owin认证的当前用户
我开始为移动应用程序构建一个web api,并且我很难实现身份validation。 我使用Bearer,虽然一切都应该没问题,但我无法让当前用户从控制器中获取动作。 HttpContext.Current.User.Identity.Name为null(同样是HttpContext.Current.User.Identity.GetUserId())的结果。 以下是重要代码:
Startup.cs:
public partial class Startup { public void Configuration(IAppBuilder app) { var config = new HttpConfiguration(); ConfigureAuth(app); WebApiConfig.Register(config); app.UseWebApi(config); } } Startup.Auth.cs
public partial class Startup { static Startup() { OAuthOptions = new OAuthAuthorizationServerOptions { TokenEndpointPath = new PathString("/token"), Provider = new ApplicationOAuthProvider(), AccessTokenExpireTimeSpan = TimeSpan.FromDays(1), AllowInsecureHttp = true }; OAuthBearerOptions = new OAuthBearerAuthenticationOptions(); } public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; } public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; } public static string PublicClientId { get; private set; } public void ConfigureAuth(IAppBuilder app) { app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions { AccessTokenProvider = new AuthenticationTokenProvider() }); app.UseOAuthBearerTokens(OAuthOptions); app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll); } }
ApplicationOAuthProvider.cs:
public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) { string clientId, clientSecret; if (!context.TryGetBasicCredentials(out clientId, out clientSecret)) { return SetErrorAndReturn(context, "client error", ""); } if (clientId == "secret" && clientSecret == "secret") { context.Validated(); return Task.FromResult(null); } return SetErrorAndReturn(context, "client error", ""); } public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" }); using (AuthRepository _repo = new AuthRepository()) { IdentityUser user = await _repo.FindUser(context.UserName, context.Password); if (user == null) { context.SetError("invalid_grant", "The user name or password is incorrect."); return; } } var identity = new ClaimsIdentity(context.Options.AuthenticationType); identity.AddClaim(new Claim("sub", context.UserName)); identity.AddClaim(new Claim("role", "user")); context.Validated(identity); } public override Task TokenEndpoint(OAuthTokenEndpointContext context) { foreach (KeyValuePair property in context.Properties.Dictionary) { context.AdditionalResponseParameters.Add(property.Key, property.Value); } return Task.FromResult(null); }
AuthRepository.cs:
public class AuthRepository : IDisposable { private readonly AuthContext _ctx; private readonly UserManager _userManager; public AuthRepository() { _ctx = new AuthContext(); _userManager = new UserManager(new UserStore(_ctx)); } public async Task RegisterUser(UserModel userModel) { var user = new IdentityUser { UserName = userModel.UserName }; var result = await _userManager.CreateAsync(user, userModel.Password); return result; } public async Task FindUser(string userName, string password) { IdentityUser user = await _userManager.FindAsync(userName, password); return user; } public void Dispose() { _ctx.Dispose(); _userManager.Dispose(); } }
AuthContext.cs:
public class AuthContext : IdentityDbContext { public AuthContext() : base("AuthContext") { } }
和finnaly ValuesController.cs:
[Authorize] public class ValuesController : ApiController { public IEnumerable Get() { return new String[] {HttpContext.Current.User.Identity.Name, HttpContext.Current.User.Identity.GetUserId(),ClaimsPrincipal.Current.Identity.Name}; } }
当我采取这个行动时,我得到3次无效。 尽管如此,整个身份validation过程似乎都很好 – 只有当我发送一个好的令牌时,我才有权访问。 有人知道这里有什么问题吗?
在方法GrantResourceOwnerCredentials上,在validation用户名密码后添加声明后,您需要添加此声明:
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
通过这样做,当您在受保护的控制器内调用User.Identity.Name时,将填充UserId。 希望这能解决您的问题。