Is token-based security in OAuth 2.0 Web API 2 stateless?

Tags: oauth-2.0, asp.net-web-api2, bearer-token

I am just trying to understand the following code:

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

        // Resource Owner Password Credentials grant: the client posts username/password.
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);

        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // Two identities with the same claims, each typed for a different middleware.
        ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager,
            OAuthDefaults.AuthenticationType);
        ClaimsIdentity cookiesIdentity = await user.GenerateUserIdentityAsync(userManager,
            CookieAuthenticationDefaults.AuthenticationType);

        AuthenticationProperties properties = CreateProperties(user.UserName);
        AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
        // The OAuth middleware serializes this ticket into the bearer token it returns.
        context.Validated(ticket);
        // The cookie middleware writes an authentication cookie on the response.
        context.Request.Context.Authentication.SignIn(cookiesIdentity);
    }
It seems to keep the claims identity information for each token (until the token expires) somewhere on the server, in cookies (a session). It might be a dictionary keyed by the token, with the claims identity object as the value.

  • The token is created from the username/password and a secret key
  • This token is passed along with every request
  • This token cannot be changed; if it is altered after it has been issued, it becomes invalid
  • So no session id is needed; the token itself is the entire reference. On their home page you can visualize token creation and the token itself
  • Deepak Mishra when you enable OAuth from a third party (such as Google), it sends most of the information in a query string with a callback action/function like the one below

    The OAuth library has built-in functionality to decode the object

    It inserts into the AspNetUsers table using an ID and a security stamp (not the Google SID)

    and puts stateless attributes in a cookie in the browser and in LocalStorage

    "If I happen to know your encryption algorithm..."

    Even if you were able to learn the encryption algorithm (which I highly doubt, since they have in-depth mechanisms) / their secret key (which again I highly doubt), if you modify it, it will be changed or invalid

    If you create your own library and allow invalid tokens to be used, then again you defeat the whole purpose of OAuth

    Authentication: Authentication middleware functionality available on the current request

        SignIn:
            Add information to the response environment that will cause the appropriate authentication
                 middleware to grant a claims-based identity to the recipient of the response.
                 The exact mechanism of this may vary. Examples include setting a cookie, to adding
                 a fragment on the redirect url, or producing an OAuth2 access code or token response.

        cookiesIdentity:
            Determines which claims are granted to the signed in user. The ClaimsIdentity.AuthenticationType
                 property is compared to the middleware's Options.AuthenticationType value to
                 determine which claims are granted by which middleware. The recommended use is
                 to have a single ClaimsIdentity which has the AuthenticationType matching a specific
                 middleware.
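The statelessness the answer describes (the token carries its own claims and signature, the server stores nothing per token, and any edit invalidates it) as an added Python example that is not from the question, the answer, or the ASP.NET/OWIN framework. The signing key, claim names and lifetime are constructed for illustration, and the HMAC layout is a simplified stand-in for the data-protected ticket the OWIN bearer middleware actually emits.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this example only; a real server loads a random
# key from protected configuration (OWIN uses its data-protection provider).
SECRET_KEY = b"example-signing-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, secret: bytes, lifetime: int, now: int) -> str:
    """Self-contained token: claims plus expiry, then HMAC-SHA256 over the
    encoded payload. The server stores nothing; the token is the reference."""
    payload = dict(claims, exp=now + lifetime)
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def validate_token(token: str, secret: bytes, now: int):
    """Recompute the MAC from the token itself and check expiry. Returns the
    claims dict, or None for a malformed, tampered, wrongly keyed or expired token."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # missing separator, bad base64 or bad JSON
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    return payload if payload["exp"] > now else None

def demo(now: int = 1_700_000_000) -> dict:
    """Outcomes for: valid, expired, claims edited with old signature, wrong key."""
    token = issue_token({"sub": "alice", "role": "user"}, SECRET_KEY, 3600, now)
    _, sig = token.split(".", 1)
    edited = _b64(json.dumps({"exp": now + 3600, "role": "admin"}).encode())
    return {
        "valid": validate_token(token, SECRET_KEY, now + 10) is not None,
        "expired": validate_token(token, SECRET_KEY, now + 3600) is None,
        "edited_rejected": validate_token(f"{edited}.{sig}", SECRET_KEY, now) is None,
        "wrong_key_rejected": validate_token(token, b"other-key", now) is None,
    }
```

The only state the resource server needs is the signing key; revocation before expiry therefore requires extra server-side state, which is the usual trade-off of this design.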
    

    I think you misunderstood: *OAuth parses the token into user name and password* - No, the user sends their credentials (username/password) to the endpoint to request a token; the code above validates the credentials and creates the token.

    Yes, right. I misunderstood.

    @jps I have now edited the question. Can you help me understand it better? What is this line of code doing:
    context.Request.Context.Authentication.SignIn(cookiesIdentity)