如何将承载令牌与MVC 6 API一起使用?

时间:2015-02-13 21:59:44

标签: asp.net-identity asp.net-core asp.net-core-mvc bearer-token

我正在处理一些MVC 6和ASP.NET 5示例,我在查找有关使用承载令牌来保护API的任何有价值的文档时遇到了问题。我能够使这些样本与VS 2013,MVC 5一起工作,但我无法将这些示例移植到VS 2015和MVC 6.有没有人知道在MVC 6中实现承载令牌的任何好样本以保护API? / p>

3 个答案:

答案 0 :(得分:2)

为了使用承载令牌验证请求,您可以下拉Microsoft.AspNet.Security.OAuthBearer包。然后,您可以使用OAuthBearerAuthenticationMiddleware扩展方法将UseOAuthBearerAuthentication中间件添加到管道中。

示例:

public void Configure(IApplicationBuilder app)
{

    // ...

    app.UseOAuthBearerAuthentication(options =>
    {
        options.Audience = "Redplace-With-Real-Audience-Info";
        options.Authority = "Redplace-With-Real-Authority-Info";
    });
}

另外,请查看WebApp-WebAPI-OpenIdConnect-AspNet5示例。

答案 1 :(得分:2)

Asp.Net Core中没有生成承载令牌的中间件。您可以创建own solution或实施一些基于社区的方法,例如

答案 2 :(得分:0)

我使用MVC 6,OpenId和Aurelia前端框架实现了基于令牌的身份验证实现的单页面应用程序。 在Startup.cs中,Configure方法如下所示:

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{


    app.UseIISPlatformHandler();

    // Add a new middleware validating access tokens.
    app.UseJwtBearerAuthentication(options => {
        // Automatic authentication must be enabled
        // for SignalR to receive the access token.
        options.AutomaticAuthenticate = true;

        // Automatically disable the HTTPS requirement for development scenarios.
        options.RequireHttpsMetadata = !env.IsDevelopment();

        // Note: the audience must correspond to the address of the SignalR server.
        options.Audience = clientUri;

        // Note: the authority must match the address of the identity server.
        options.Authority = serverUri;

    });

    // Add a new middleware issuing access tokens.
    app.UseOpenIdConnectServer(options => {
        options.Provider = new AuthenticationProvider();
    });

    app.UseIISPlatformHandler(options => options.AuthenticationDescriptions.Clear());

    app.UseStaticFiles();

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
    });
}

身份验证提供程序的定义如下:

public class AuthenticationProvider : OpenIdConnectServerProvider
    {
        public override Task ValidateClientAuthentication(ValidateClientAuthenticationContext context)
        {
            if (context.ClientId == "AureliaNetAuthApp")
            {
                // Note: the context is marked as skipped instead of validated because the client
                // is not trusted (JavaScript applications cannot keep their credentials secret).
                context.Skipped();
            }

            else {
                // If the client_id doesn't correspond to the
                // intended identifier, reject the request.
                context.Rejected();
            }

            return Task.FromResult(0);
        }

        public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context)
        {
            var user = new { Id = "users-123", Email = "alex@123.com", Password = "AureliaNetAuth" };

            if (context.UserName != user.Email || context.Password != user.Password)
            {
                context.Rejected("Invalid username or password.");

                return Task.FromResult(0);
            }

            var identity = new ClaimsIdentity(OpenIdConnectDefaults.AuthenticationScheme);
            identity.AddClaim(ClaimTypes.NameIdentifier, user.Id, "id_token token");
            identity.AddClaim(ClaimTypes.Name, user.Email, "id_token token");

            context.Validated(new ClaimsPrincipal(identity));

            return Task.FromResult(0);
        }
    }

这定义了一个令牌端点,可以通过URL /connect/token到达。

所以要从客户端请求令牌,这里是javascript代码,取自authSvc.js中的AuthService

login(username, password) {
    var baseUrl = yourBaseUrl;

    var data = "client_id=" + yourAppClientId
               + "&grant_type=password"
               + "&username=" + username
               + "&password=" + password
               + "&resource=" + encodeURIComponent(baseUrl);

    return this.http.fetch(baseUrl + 'connect/token', {
        method: 'post',
        body : data
    });
}

这里可以看到完整的消息来源:

https://github.com/alexandre-spieser/AureliaAspNetCoreAuth

希望这有帮助,

最佳,

亚历