToken(OAuthRequestTokenContext context)
    {
        var value = context.Request.Query.Get("access_token");

        if (!string.IsNullOrEmpty(value))
        {
            context.Token = value;
        }

        return Task.FromResult<object>(null);
    }
}

对于您的集线器，只有普通[授权]属性

public class impAuthHub : Hub
{
    [Authorize]
    public void SendMessage(string name, string message)
    {
       Clients.All.newMessage(name, message);
    }
}

---

希望这有帮助。YD.

无法发表评论，因此在对Peter出色答案的评论之后添加我的答案

进行了更多的挖掘，我在自定义owin授权提供程序中设置的用户id隐藏在这里（显示了完整的集线器方法）

自定义身份验证提供程序如下所示：

public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider
{
    public override Task RequestToken(OAuthRequestTokenContext context)
    {
        var value = context.Request.Query.Get("access_token");

        if (!string.IsNullOrEmpty(value))
        {
            context.Token = value;
        }

        return Task.FromResult<object>(null);
    }
}

公共类QueryStringOAuthBearerProvider:OAuthBeareAuthenticationProvider
{
公共覆盖任务RequestToken（OAuthRequestTokenContext上下文）
{
var value=context.Request.Query.Get（“访问令牌”）；
如果（！string.IsNullOrEmpty（值））
{
context.Token=值；
}
返回Task.FromResult（空）；
}
}

我遵循：

首先将JWT添加到查询字符串：'

this.connection = $['hubConnection']();
this.connection.qs = { 'access_token': token}

然后在

startup.cs

中，在JWTBeareAuthentication之前，将令牌添加到头中：

 app.Use(async (context, next) =>
            {
                if (string.IsNullOrWhiteSpace(context.Request.Headers["Authorization"]) && context.Request.QueryString.HasValue)
                {
                    var token = context.Request.QueryString.Value.Split('&').SingleOrDefault(x => x.Contains("access_token"))?.Split('=')[1];
                    if (!string.IsNullOrWhiteSpace(token))
                    {
                        context.Request.Headers.Add("Authorization", new[] { $"Bearer {token}" });
                    }
                }
                await next.Invoke();
            });


            var keyResolver = new JwtSigningKeyResolver(new AuthenticationKeyContainer());
            app.UseJwtBearerAuthentication(
                new JwtBearerAuthenticationOptions
                {
                    AuthenticationMode = AuthenticationMode.Active,
                    TokenValidationParameters = new TokenValidationParameters()
                    {
                        ValidAudience = ConfigurationUtil.ocdpAuthAudience,
                        ValidIssuer = ConfigurationUtil.ocdpAuthZero,
                        IssuerSigningKeyResolver = (token, securityToken, kid, validationParameters) => keyResolver.GetSigningKey(kid)
                    }
                });


            ValidateSignalRConnectionData(app);
            var hubConfiguration = new HubConfiguration
            {
                EnableDetailedErrors = true
            };
            app.MapSignalR(hubConfiguration);

---

我已经给路易斯发了一封电子邮件，他提出了我的回购协议，并实施了与SignalR的集成，希望他能够检查并提供帮助。很高兴我的帖子对你有用：）嗨，泰瑟谢谢你的邮件。麦卡比，有几件事我能想到。首先，您是否可以调试您的应用程序，并在我们设置var principal的地方中断它。我想看看原则上有什么价值。这将是最好的开始。+你好，刘易斯…我得到一个空的原则值…要么承载令牌没有被发送，顺便问一下，我如何检查承载令牌是否从客户端发送？+@Louis Lewis This method“public override bool AuthorizeHubConnection（HubDescriptor HubDescriptor，IRequest请求）{}'似乎在任何给定点都不会被调用…为什么？应该是这样的吗？简单看一下，您已经在方法上分配了属性，而不是在类上，我想说这就是为什么AuthorizeHubConnection方法没有触发的原因。我建议作为一个起点，尝试将属性移到类上，然后我们从那里开始。您如何从hub

上下文访问用户？您是否能够调用
上下文.用户.标识.名称
？这条线到底是干什么的<代码>context.Token=值它如何填充中心上下文？谢谢我刚刚尝试了这个方法，但不幸的是，我的，
Context.User.Identity.Name
是
null
来自
提供者的
Context
在OWIN管道中的位置如何？我将
context.Token
设置为从客户端检索到的令牌这一事实将如何影响我的
context
？任何回购/更复杂的例子现在对我来说都是黄金。谢谢@tofutim我实际上为此创建了一个回购，@radu matei请你检查一下回购协议，链接断了-我在回购协议上看到项目被重组了。链接正确吗？这有用吗？我收到错误：调用方无权调用上的方法。我可以看到请求令牌被正确执行，并且令牌被分配了正确的值。
public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider
{
    public override Task RequestToken(OAuthRequestTokenContext context)
    {
        var value = context.Request.Query.Get("access_token");

        if (!string.IsNullOrEmpty(value))
        {
            context.Token = value;
        }

        return Task.FromResult<object>(null);
    }
}

this.connection = $['hubConnection']();
this.connection.qs = { 'access_token': token}

 app.Use(async (context, next) =>
            {
                if (string.IsNullOrWhiteSpace(context.Request.Headers["Authorization"]) && context.Request.QueryString.HasValue)
                {
                    var token = context.Request.QueryString.Value.Split('&').SingleOrDefault(x => x.Contains("access_token"))?.Split('=')[1];
                    if (!string.IsNullOrWhiteSpace(token))
                    {
                        context.Request.Headers.Add("Authorization", new[] { $"Bearer {token}" });
                    }
                }
                await next.Invoke();
            });


            var keyResolver = new JwtSigningKeyResolver(new AuthenticationKeyContainer());
            app.UseJwtBearerAuthentication(
                new JwtBearerAuthenticationOptions
                {
                    AuthenticationMode = AuthenticationMode.Active,
                    TokenValidationParameters = new TokenValidationParameters()
                    {
                        ValidAudience = ConfigurationUtil.ocdpAuthAudience,
                        ValidIssuer = ConfigurationUtil.ocdpAuthZero,
                        IssuerSigningKeyResolver = (token, securityToken, kid, validationParameters) => keyResolver.GetSigningKey(kid)
                    }
                });


            ValidateSignalRConnectionData(app);
            var hubConfiguration = new HubConfiguration
            {
                EnableDetailedErrors = true
            };
            app.MapSignalR(hubConfiguration);