Refreshing tokens with bearer token authentication on ASP.NET vNext
Published: 2020-12-16 09:55:43 Category: asp.Net Source: compiled from the web
I have an angularJS application on asp.net vnext that uses JwtBearerAuthentication for authentication. To authenticate against the application I use AspNet.Security.OpenIdConnect.Server. When I log in, I receive a json response containing an access_token that I can use for authorized requests. I would like to also receive a refresh token. How is this possible?

Startup.cs

```csharp
public void Configure(IApplicationBuilder app)
{
    // Resource server side: validate incoming bearer tokens against the authority's metadata.
    app.UseJwtBearerAuthentication(options =>
    {
        options.AutomaticAuthenticate = true;
        options.AutomaticChallenge = true;
        options.TokenValidationParameters.ValidateAudience = false;
        options.Authority = Configuration.Get<string>("OAuth:Authority");
        options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            metadataAddress: options.Authority + ".well-known/openid-configuration",
            configRetriever: new OpenIdConnectConfigurationRetriever(),
            docRetriever: new HttpDocumentRetriever() { RequireHttps = false });
    });

    // Authorization server side (ASOS): issues the tokens.
    app.UseOpenIdConnectServer(configuration =>
    {
        configuration.Issuer = new Uri(Configuration.Get<string>("OpenId:Issuer"));
        configuration.AllowInsecureHttp = true;
        configuration.AuthorizationEndpointPath = PathString.Empty;
        configuration.AuthenticationScheme = OpenIdConnectServerDefaults.AuthenticationScheme;
        configuration.Provider = new AuthorizationProvider();
    });
}
```

AuthorizationProvider.cs

```csharp
public class AuthorizationProvider : OpenIdConnectServerProvider
{
    public override Task ValidateClientAuthentication(ValidateClientAuthenticationContext context)
    {
        context.Skipped();
        return Task.FromResult<object>(null);
    }

    public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context)
    {
        string username = context.UserName;
        string password = context.Password;
        UserManager<ApplicationUser> userManager =
            context.HttpContext.RequestServices.GetRequiredService<UserManager<ApplicationUser>>();
        ApplicationUser user = userManager.FindByNameAsync(username).Result;

        if (userManager.CheckPasswordAsync(user, password).Result)
        {
            ClaimsIdentity identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
            identity.AddClaim(ClaimTypes.Name, username, "token id_token");

            List<string> roles = userManager.GetRolesAsync(user).Result.ToList();
            foreach (string role in roles)
            {
                identity.AddClaim(ClaimTypes.Role, role, "token id_token");
            }

            ClaimsPrincipal principal = new ClaimsPrincipal(identity);
            context.Validated(principal);
        }
        else
        {
            context.Rejected("invalid credentials");
        }

        return Task.FromResult<object>(null);
    }
}
```

AngularJS login code

```javascript
$http({
    method: 'POST',
    url: 'connect/token',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' },
    data: $.param({ grant_type: 'password', username: email, password: password })
}).then(function (response) {
    if (response.status == 200) {
        var token = response.data.access_token;
        localStorage.setItem('token', token);
    }
});
```

Solution
Unlike OAuthAuthorizationServerMiddleware, ASOS offers built-in support for refresh tokens: you don't have to create your own token provider for that.

Note that starting with ASOS beta3 (released in October 2015), you now have to request and grant the offline_access scope to retrieve a refresh token, as recommended by the OpenID Connect specs: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/128

You need to update GrantResourceOwnerCredentials to allow ASOS to issue a refresh token to your client application:

```csharp
public override async Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context)
{
    string username = context.UserName;
    string password = context.Password;
    UserManager<ApplicationUser> userManager =
        context.HttpContext.RequestServices.GetRequiredService<UserManager<ApplicationUser>>();
    ApplicationUser user = await userManager.FindByNameAsync(username);

    if (await userManager.CheckPasswordAsync(user, password))
    {
        ClaimsIdentity identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
        // The destinations control which tokens (access token, identity token) carry the claim.
        identity.AddClaim(ClaimTypes.Name, username,
            OpenIdConnectConstants.Destinations.AccessToken,
            OpenIdConnectConstants.Destinations.IdentityToken);

        foreach (string role in await userManager.GetRolesAsync(user))
        {
            identity.AddClaim(ClaimTypes.Role, role,
                OpenIdConnectConstants.Destinations.AccessToken,
                OpenIdConnectConstants.Destinations.IdentityToken);
        }

        AuthenticationTicket ticket = new AuthenticationTicket(
            new ClaimsPrincipal(identity),
            new AuthenticationProperties(),
            context.Options.AuthenticationScheme);

        // Call SetResources with the list of resource servers
        // the access token should be issued for.
        ticket.SetResources("resource_server_1");

        // Only grant the "offline_access" scope
        // if it was requested by the client application:
        List<string> scopes = new List<string>();
        if (context.Request.HasScope("offline_access"))
        {
            scopes.Add("offline_access");
        }

        // Call SetScopes with the list of scopes you want to grant.
        ticket.SetScopes(scopes);

        context.Validate(ticket);
    }
    else
    {
        context.Reject("invalid credentials");
    }
}
```

... and the Angular code to specify the scope parameter:

```javascript
$http({
    method: 'POST',
    url: 'connect/token',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' },
    data: $.param({ grant_type: 'password', username: email, password: password, scope: 'offline_access' })
}).then(function (response) {
    if (response.status == 200) {
        var token = response.data.access_token;
        var refreshToken = response.data.refresh_token;
        localStorage.setItem('token', token);
        localStorage.setItem('refresh_token', refreshToken);
    }
});
```

To retrieve a new access token, use the refresh_token grant:

```javascript
$http({
    method: 'POST',
    url: 'connect/token',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' },
    data: $.param({ grant_type: 'refresh_token', refresh_token: refreshToken })
}).then(function (response) {
    if (response.status == 200) {
        var token = response.data.access_token;
        localStorage.setItem('token', token);
    }
});
```