使用自定义验证的Web API 2 OAuth Bearer令牌

Question

使用自定义验证的Web API 2 OAuth Bearer令牌

authenticationoauth-2.0asp.net-web-api2

4

我对我的C# Web API 2服务有以下要求：

该服务通过电子邮件和临时验证码的组合来验证用户，作为身份验证因素。

我需要将此身份验证机制与生成OAuth令牌相结合，以保护服务并使用标准ASP.NET授权机制通过某种[Authorize]属性检查每个请求的令牌。

我已经成功实现了以下步骤：

1. 用户请求验证码 2. 系统生成并通过电子邮件向用户发送30天有效期的验证码 3. 用户使用电子邮件+验证码进行身份验证 4. 系统检查验证码的有效性

但我不确定如何开始实施剩余的步骤：

5. 如果验证码有效，则系统生成OAuth令牌 6. OAuth令牌的持续时间与验证码到期日期一样长 7. 使用ASP.NET Identity授权属性执行身份验证和授权检查 8. 使用OWIN安全和OAuth中间件创建令牌 9. 使用基于声明的授权并将声明序列化为令牌

引用的过程仅描述了使用ASP.NET Identity个人用户帐户作为身份验证手段，这不是我想要的身份验证方式。

http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api

我实际上需要通过检查电子邮件和验证码来进行身份验证。

- puri

1个回答

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- Julian Corrêa · Accepted Answer

我曾经在类似的情况下工作，并实现了一个身份验证过滤器 (IAuthenticationFilter) 和一个继承自 OAuthAuthorizationServerProvider 的自定义类。在我的情况下，我需要使用 OAuth 和旧令牌对请求进行身份验证。我相信在你的情况下，你需要自定义 AuthenticationFilter。以下是 AuthenticationFilter 的示例：

public class MyAuthenticationFilter : IAuthenticationFilter
{
    private readonly string _authenticationType;

    /// <summary>Initializes a new instance of the <see cref="HostAuthenticationFilter"/> class.</summary>
    /// <param name="authenticationType">The authentication type of the OWIN middleware to use.</param>
    public MyAuthenticationFilter(string authenticationType)
    {
        if (authenticationType == null)
        {
            throw new ArgumentNullException("authenticationType");
        }

        _authenticationType = authenticationType;
    }

    /// <summary>Gets the authentication type of the OWIN middleware to use.</summary>
    public string AuthenticationType
    {
        get { return _authenticationType; }
    }

    /// <inheritdoc />
    public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        if (context == null)
        {
            throw new ArgumentNullException("context");
        }

        HttpRequestMessage request = context.Request;

        if (request == null)
        {
            throw new InvalidOperationException("Request mut not be null");
        }


        //In my case, i need try autenticate the request with BEARER token (Oauth)
        IAuthenticationManager authenticationManager = GetAuthenticationManagerOrThrow(request);

        cancellationToken.ThrowIfCancellationRequested();
        AuthenticateResult result = await authenticationManager.AuthenticateAsync(_authenticationType);
        ClaimsIdentity identity = null;

        if (result != null)
        {
            identity = result.Identity;

            if (identity != null)
            {
                context.Principal = new ClaimsPrincipal(identity);
            }
        }
        else
        {
            //If havent success with oauth authentication, I need locate the legacy token
//If dont exists the legacy token, set error (will generate http 401)
            if (!request.Headers.Contains("legacy-token-header"))
                context.ErrorResult = new AuthenticationFailureResult(Resources.SAUTH_ERROR_LEGACYTOKENNOTFOUND, request);
            else
            {
                try
                {
                    var queryString = request.GetQueryNameValuePairs();
                    if (!queryString.Any(x => x.Key == "l"))
                        context.ErrorResult = new AuthenticationFailureResult(Resources.SAUTH_ERROR_USERTYPENOTFOUND, request);
                    else
                    {
                        var userType = queryString.First(x => x.Key == "l").Value;
                        String token = HttpUtility.UrlDecode(request.Headers.GetValues("tk").First());

                        identity = TokenLegacy.ValidateToken(token, userType);
                        identity.AddClaims(userType, (OwinRequest) ((OwinContext)context.Request.Properties["MS_OwinContext"]).Request);
                        if (identity != null)
                        {
                            context.Principal = new ClaimsPrincipal(identity);
                        }
                    }

                }
                catch (Exception e)
                {
                    context.ErrorResult = new AuthenticationFailureResult(e.Message, request);
                }
            }
        }
    }


    /// <inheritdoc />
    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        if (context == null)
        {
            throw new ArgumentNullException("context");
        }

        HttpRequestMessage request = context.Request;

        if (request == null)
        {
            throw new InvalidOperationException("Request mut not be null");
        }

        IAuthenticationManager authenticationManager = GetAuthenticationManagerOrThrow(request);

        // Control the challenges that OWIN middleware adds later.
        authenticationManager.AuthenticationResponseChallenge = AddChallengeAuthenticationType(
            authenticationManager.AuthenticationResponseChallenge, _authenticationType);

        return TaskHelpers.Completed();
    }

    /// <inheritdoc />
    public bool AllowMultiple
    {
        get { return true; }
    }

    private static AuthenticationResponseChallenge AddChallengeAuthenticationType(
        AuthenticationResponseChallenge challenge, string authenticationType)
    {
        Contract.Assert(authenticationType != null);

        List<string> authenticationTypes = new List<string>();
        AuthenticationProperties properties;

        if (challenge != null)
        {
            string[] currentAuthenticationTypes = challenge.AuthenticationTypes;

            if (currentAuthenticationTypes != null)
            {
                authenticationTypes.AddRange(currentAuthenticationTypes);
            }

            properties = challenge.Properties;
        }
        else
        {
            properties = new AuthenticationProperties();
        }

        authenticationTypes.Add(authenticationType);

        return new AuthenticationResponseChallenge(authenticationTypes.ToArray(), properties);
    }

    private static IAuthenticationManager GetAuthenticationManagerOrThrow(HttpRequestMessage request)
    {
        Contract.Assert(request != null);

        var owinCtx = request.GetOwinContext();
        IAuthenticationManager authenticationManager = owinCtx != null ? owinCtx.Authentication : null;

        if (authenticationManager == null)
        {
            throw new InvalidOperationException("IAuthenticationManagerNotAvailable");
        }

        return authenticationManager;
    }
}

在WebApiConfig.cs中，您需要添加以下身份验证过滤器：

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Web API configuration and services
        // Configure Web API to use only bearer token authentication.
        config.SuppressDefaultHostAuthentication();

        config.Filters.Add(new MyAuthenticationFilter(OAuthDefaults.AuthenticationType));
     }
}

我建议阅读官方WEB API海报：

https://www.asp.net/media/4071077/aspnet-web-api-poster.pdf