Question

我正在尝试使用支持资源所有者密码凭据流的自定义OAuth2授权服务器。授权服务器是IIS7.5中托管的WebAPI应用程序。

我已经配置了启动类，我注册了自定义OAuthServerProvider（AtcAuthorizationServerProvider）。

[assembly: OwinStartup(typeof(ATC.WebApi.AuthorizationServer.Startup))]

namespace ATC.WebApi.AuthorizationServer
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureOAuth(app);

            HttpConfiguration config = new HttpConfiguration();
            WebApiConfig.Register(config);
            app.UseWebApi(config);

            app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
        }

        public void ConfigureOAuth(IAppBuilder app)
        {
            OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
            {
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
                Provider = new AtcAuthorizationServerProvider(),
                RefreshTokenProvider = new AtcRefreshTokenProvider(),
                AuthenticationMode = AuthenticationMode.Passive
            };

            // Token Generation
            app.UseOAuthAuthorizationServer(OAuthServerOptions);
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions(){});
        }
    }
}

在我的自定义提供程序类中，我重写了ValidateClientAuthentication（）函数，我接受两种客户端凭据接收方式（在Body和Authorization标头中）。

public class AtcAuthorizationServerProvider : OAuthAuthorizationServerProvider
    {
        public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            string clientId = string.Empty;
            string clientSecret = string.Empty;

            // get client credentials from header or from body
            if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            {
                context.TryGetFormCredentials(out clientId, out clientSecret);
            }
//rest of code

当我在body中发送client_id和client_secret时，一切正常。

POST /ATC.WebApi.AuthorizationServer/token HTTP/1.1
Host: localhost
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=password&password=123456&username=myUser&client_id=myClient&client_secret=123%40abc

我成功获得了访问令牌。

{
  "access_token": "3Fk_Ps10i45uL0zeCzIpvEh2WHKE8iJVNtKJ2XGWcQWXsT9jllKf...",
  "token_type": "bearer",
  "expires_in": 1799,
  "refresh_token": "4c1097d17dd14df5ac1c5842e089a88e",
  "as:client_id": "myClient"
}

但是，如果我使用在Authorization标头中传递client_id和client_secret的DotNetOpenAuth.OAuth2.WebServerClient，我将收到 401.1 - 未经授权的 HTTP响应。我发现不会触发ValidateClientAuthentication（）。

请求比看起来像这样：

POST /ATC.WebApi.AuthorizationServer/token HTTP/1.1
Host: localhost
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic C16b34lUjEyM0BhYmM=
Cache-Control: no-cache

grant_type=password&password=123456&username=myUser

问题是如何说服OWIN中间件在这种情况下解雇我的自定义提供程序？

Answer 1

嗯，我终于找到了麻烦的地方。我的IIS中允许进行基本身份验证，因此IIS收到请求并尝试验证用户失败并且IIS立即返回401 Unauthorized。所以我的OWIN中间件甚至没有收到处理请求。

自定义OAuth2服务器返回401 - Unathorized

1 个答案: