Getting an access token in ASP.NET 5

My ASP.NET 5 (MVC 6 + beta7) web application (MVC + WebAPI) needs to obtain an access_token from a WebAPI login call.

So far, from googling, I have put the following code in startup.cs:

    app.UseOAuthBearerAuthentication(options =>
    {
        options.AutomaticAuthentication = true;
        options.Audience = "http://localhost:62100/";
        options.Authority = "http://localhost:62100/";
    });

My client side is:

    var login = function () {
        var url = "http://localhost:62100/";
        var data = $("#userData").serialize();
        data = data + "&grant_type=password";
        $.post(url, data)
            .success(saveAccessToken)
            .always(showResponse);
        return false;
    };

Do I need to use UseOpenIdConnectServer? If so, how do I use SigningCredentials so that I get a token (like the MVC5 ApplicationOAuthProvider)?

Note that my site is a simple demo HTTP site; I don't need any SSL.

Do I need to use UseOpenIdConnectServer?

Using AspNet.Security.OpenIdConnect.Server is not "required". You're of course free to choose another server (like IdentityServer) or a custom solution. As the main developer behind aspnet-contrib, I'm not very objective, so I'd definitely recommend using app.UseOpenIdConnectServer().

If so, how do I use SigningCredentials so that I get a token (like the MVC5 ApplicationOAuthProvider)?

Registering a signing key/certificate is not required when implementing the password flow and using the default token type.

Here's how to get started:

ASP.NET Core 1.x:

Startup.cs

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication();
        }

        public void Configure(IApplicationBuilder app)
        {
            // Add a new middleware validating the encrypted
            // access tokens issued by the OIDC server.
            app.UseOAuthValidation();

            // Add a new middleware issuing tokens.
            app.UseOpenIdConnectServer(options =>
            {
                options.TokenEndpointPath = "/connect/token";

                // Override OnValidateTokenRequest to skip client authentication.
                options.Provider.OnValidateTokenRequest = context =>
                {
                    // Reject the token requests that don't use
                    // grant_type=password or grant_type=refresh_token.
                    if (!context.Request.IsPasswordGrantType() &&
                        !context.Request.IsRefreshTokenGrantType())
                    {
                        context.Reject(
                            error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
                            description: "Only grant_type=password and refresh_token " +
                                         "requests are accepted by this server.");

                        return Task.FromResult(0);
                    }

                    // Since there's only one application and since it's a public client
                    // (ie a client that cannot keep its credentials private),
                    // call Skip() to inform the server the request should be
                    // accepted without enforcing client authentication.
                    context.Skip();

                    return Task.FromResult(0);
                };

                // Override OnHandleTokenRequest to support
                // grant_type=password token requests.
                options.Provider.OnHandleTokenRequest = context =>
                {
                    // Only handle grant_type=password token requests and let the
                    // OpenID Connect server middleware handle the other grant types.
                    if (context.Request.IsPasswordGrantType())
                    {
                        // Do your credentials validation here.
                        // Note: you can call Reject() with a message
                        // to indicate that authentication failed.

                        var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
                        identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "[unique id]");

                        // By default, claims are not serialized
                        // in the access and identity tokens.
                        // Use the overload taking a "destinations"
                        // parameter to make sure your claims
                        // are correctly inserted in the appropriate tokens.
                        identity.AddClaim("urn:customclaim", "value",
                            OpenIdConnectConstants.Destinations.AccessToken,
                            OpenIdConnectConstants.Destinations.IdentityToken);

                        var ticket = new AuthenticationTicket(
                            new ClaimsPrincipal(identity),
                            new AuthenticationProperties(),
                            context.Options.AuthenticationScheme);

                        // Call SetScopes with the list of scopes you want to grant
                        // (specify offline_access to issue a refresh token).
                        ticket.SetScopes("profile", "offline_access");

                        context.Validate(ticket);
                    }

                    return Task.FromResult(0);
                };
            });
        }
    }

.csproj

    

ASP.NET Core 2.x:

Startup.cs

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication()

                // Add a new middleware validating the encrypted
                // access tokens issued by the OIDC server.
                .AddOAuthValidation()

                // Add a new middleware issuing tokens.
                .AddOpenIdConnectServer(options =>
                {
                    options.TokenEndpointPath = "/connect/token";

                    // Override OnValidateTokenRequest to skip client authentication.
                    options.Provider.OnValidateTokenRequest = context =>
                    {
                        // Reject the token requests that don't use
                        // grant_type=password or grant_type=refresh_token.
                        if (!context.Request.IsPasswordGrantType() &&
                            !context.Request.IsRefreshTokenGrantType())
                        {
                            context.Reject(
                                error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
                                description: "Only grant_type=password and refresh_token " +
                                             "requests are accepted by this server.");

                            return Task.CompletedTask;
                        }

                        // Since there's only one application and since it's a public client
                        // (ie a client that cannot keep its credentials private),
                        // call Skip() to inform the server the request should be
                        // accepted without enforcing client authentication.
                        context.Skip();

                        return Task.CompletedTask;
                    };

                    // Override OnHandleTokenRequest to support
                    // grant_type=password token requests.
                    options.Provider.OnHandleTokenRequest = context =>
                    {
                        // Only handle grant_type=password token requests and let the
                        // OpenID Connect server middleware handle the other grant types.
                        if (context.Request.IsPasswordGrantType())
                        {
                            // Do your credentials validation here.
                            // Note: you can call Reject() with a message
                            // to indicate that authentication failed.

                            var identity = new ClaimsIdentity(context.Scheme.Name);
                            identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "[unique id]");

                            // By default, claims are not serialized
                            // in the access and identity tokens.
                            // Use the overload taking a "destinations"
                            // parameter to make sure your claims
                            // are correctly inserted in the appropriate tokens.
                            identity.AddClaim("urn:customclaim", "value",
                                OpenIdConnectConstants.Destinations.AccessToken,
                                OpenIdConnectConstants.Destinations.IdentityToken);

                            var ticket = new AuthenticationTicket(
                                new ClaimsPrincipal(identity),
                                new AuthenticationProperties(),
                                context.Scheme.Name);

                            // Call SetScopes with the list of scopes you want to grant
                            // (specify offline_access to issue a refresh token).
                            ticket.SetScopes("profile", "offline_access");

                            context.Validate(ticket);
                        }

                        return Task.CompletedTask;
                    };
                });
        }
    }

.csproj

    

You can also read this blog post, which explains how to implement the resource owner password credentials grant: http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-implementing-the-resource-owner-password-credentials-grant/
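As an added example that is not part of the original answer: one way to fill in the "Do your credentials validation here" step of the 2.x Startup above with ASP.NET Core Identity, counting failed attempts toward lockout and returning a single generic invalid_grant error so the token endpoint does not disclose whether the username, the password or a lockout was the problem. PasswordGrantHandler is a hypothetical helper name, ApplicationUser is assumed to be the app's Identity user class, and the using directives assume the ASOS 2.x package namespaces.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;  // assumed: SetScopes()
using AspNet.Security.OpenIdConnect.Primitives;  // assumed: OpenIdConnectConstants
using AspNet.Security.OpenIdConnect.Server;      // assumed: HandleTokenRequestContext
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper (ApplicationUser is assumed to be the app's Identity user
// class). Wire it in with:
//   options.Provider.OnHandleTokenRequest = PasswordGrantHandler.HandleAsync;
public static class PasswordGrantHandler
{
    // Same message for unknown user, wrong password and locked-out account,
    // so the token endpoint does not reveal which of the three applied.
    private const string Failure = "The username/password couple is invalid.";

    public static async Task HandleAsync(HandleTokenRequestContext context)
    {
        // Only grant_type=password is handled here; refresh_token requests
        // are left to the OpenID Connect server middleware.
        if (!context.Request.IsPasswordGrantType()) return;
        var users = context.HttpContext.RequestServices
            .GetRequiredService<UserManager<ApplicationUser>>();
        var user = await users.FindByNameAsync(context.Request.Username);
        if (user == null || (users.SupportsUserLockout && await users.IsLockedOutAsync(user)))
        {
            context.Reject(error: OpenIdConnectConstants.Errors.InvalidGrant, description: Failure);
            return;
        }
        if (!await users.CheckPasswordAsync(user, context.Request.Password))
        {
            // Count the failed attempt so repeated guesses trigger Identity's lockout.
            if (users.SupportsUserLockout) await users.AccessFailedAsync(user);
            context.Reject(error: OpenIdConnectConstants.Errors.InvalidGrant, description: Failure);
            return;
        }
        if (users.SupportsUserLockout) await users.ResetAccessFailedCountAsync(user);

        // Use the stable user id, not the username, as the subject claim.
        var identity = new ClaimsIdentity(context.Scheme.Name);
        identity.AddClaim(OpenIdConnectConstants.Claims.Subject, await users.GetUserIdAsync(user));
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity),
            new AuthenticationProperties(), context.Scheme.Name);
        ticket.SetScopes("profile", "offline_access"); // offline_access => refresh token
        context.Validate(ticket);
    }
}
```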