WebApi ASP.NET Identity Facebook login
In the Facebook authentication flow used with ASP.NET Identity, the Facebook OAuth dialog appends a code, rather than an access token, to the redirect_url, so that the server can exchange this code for an access token via http://localhost:49164/signin-facebook?code=…&state=….

My problem is that my client is a mobile app that uses the Facebook SDK, which gives me an access token directly. Facebook says that using the SDK always gives you an access token, so can I hand the Web API the access token directly? I understand that this is not very secure, but is it possible?

Solution:
I don't know whether you finally found a solution, but I wanted to do something very similar and I'm still putting the pieces of the puzzle together.

I tried to post this as a comment rather than an answer, since I'm not offering a real solution, but it was too long. Apparently all the WebAPI Owin OAuth options are browser-based, that is, they require a lot of browser redirect requests and are not suitable for native mobile apps (my case). Using the information returned by the Graph call, you can check whether the user is already registered.

EDIT / UPDATE:

```csharp
public partial class Startup
{
    /// <summary>
    /// This part has been added to have an API endpoint to authenticate users that accept a Facebook access token
    /// </summary>
    static Startup()
    {
        PublicClientId = "self";

        //UserManagerFactory = () => new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));
        UserManagerFactory = () =>
        {
            var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()));
            userManager.UserValidator = new UserValidator<ApplicationUser>(userManager)
            {
                AllowOnlyAlphanumericUserNames = false
            };
            return userManager;
        };

        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            // Lets bearer tokens travel over plain HTTP; acceptable for local development only
            AllowInsecureHttp = true
        };

        // The bearer middleware reuses the authorization server's token format and provider settings
        OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
        OAuthBearerOptions.AccessTokenFormat = OAuthOptions.AccessTokenFormat;
        OAuthBearerOptions.AccessTokenProvider = OAuthOptions.AccessTokenProvider;
        OAuthBearerOptions.AuthenticationMode = OAuthOptions.AuthenticationMode;
        OAuthBearerOptions.AuthenticationType = OAuthOptions.AuthenticationType;
        OAuthBearerOptions.Description = OAuthOptions.Description;
        OAuthBearerOptions.Provider = new CustomBearerAuthenticationProvider();
        OAuthBearerOptions.SystemClock = OAuthOptions.SystemClock;
    }

    public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
    public static Func<UserManager<ApplicationUser>> UserManagerFactory { get; set; }
    public static string PublicClientId { get; private set; }

    // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
    public void ConfigureAuth(IAppBuilder app)
    {
        // [Initial boilerplate code]
        OAuthBearerAuthenticationExtensions.UseOAuthBearerAuthentication(app, OAuthBearerOptions);
        // [More boilerplate code]
    }
}

public class CustomBearerAuthenticationProvider : OAuthBearerAuthenticationProvider
{
    public override Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        // Only accept tickets whose claims were all issued by the FacebookLogin action below
        var claims = context.Ticket.Identity.Claims;
        if (claims.Count() == 0 || claims.Any(claim => claim.Issuer != "Facebook" && claim.Issuer != "LOCAL_AUTHORITY"))
            context.Rejected();
        return Task.FromResult<object>(null);
    }
}
```

Into AccountController I added the following action:

```csharp
[HttpPost]
[AllowAnonymous]
[Route("FacebookLogin")]
public async Task<IHttpActionResult> FacebookLogin(string token)
{
    // [Code to validate input...]
    var tokenExpirationTimeSpan = TimeSpan.FromDays(14);
    ApplicationUser user = null;

    // Get the fb access token and make a graph call to the /me endpoint
    // Check if the user is already registered
    // If yes retrieve the user
    // If not, register it

    // Finally sign-in the user: this is the key part of the code that creates the bearer token and authenticates the user
    var identity = new ClaimsIdentity(Startup.OAuthBearerOptions.AuthenticationType);
    identity.AddClaim(new Claim(ClaimTypes.Name, user.Id, null, "Facebook"));
    // This claim is used to correctly populate user id
    // (value is the user id, "LOCAL_AUTHORITY" is the issuer checked by CustomBearerAuthenticationProvider)
    identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id, null, "LOCAL_AUTHORITY"));
    AuthenticationTicket ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
    var currentUtc = new Microsoft.Owin.Infrastructure.SystemClock().UtcNow;
    ticket.Properties.IssuedUtc = currentUtc;
    ticket.Properties.ExpiresUtc = currentUtc.Add(tokenExpirationTimeSpan);
    var accesstoken = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);
    Authentication.SignIn(identity);

    // Create the response, mirroring the shape of the /Token endpoint's response
    JObject blob = new JObject(
        new JProperty("userName", user.UserName),
        new JProperty("access_token", accesstoken),
        new JProperty("token_type", "bearer"),
        new JProperty("expires_in", tokenExpirationTimeSpan.TotalSeconds.ToString()),
        new JProperty(".issued", ticket.Properties.IssuedUtc.ToString()),
        new JProperty(".expires", ticket.Properties.ExpiresUtc.ToString())
    );
    var json = Newtonsoft.Json.JsonConvert.SerializeObject(blob);
    // Return OK
    return Ok(blob);
}
```

That's it. The only difference I found from the classic /Token endpoint response is that the bearer token is slightly shorter, and the expiry and issue dates are in UTC rather than GMT (at least on my machine). I hope this helps!
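The answer above leaves the Graph call, and with it the question of whether the client-supplied token can be trusted at all, as comments inside FacebookLogin. The following is an added example, not part of the original question or answer: before looking up or creating the user, it introspects the token with Facebook's debug_token endpoint (authenticated with the app access token "app_id|app_secret") and rejects tokens that are invalid, expired, or issued to a different Facebook app, then fetches /me with an appsecret_proof and checks that the profile belongs to the same user the introspection reported. The class and method names (FacebookTokenValidator, FacebookProfile, CheckDebugTokenResponse, AppSecretProof) and the appId/appSecret parameters are assumptions; the Graph endpoints and the is_valid, app_id, expires_at and user_id fields are Facebook's documented ones.

```csharp
// Added example, not part of the original answer: server-side validation of a Facebook
// access token handed over by a mobile client, for the "make a graph call" step of
// FacebookLogin. Assumed names: FacebookTokenValidator, FacebookProfile,
// CheckDebugTokenResponse, AppSecretProof; appId/appSecret come from your own configuration.
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public class FacebookProfile
{
    public string Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }   // null unless the token was granted the "email" permission
}

public class FacebookTokenValidator
{
    private static readonly HttpClient Http = new HttpClient();
    private readonly string _appId;
    private readonly string _appSecret;

    public FacebookTokenValidator(string appId, string appSecret)
    {
        _appId = appId;
        _appSecret = appSecret;
    }

    // Decision logic over a /debug_token response, separated from the HTTP call so it can be
    // unit-tested with a constructed JObject. Returns the Facebook user id, or null to reject.
    public static string CheckDebugTokenResponse(JObject response, string expectedAppId, DateTimeOffset now)
    {
        var data = response["data"] as JObject;
        if (data == null) return null;

        // Facebook marks revoked, expired or malformed tokens with is_valid == false.
        if (!((bool?)data["is_valid"] ?? false)) return null;

        // A token issued to a different Facebook app must not log anyone into this API:
        // any app the victim has authorised could otherwise mint a login for them here.
        if (!string.Equals((string)data["app_id"], expectedAppId, StringComparison.Ordinal)) return null;

        // expires_at is a Unix timestamp; Facebook uses 0 for tokens that never expire.
        var expiresAt = (long?)data["expires_at"] ?? 0;
        if (expiresAt != 0 && DateTimeOffset.FromUnixTimeSeconds(expiresAt) <= now) return null;

        var userId = (string)data["user_id"];
        return string.IsNullOrEmpty(userId) ? null : userId;
    }

    // Hex HMAC-SHA256 of the user token keyed with the app secret. With "Require App Secret"
    // enabled in the Facebook app settings, Graph rejects calls that lack it, so a user token
    // leaked from the device is useless without the server-held secret.
    public string AppSecretProof(string userToken)
    {
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(_appSecret)))
        {
            var mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(userToken));
            return BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
        }
    }

    private static async Task<JObject> GetJsonAsync(string url)
    {
        using (var resp = await Http.GetAsync(url))
        {
            // Graph answers invalid tokens with HTTP 400 and an "error" object; treat both as a rejection.
            if (!resp.IsSuccessStatusCode) return null;
            var body = JObject.Parse(await resp.Content.ReadAsStringAsync());
            return body["error"] == null ? body : null;
        }
    }

    // Introspects the token, then fetches /me and checks it describes the same user that
    // debug_token attributed the token to. Returns null on any failure.
    public async Task<FacebookProfile> ValidateAsync(string userToken)
    {
        if (string.IsNullOrWhiteSpace(userToken)) return null;

        // Introspection is authenticated with the app access token "app_id|app_secret",
        // never with the user token under inspection.
        var appToken = _appId + "|" + _appSecret;
        var debug = await GetJsonAsync("https://graph.facebook.com/debug_token?input_token="
            + Uri.EscapeDataString(userToken) + "&access_token=" + Uri.EscapeDataString(appToken));
        if (debug == null) return null;

        var userId = CheckDebugTokenResponse(debug, _appId, DateTimeOffset.UtcNow);
        if (userId == null) return null;

        var me = await GetJsonAsync("https://graph.facebook.com/me?fields=id,name,email&access_token="
            + Uri.EscapeDataString(userToken) + "&appsecret_proof=" + AppSecretProof(userToken));
        if (me == null || (string)me["id"] != userId) return null;

        return new FacebookProfile { Id = userId, Name = (string)me["name"], Email = (string)me["email"] };
    }
}
```

In FacebookLogin this replaces the commented-out Graph step: `var profile = await validator.ValidateAsync(token); if (profile == null) return Unauthorized();`, after which the user is looked up by the Facebook user id (for example through an external login stored as `new UserLoginInfo("Facebook", profile.Id)`) and created if absent. Match on the Facebook id rather than on the email address: email is only present when the token carries that permission, and a Facebook account's email can change. Since the access token in the response is a bearer credential, the `AllowInsecureHttp = true` setting from the answer's Startup should stay a development-only choice; serve the FacebookLogin endpoint over HTTPS only.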