asp.net – 为什么context.Request.Context.Authentication.Sign

现在我们要实现身份验证cookie以保护服务器上的静态资源.我确信还有其他百万种方法可以做到这一点,但是对资源的请求是直接链接到该资源的链接,所以我不能使用我的OAuth令牌或任何其他机制,这就是我们想要使用cookie的原因……浏览器已经发送它们,无需更改任何内容.

从我读过的所有内容中,可以使用OWIN管道进行承载令牌认证和Cookie认证.基本上,Web API将使用承载令牌,因为所有客户端都将提供,并且对服务器上的某些静态资源的请求将使用在所有请求上发送的Cookie.

我们的问题是,使用下面的代码永远不会生成auth cookie.在整个管道中,我从未在响应中看到set-cookie标头,这就是为什么我将Kentor Cookie Saver添加到管道中…它应该有所帮助.

WebApiConfig.cs

...
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
...

Startup.Auth.cs

...
app.USEOAuthBearerTokens(OAuthOptions);
// I was told this might help with my cookie problem...something to do with System.Web stripping Set-Cookie headers
app.UseKentorOwinCookieSaver();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
  AuthenticationType = Microsoft.Owin.Security.Cookies.CookieAuthenticationDefaults.AuthenticationType,AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,ExpireTimeSpan = TimeSpan.FromHours(4)
});
...

自定义OAuth提供程序

...
// Creates our claims and properties...keep in mind that token based authentication is working
CreatePropertiesAndClaims(acct,out properties,out claims);
if (IsAccountAuthorized(claims))
{
  AuthenticationProperties authProps = new AuthenticationProperties(properties);
  ClaimsIdentity claimsIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
  claimsIdentity.AddClaims(claims);

  AuthenticationTicket ticket = new AuthenticationTicket(claimsIdentity,authProps);
  context.Validated(ticket);

  ClaimsIdentity cookieIdentity = new ClaimsIdentity(claims,Microsoft.Owin.Security.Cookies.CookieAuthenticationDefaults.AuthenticationType);
  context.Request.Context.Authentication.SignIn(cookieIdentity);    // This should create the auth cookie!??!
}
else
{
  context.SetError("Unauthorized","You don't currently have authorization. Please contact support.");
}
...

请记住,基于令牌的身份验证正在运行,因此我假设它是配置设置丢失或配置错误,或者是管道排序问题.

谢谢！