Is token-based security in OAuth 2.0 / Web API 2 stateless?
I just want to understand the following code:
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Resource Owner Password Credentials grant: the client posted username/password
        // to the token endpoint, and this method decides whether to issue a token.
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // Two identities with the same claims but different AuthenticationType,
        // one for the bearer-token middleware and one for the cookie middleware.
        ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager,
            OAuthDefaults.AuthenticationType);
        ClaimsIdentity cookiesIdentity = await user.GenerateUserIdentityAsync(userManager,
            CookieAuthenticationDefaults.AuthenticationType);

        AuthenticationProperties properties = CreateProperties(user.UserName);
        AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);

        // The validated ticket is what the authorization server serializes into the access token.
        context.Validated(ticket);
        // Additionally asks the cookie middleware to set an authentication cookie on this response.
        context.Request.Context.Authentication.SignIn(cookiesIdentity);
    }
It seems to keep the claims identity information for each token (until the token expires) somewhere in a cookie (session) on the server. Perhaps it is a dictionary with the token as the key and the claims identity object as the value.
SignIn:
Add information to the response environment that will cause the appropriate authentication
middleware to grant a claims-based identity to the recipient of the response.
The exact mechanism of this may vary. Examples include setting a cookie, to adding
a fragment on the redirect url, or producing an OAuth2 access code or token response.
cookiesIdentity:
Determines which claims are granted to the signed in user. The ClaimsIdentity.AuthenticationType
property is compared to the middleware's Options.AuthenticationType value to
determine which claims are granted by which middleware. The recommended use is
to have a single ClaimsIdentity which has the AuthenticationType matching a specific
middleware.
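To show why no server-side dictionary is needed, here is an added stand-alone example (not code from the question or from the ASP.NET template) that round-trips an AuthenticationTicket through Microsoft.Owin.Security's TicketDataFormat, the same serializer the OAuth authorization server middleware uses by default for access tokens. The DpapiDataProtectionProvider, the application name "demo-app", the purpose strings and the user "alice" are assumptions chosen for the demo; the host normally supplies the data protector.

```csharp
using System;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;
using Microsoft.Owin.Security.OAuth;

class TokenRoundTrip
{
    static void Main()
    {
        // The ticket is serialized, encrypted and MAC-protected into the token string itself.
        // DpapiDataProtectionProvider is an assumed stand-in for the host's data protector (Windows-only).
        IDataProtector protector = new DpapiDataProtectionProvider("demo-app")
            .Create("OAuth", "Access_Token", "v1");
        var format = new TicketDataFormat(protector);

        // Constructed identity, playing the role of oAuthIdentity in the question.
        var identity = new ClaimsIdentity(OAuthDefaults.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, "alice"));

        var properties = new AuthenticationProperties
        {
            IssuedUtc = DateTimeOffset.UtcNow,
            ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(20)
        };
        var ticket = new AuthenticationTicket(identity, properties);

        // This string is what the token endpoint hands back as access_token.
        string accessToken = format.Protect(ticket);

        // On a later request the bearer middleware needs only the token string:
        // claims and expiry come out of the token, not out of server memory.
        AuthenticationTicket restored = format.Unprotect(accessToken);
        bool valid = restored != null
                     && restored.Properties.ExpiresUtc > DateTimeOffset.UtcNow;
        Console.WriteLine(valid ? "accepted: " + restored.Identity.Name : "rejected");

        // A modified token fails the integrity check; Unprotect returns null or throws,
        // and either outcome is treated as an invalid token.
        string tampered = accessToken.Substring(0, accessToken.Length - 4) + "AAAA";
        bool tamperedRejected;
        try { tamperedRejected = format.Unprotect(tampered) == null; }
        catch (Exception) { tamperedRejected = true; }
        Console.WriteLine(tamperedRejected ? "tampered token rejected" : "unexpected");
    }
}
```

The cookie issued by SignIn is built the same way: the cookie middleware serializes and protects the cookiesIdentity into the cookie value, so neither path stores the identity on the server.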
I think you misunderstood: *OAuth parses the token into a username and password* - No, the user sends their credentials (username/password) to the endpoint to request a token; the code above validates the credentials and creates the token. Yes, right. I misunderstood. @jps I have edited the question now. Could you help me understand it better? What is this line of code doing:
context.Request.Context.Authentication.SignIn(cookiesIdentity)