【问题标题】:WebForm replace OAUTH2 implicit flow with Authorization CodeWebForm 用授权码替换 OAUTH2 隐式流
【发布时间】:2023-04-11 00:00:01
【问题描述】:

我想知道 ASP.NET 4.7 WebForm 应用程序是否可以使用带有代码交换证明密钥 (PKCE) 的授权代码流的 OAUTH 身份验证,以便不在客户端公开令牌。

这是目前在 Startup.Auth.cs 类中使用的代码:

using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.Notifications;
using Owin;
using System.Threading.Tasks;
using System.Web;

public partial class Startup 
{
    string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];
    string redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];
    static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];
    string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, System.Configuration.ConfigurationManager.AppSettings["Authority"], tenant);


    public void ConfigureAuth(IAppBuilder app)
    {
        var provider = new CookieAuthenticationProvider();
        provider.OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User>(
                            validateInterval: TimeSpan.FromMinutes(60),
                            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager));



        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        //Workaround for Katana bug #197
        app.UseKentorOwinCookieSaver();
        //******************************
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
            SlidingExpiration = true,
            ExpireTimeSpan = TimeSpan.FromMinutes(60),
            LoginPath = new PathString("/Account/Login"),
            CookieSecure = CookieSecureOption.Always,
            Provider = provider
        });
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);


        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
            // Sets the ClientId, authority, RedirectUri as obtained from web.config
            ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
            PostLogoutRedirectUri = redirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile,
            ResponseType = OpenIdConnectResponseType.IdToken,
            TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer = false
                },
            Notifications = new OpenIdConnectAuthenticationNotifications
                {

                AuthenticationFailed = OnAuthenticationFailed,
                    AuthorizationCodeReceived = (context) =>
                    {
                        return Task.FromResult(0);
                    },
                    SecurityTokenValidated = (context) =>
                    {
                        return Task.FromResult(0);
                    },
                    SecurityTokenReceived = (context) =>
                    {
                        return Task.FromResult(0);
                    }
                }
            }
        );
    }
    ...
}

有没有办法做到这一点,或者可能没有必要,因为“授权码”流程仅在单页应用程序中提高了安全性?

参考:https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use

【问题讨论】:

    标签: c# asp.net oauth-2.0 asp.net-identity


    【解决方案1】:

    应该可以正常工作 - 流程由 response_type 字段确定:

    • 隐式流将使用“token”或“token id_token”——看起来您并没有使用它。建议避免包含令牌,因为这会在 URL 中返回令牌并且它们可能会泄漏

    • 通过“代码”使用代码流 - 尽管我相信 MS 库可能会要求您使用“代码 id_token”的混合流。两者都是安全设计。

    单页应用程序需要 PKCE,因为它们不能存储客户端密码。对于您的服务器端应用程序,它不太重要,因为秘密不会向浏览器透露。我认为那些 MS 服务器端库不支持 PKCE。

    【讨论】:

      猜你喜欢
      • 2018-11-04
      • 2019-12-31
      • 1970-01-01
      • 2018-10-02
      • 1970-01-01
      • 2016-05-24
      • 1970-01-01
      • 1970-01-01
      • 2021-12-22
      相关资源
      最近更新 更多