logo标签列表

如何使用刷新令牌更新访问令牌?

c#oauth-2.0asp.net-mvc-5google-oauthowin
15

我正在使用ASP.NET MVC 5OWIN

我已经做了很多研究,但没有找到如何使用刷新令牌更新访问令牌的方法。

我的场景是:当用户第一次访问我的应用程序时,他或她授权我读取API返回的刷新令牌。当用户再次访问我的应用程序时,我需要根据“刷新令牌”刷新访问令牌。

是否有人能提供一些代码?

以下是我目前所实现的内容:

Startup.Auth.cs:

    var googleOAuth2AuthenticationOptions = new GoogleOAuth2AuthenticationOptions
    {
        Caption = "Google+",
        ClientId = Parameters.Instance.Authentication.oAuth.GooglePlus.ClientId,
        ClientSecret = Parameters.Instance.Authentication.oAuth.GooglePlus.ClientSecret,
        CallbackPath = new PathString("/oauth-login-return"),
        Provider = new GoogleOAuth2AuthenticationProvider
        {
            OnAuthenticated = async context =>
            {
                context.Identity.AddClaim(new Claim(ClaimTypes.Name, context.Identity.FindFirstValue(ClaimTypes.Name)));
                context.Identity.AddClaim(new Claim(ClaimTypes.Email, context.Identity.FindFirstValue(ClaimTypes.Email)));
                context.Identity.AddClaim(new Claim("picture", context.User.GetValue("picture").ToString()));
                context.Identity.AddClaim(new Claim("profile", context.User.GetValue("profile").ToString()));
                context.Identity.AddClaim(
                    new Claim(Parameters.Instance.Authentication.oAuth.GooglePlus.AccessTokenClaimType,
                        context.AccessToken));
            }
        }
    };
    googleOAuth2AuthenticationOptions.Scope.Add("https://www.googleapis.com/auth/plus.login");
    googleOAuth2AuthenticationOptions.Scope.Add("https://www.googleapis.com/auth/userinfo.email");

认证控制器:

[HttpPost]
[AllowAnonymous]
public ActionResult ExternalLogin(string provider, string returnUrl)
{
    RedirectIfAuthenticated();

    return new ChallengeResult(provider, Url.Content("~/oauth-login-callback"));
}

[ActionName("oauth-login-back")]
public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
{
}

// Used for XSRF protection when adding external logins
private const string XsrfKey = "XsrfId";

private IAuthenticationManager AuthenticationManager
{
    get
    {
        return HttpContext.GetOwinContext().Authentication;
    }
}

private class ChallengeResult : HttpUnauthorizedResult
{
    public ChallengeResult(string provider, string redirectUri)
        : this(provider, redirectUri, null)
    {
    }

    private ChallengeResult(string provider, string redirectUri, string userId)
    {
        LoginProvider = provider;
        RedirectUri = redirectUri;
        UserId = userId;
    }

    private string LoginProvider { get; set; }

    private string RedirectUri { get; set; }

    private string UserId { get; set; }

    public override void ExecuteResult(ControllerContext context)
    {
        var properties = new AuthenticationProperties { RedirectUri = RedirectUri };
        if (UserId != null)
        {
            properties.Dictionary[XsrfKey] = UserId;
        }
        context.HttpContext.GetOwinContext().Authentication.Challenge(properties, LoginProvider);
    }
}
你是如何获取OAuth Bearer令牌的? - Erik Philips
@ErikPhilips 我插入了一些代码摘录,请检查一下。 - Marco Alves
可能是OWIN安全性 - 如何实现OAuth2刷新令牌的重复问题。 - Erik Philips
1
@erikphilips 抱歉,Erik,但是我在阅读了那个链接之后还是没有理解重点。我是否应该构建一个OAuth身份验证提供程序,而我正在使用OWIN GOOGLE?谢谢。 - Marco Alves
1
@ErikPhilips 请检查我的答案。 - Marco Alves
2个回答
25

这个问题绝对不是重复的。我希望这能帮助其他人不要像我一样浪费几天时间。

经过将近4天的努力,我找到了如何在使用OWIN时获取Google API的新访问令牌。

我将发布解决方案,但首先,我必须说的是,帮助我开始理解错误的是设置Katana项目的调试符号。请参阅此链接: http://www.symbolsource.org/Public/Home/VisualStudio

这张图片展示了如何配置调试符号服务器。 enter image description here

而这张图片则显示了加载了Katana调试符号。 enter image description here

之后,我发现我的问题是Google API返回了403:禁止访问

"未启用访问权限。请使用Google Developers控制台为您的项目激活API"

随后,在stackoverflow上找到了这篇文章: "Access Not Configured. Please use Google Developers Console to activate the API for your project."

更具体地说,是这篇回答:https://dev59.com/1mEi5IYBdhLWcg3wueN0#24401189

之后,我进入Google Developers控制台并设置了Google+ API

然后,瞧!它起作用了。

现在,这里是获取新访问令牌的代码(我没有找到使用OWIN API实现它的方法)。

public static class TokenValidator
{
    /// <summary>
    /// Obtém um novo access token na API do google.
    /// </summary>
    /// <param name="clientId"></param>
    /// <param name="clientSecret"></param>
    /// <param name="refreshToken"></param>
    /// <returns></returns>
    public static GoogleRefreshTokenModel ValidateGoogleToken(string clientId, string clientSecret, string refreshToken)
    {
        const string url = "https://accounts.google.com/o/oauth2/token";

        var parameters = new List<KeyValuePair<string, string>>
        {
            new KeyValuePair<string, string>("client_id", clientId),
            new KeyValuePair<string, string>("client_secret", clientSecret),
            new KeyValuePair<string, string>("grant_type", "refresh_token"),
            new KeyValuePair<string, string>("refresh_token", refreshToken)
        };

        var content = GetContentAsync(url, "POST",  parameters);

        var token = JsonConvert.DeserializeObject<GoogleRefreshTokenModel>(content);

        return token;
    }

    private static string GetContentAsync(string url, 
        string method = "POST",
        IEnumerable<KeyValuePair<string, string>> parameters = null)
    {
        return method == "POST" ? PostAsync(url, parameters) : GetAsync(url, parameters);
    }

    private static string PostAsync(string url, IEnumerable<KeyValuePair<string, string>> parameters = null)
    {
        var uri = new Uri(url);

        var request = WebRequest.Create(uri) as HttpWebRequest;
        request.Method = "POST";
        request.KeepAlive = true;
        request.ContentType = "application/x-www-form-urlencoded";

        var postParameters = GetPostParameters(parameters);

        var bs = Encoding.UTF8.GetBytes(postParameters);
        using (var reqStream = request.GetRequestStream())
        {
            reqStream.Write(bs, 0, bs.Length);
        }

        using (var response = request.GetResponse())
        {
            var sr = new StreamReader(response.GetResponseStream());
            var jsonResponse = sr.ReadToEnd();
            sr.Close();

            return jsonResponse;
        }
    }

    private static string GetPostParameters(IEnumerable<KeyValuePair<string, string>> parameters = null)
    {
        var postParameters = string.Empty;
        foreach (var parameter in parameters)
        {
            postParameters += string.Format("&{0}={1}", parameter.Key,
                HttpUtility.HtmlEncode(parameter.Value));
        }
        postParameters = postParameters.Substring(1);

        return postParameters;
    }

    private static string GetAsync(string url, IEnumerable<KeyValuePair<string, string>> parameters = null)
    {
        url += "?" + GetQueryStringParameters(parameters);

        var forIdsWebRequest = WebRequest.Create(url);
        using (var response = (HttpWebResponse)forIdsWebRequest.GetResponse())
        {
            using (var data = response.GetResponseStream())
            using (var reader = new StreamReader(data))
            {
                var jsonResponse = reader.ReadToEnd();

                return jsonResponse;
            }
        }
    }

    private static string GetQueryStringParameters(IEnumerable<KeyValuePair<string, string>> parameters = null)
    {
        var queryStringParameters = string.Empty;
        foreach (var parameter in parameters)
        {
            queryStringParameters += string.Format("&{0}={1}", parameter.Key,
                HttpUtility.HtmlEncode(parameter.Value));
        }
        queryStringParameters = queryStringParameters.Substring(1);

        return queryStringParameters;
    }
}

重要提示1: 要获取刷新令牌,您必须在 "ExecuteResult" 方法中设置 "access_type" 为 "offline",如下所示:

properties.Dictionary["access_type"] = "offline";

重要提示2:获得刷新令牌后,必须将其存储在某个安全来源中。除非在调用该行(在相同的方法中)之前将“approval_prompt”设置为“force”,否则Google API不会向您发放新的刷新令牌:

context.HttpContext.GetOwinContext().Authentication.Challenge(properties, LoginProvider);

我也建议您参考以下内容:

Google API 离线访问

Google OAUTH 2.0 沙盒

Google API 探索检查

3
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接