【问题标题】:Get bearer token from OWIN Cookie and put it on API Requests从 OWIN Cookie 获取不记名令牌并将其放在 API 请求中
【发布时间】:2015-10-11 13:49:47
【问题描述】:

这是我的场景: 我有一个 MVC4.5/WebApi2 应用程序,它使用基于 Thinktecture.IdentityServer 提供程序的 OpenIdConnectAuthentication。到目前为止,我可以针对 MVC 进行身份验证。现在我想使用 Bearer Token 对 WebApi 进行身份验证。这是我的配置

app.UseWebApi(ConfigureAPI());
app.UseCookieAuthentication(new CookieAuthenticationOptions() {
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        CookieSecure = CookieSecureOption.Always,
        AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
        CookieHttpOnly = true
    });

app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions() {
                EnableValidationResultCache = false,
                Authority = WebConfigurationManager.AppSettings["Authority"],
                AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive
            });

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions() {
                Authority = WebConfigurationManager.AppSettings["Authority"],
                ClientId = WebConfigurationManager.AppSettings["ClientId"],
                ClientSecret = WebConfigurationManager.AppSettings["ClientSecret"],
                ResponseType = "code id_token",
                Scope = "openid email profile", 
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                Notifications = new OpenIdConnectAuthenticationNotifications {
                    AuthenticationFailed = OnAuthenticationFailed,
                    AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                    RedirectToIdentityProvider = OnRedirectToIdentityProvider
                }
            };
);

还有我的 WebApi 配置

public HttpConfiguration ConfigureAPI() {
            var httpConfig = new HttpConfiguration();
            // Configure Web API to use only bearer token authentication.
            httpConfig.SuppressDefaultHostAuthentication();
            httpConfig.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));    
            httpConfig.Formatters.JsonFormatter.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();

            // Web API routes
            httpConfig.MapHttpAttributeRoutes();

            httpConfig.Routes.MapHttpRoute(
                 name: "DefaultApi",
                 routeTemplate: "api/{controller}/{id}",
                 defaults: new { id = RouteParameter.Optional }
            );
            return httpConfig;
        }

由于我的 OWIN Cookie 中已经有访问令牌,我想在授权标头到达 API 之前将其添加到授权标头中,从而获得成功的身份验证。

这是我尝试过的

public class CustomAuthorizeAttribute : AuthorizeAttribute {
        protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext) {
            var cookies = actionContext.Request.Headers.GetCookies(".AspNet.Cookies");
            var cookie = cookies.First().Cookies.FirstOrDefault(c => c.Name == ".AspNet.Cookies");
            if (cookie != null) {               
                var unprotectedTicket = Startup.OAuthOptions.TicketDataFormat.Unprotect(ticket);
                actionContext.Request.Headers.Add("Authorization", string.Format("Bearer {0}", unprotectedTicket.Identity.Claims.First(c => c.Type == "access_token").Value));                  
            }
            return base.IsAuthorized(actionContext);
        }
    }

我什至尝试使用放在app.UseWebApi(ConfigureAPI()); 之后的 OWIN 中间件

public class UseCookieToBearerAuthentication : OwinMiddleware {
        public UseCookieToBearerAuthentication(OwinMiddleware next) : base(next) { }

        public async override Task Invoke(IOwinContext context) {
            //TODO Retrieve cookie name from somewhere like in FormsAuthentication.FormsCookieName          
            var cookies = context.Request.Cookies;
            var cookie = cookies.FirstOrDefault(c => c.Key == ".AspNet.Cookies");
            if (!cookie.Equals(default(KeyValuePair<string, string>))) {
                var ticket = cookie.Value;
                var unprotectedTicket = Startup.OAuthOptions.TicketDataFormat.Unprotect(ticket);
                context.Request.Headers.Add("Authorization", new string[]{
                    string.Format("Bearer {0}", unprotectedTicket.Identity.Claims.First(c => c.Type == "access_token").Value)
                });
            }
            await Next.Invoke(context);
        }
    }

那么,如何根据我的 Owin Cookie 中的访问令牌为我的 web api 实现令牌身份验证?

提前致谢。

【问题讨论】:

    标签: asp.net-web-api owin thinktecture-ident-server bearer-token


    【解决方案1】:

    问题在于 IdentityServerBearerTokenAuthenticationOptions 默认使用 AuthenticationMode = ValidationMode.ValidationEndpoint;,而默认使用 Microsoft.Owin.Security.AuthenticationMode.Active 并且不能被覆盖。

    所以我将 IdentityServerBearerTokenAuthenticationOptions 设置为 ValidationMode = ValidationMode.Local;AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive;,这很好,因为访问令牌是 JWT(自包含)。

    我还使用 OWIN 中间件从请求上的 cookie 中获取访问令牌,并将其设置在自动化标头上。

    public class UseCookieToBearerAuthentication : OwinMiddleware {
            public UseCookieToBearerAuthentication(OwinMiddleware next) : base(next) { }
    
    
    
        public async override Task Invoke(IOwinContext context) {
                    var x = Startup.OAuthOptions.CookieName;
                    var cookieName = string.Format("{0}{1}", CookieAuthenticationDefaults.CookiePrefix, CookieAuthenticationDefaults.AuthenticationType);
                    var cookies = context.Request.Cookies;
                    var cookie = cookies.FirstOrDefault(c => c.Key == ".AspNet.Cookies");
                    if (!cookie.Equals(default(KeyValuePair<string, string>))) {
                        var ticket = cookie.Value;
                        var unprotectedTicket = Startup.OAuthOptions.TicketDataFormat.Unprotect(ticket);
                        context.Request.Headers.Add("Authorization", new string[]{
                            string.Format("Bearer {0}", unprotectedTicket.Identity.Claims.First(c => c.Type == "access_token").Value)
                        });
                    }
                    await Next.Invoke(context);
                }
            }
    

    【讨论】:

    • 我们实际上希望摆脱用于 Web API 的 cookie - 这是一种反模式并且容易受到 CSRF 攻击。如果您绝对想使用 cookie,请使用 Web API 中的 cookie 中间件 - 否则不要使用 cookie 并通过显式身份验证正确执行 - leastprivilege.com/2015/04/01/…
    猜你喜欢
    • 1970-01-01
    • 2020-12-11
    • 2021-12-09
    • 2021-12-23
    • 2019-08-30
    • 1970-01-01
    • 2023-03-05
    • 2020-10-18
    • 2020-06-20
    相关资源
    最近更新 更多