之前已经简单实现了OAUTH2的授权码模式(Authorization Code),但是基于JAVA的,今天花了点时间调试了OWIN的实现,基本就把基于OWIN的OAUHT2的四种模式实现完了。官方推荐的.NET 包有

Katana已经不更新了,新的版本是已经是asp.net core 1.0的一部分,实现OAUTH2好的选择可以考虑使用新版或IdentityServer3对应asp.net core 1.0版本为IdentityServer4。

Startup 

public partial class Startup

    {

        private readonly ConcurrentDictionary<string, string> _authenticationCodes = new ConcurrentDictionary<string, string>(StringComparer.Ordinal);

        public void ConfigureAuth(IAppBuilder app)

        {

            app.UseCookieAuthentication(new CookieAuthenticationOptions

            {

                AuthenticationType = Paths.AuthenticationType,

                AuthenticationMode = AuthenticationMode.Passive,

                LoginPath = new PathString(Paths.LoginPath),

                LogoutPath = new PathString(Paths.LogoutPath),

            });

            app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions

            {

                AuthorizeEndpointPath = new PathString(Paths.AuthorizePath),

                TokenEndpointPath = new PathString(Paths.TokenPath),

                AccessTokenExpireTimeSpan = TimeSpan.FromHours(2),

                Provider = new OAuthAuthorizationServerProvider

                {

                    OnValidateClientRedirectUri = ValidateClientRedirectUri,

                    OnValidateClientAuthentication = ValidateClientAuthentication,

                    OnGrantResourceOwnerCredentials = GrantResourceOwnerCredentials,

                    OnGrantClientCredentials = GrantClientCredetails

                },

                //Provider = new ApplicationOAuthProvider(),

                AuthorizationCodeProvider = new AuthenticationTokenProvider

                {

                    OnCreate = CreateAuthenticationCode,

                    OnReceive = ReceiveAuthenticationCode,

                },

                RefreshTokenProvider = new AuthenticationTokenProvider

                {

                    OnCreate = CreateRefreshToken,

                    OnReceive = ReceiveRefreshToken,

                },

                ApplicationCanDisplayErrors = true,

#if DEBUG

                //HTTPS is allowed only AllowInsecureHttp = false

                AllowInsecureHttp = true,

#endif

            });

        }

        private void CreateAuthenticationCode(AuthenticationTokenCreateContext context)

        {

            context.SetToken(Guid.NewGuid().ToString("n") + Guid.NewGuid().ToString("n"));

            _authenticationCodes[context.Token] = context.SerializeTicket();

        }

        private void ReceiveAuthenticationCode(AuthenticationTokenReceiveContext context)

        {

            string value;

            if (_authenticationCodes.TryRemove(context.Token, out value))

            {

                context.DeserializeTicket(value);

            }

        }

        private Task GrantClientCredetails(OAuthGrantClientCredentialsContext context)

        {

            var identity = new ClaimsIdentity(new GenericIdentity(context.ClientId, OAuthDefaults.AuthenticationType), context.Scope.Select(x => new Claim("urn:oauth:scope", x)));

            context.Validated(identity);

            return Task.FromResult(0);

        }

        private Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)

        {

            var identity = new ClaimsIdentity(new GenericIdentity(context.UserName, OAuthDefaults.AuthenticationType), context.Scope.Select(x => new Claim("urn:oauth:scope", x)));

            context.Validated(identity);

            return Task.FromResult(0);

        }

        private Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)

        {

            string clientId;

            string clientSecret;

            if (context.TryGetBasicCredentials(out clientId, out clientSecret) || context.TryGetFormCredentials(out clientId, out clientSecret))

            {

                context.Validated();

            }

            return Task.FromResult(0);

        }

        private Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)

        {

            if (context.ClientId == Clients.Client1.Id)

            {

                context.Validated();

                //context.Validated(Clients.Client1.RedirectUrl);

            }

            else if (context.ClientId == Clients.Client2.Id)

            {

                context.Validated(Clients.Client2.RedirectUrl);

            }

            return Task.FromResult(0);

        }

        private void CreateRefreshToken(AuthenticationTokenCreateContext context)

        {

            context.SetToken(context.SerializeTicket());

        }

        private void ReceiveRefreshToken(AuthenticationTokenReceiveContext context)

        {

            context.DeserializeTicket(context.Token);

        }

    }

OAuthController

/// <summary>

        /// 授权码模式授权

        /// </summary>

        /// <returns></returns>

        public ActionResult Authorize()

        {

            var authentication = HttpContext.GetOwinContext().Authentication;

            var ticket = authentication.AuthenticateAsync(Paths.AuthenticationType).Result;

            var identity = ticket != null ? ticket.Identity : null;

            if (identity == null)

            {

                authentication.Challenge(Paths.AuthenticationType);

                return new HttpUnauthorizedResult();

            }

            var scopes = (Request.QueryString.Get("scope") ?? "").Split(' ');

            if (Request.HttpMethod == "POST")

            {

                if (!string.IsNullOrEmpty(Request.Form.Get("submit.Grant")))

                {

                    identity = new ClaimsIdentity(identity.Claims, "Bearer", identity.NameClaimType, identity.RoleClaimType);

                    foreach (var scope in scopes)

                    {

                        identity.AddClaim(new Claim("urn:oauth:scope", scope));

                    }

                    authentication.SignIn(identity);

                }

                if (!string.IsNullOrEmpty(Request.Form.Get("submit.Login")))

                {

                    authentication.SignOut("Application");

                    authentication.Challenge("Application");

                    return new HttpUnauthorizedResult();

                }

            }

            return View();

        }

AccountController

/// <summary>

        /// 用户登录

        /// </summary>

        /// <returns></returns>

        public ActionResult Login()

        {

            var authentication = HttpContext.GetOwinContext().Authentication;

            if (Request.HttpMethod == "POST")

            {

                var isPersistent = !string.IsNullOrEmpty(Request.Form.Get("isPersistent"));

                if (!string.IsNullOrEmpty(Request.Form.Get("submit.Signin")))

                {

                    authentication.SignIn(

                        new AuthenticationProperties { IsPersistent = isPersistent },

                        new ClaimsIdentity(new[] { new Claim(ClaimsIdentity.DefaultNameClaimType, Request.Form["username"]) }, "Application"));

                }

            }

            return View();

        }

        /// <summary>

        /// 退出

        /// </summary>

        /// <returns></returns>

        public ActionResult Logout()

        {

            return View();

        }

调试

获得授权码

GET /oauth/authorize?client_id=irving&redirect_uri=http://localhost:38500/oauth_callback&state=LYUVwcuaGuKeRTjxhdFzhQ&scope=bio

%20notes&response_type=code HTTP/1.1

http://localhost:56889/oauth/authorize?

client_id=irving&redirect_uri=http://localhost:38500/oauth_callback&state=LYUVwcuaGuKeRTjxhdFzhQ&scope=bio%20notes&response_type=code

页面重定向

HTTP/1.1 302 Found

Location: /oauth_callback?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

http://localhost:56889/oauth_callback?code=0aa3e35bd515413bb93bdb6fb015591cc763a8d30c554730a07ebd39e3149252&state=LYUVwcuaGuKeRTjxhdFzhQ

获得令牌

POST /token HTTP/1.1

Host: server.example.com

Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=929dc42905a24e79bdf028f7043769acddd90056ca8141708b3834ec174e8083&state=LYUVwcuaGuKeRTjxhdFzhQ&redirect_uri=http://localhost:38500/oauth_callback

源码:https://github.com/zhouyongtao/SecuringForWebAPI/tree/master/KatanaForWebAPI

注意事项

资源服务器识别认证服务器颁发的令牌, 需要配置相同的machinekey

<machineKey decryptionKey="B7EFF1C5839A624E3F97D0268917EDE82F408D2ECBFAC817" validation="SHA1" validationKey="C2B8DF31AB9624D69428066DFDA1A479542825F3B48865C4E47AF6A026F22D853DEC2B3248DF268599BF89EF78B9E86CA05AC73577E0D5A14C45E0267588850B" />

REFER:

http://beginor.github.io/2015/01/24/oauth2-server-with-owin.html

http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

基于OWIN WebAPI 使用OAUTH2授权服务【授权码模式(Authorization Code)】的更多相关文章

  1. 【干货】基于Owin WebApi 使用OAuth2进行客户端授权服务

    前言:采用Client Credentials方式,即密钥key/password,场景一般是分为客户端限制必须有权限才能使用的模块,这和微信公众号开放平台很类似. 让用户通过客户端去获取自己的tok ...

  2. IdentityServer4 (3) 授权码模式(Authorization Code)

    写在前面 1.源码(.Net Core 2.2) git地址:https://github.com/yizhaoxian/CoreIdentityServer4Demo.git 2.相关章节 2.1. ...

  3. Apache Oltu 实现 OAuth2.0 服务端【授权码模式(Authorization Code)】

    要实现OAuth服务端,就得先理解客户端的调用流程,服务提供商实现可能也有些区别,实现OAuth服务端的方式很多,具体可能看 http://oauth.net/code/ 各语言的实现有(我使用了Ap ...

  4. Owin中间件搭建OAuth2.0认证授权服务体会

    继两篇转载的Owin搭建OAuth 2.0的文章,使用Owin中间件搭建OAuth2.0认证授权服务器和理解OAuth 2.0之后,我想把最近整理的资料做一下总结. 前两篇主要是介绍概念和一个基本的D ...

  5. 使用Owin中间件搭建OAuth2.0认证授权服务器

    前言 这里主要总结下本人最近半个月关于搭建OAuth2.0服务器工作的经验.至于为何需要OAuth2.0.为何是Owin.什么是Owin等问题,不再赘述.我假定读者是使用Asp.Net,并需要搭建OA ...

  6. 基于 IdentityServer3 实现 OAuth 2.0 授权服务【密码模式(Resource Owner Password Credentials)】

    密码模式(Resource Owner Password Credentials Grant)中,用户向客户端提供自己的用户名和密码.客户端使用这些信息,向"服务商提供商"索要授权 ...

  7. 【PHP】基于ThinkPHP框架搭建OAuth2.0服务

    [PHP]基于ThinkPHP框架搭建OAuth2.0服务 http://leyteris.iteye.com/blog/1483403

  8. OAuth2.0学习(1-6)授权方式3-密码模式(Resource Owner Password Credentials Grant)

    授权方式3-密码模式(Resource Owner Password Credentials Grant) 密码模式(Resource Owner Password Credentials Grant ...

  9. OAuth 第三方登录授权码(authorization code)方式的小例子

    假如上面的网站A,可以通过GitHub账号登录: 下面以OAuth其中一种方式,授权码(authorization code)方式为例. 一.第三方登录的原理 所谓第三方登录,实质就是 OAuth 授 ...

随机推荐

  1. Egret Wing3 FTP使用方法

    FTP 挺实用的,不用自己去申请sinasea什么的免费空间来测试项目了. 添加FTP服务器配置 默认就行. 指定目录上传至FTP服务器 选择免费云测试空间.然后选择bin-release/web目录 ...

  2. oracle中SQL根据生日日期查询年龄的方法

    方法:SELECT Trunc(MONTHS_BETWEEN(SYSDATE,BIRTH_DATE)/12) FROM 某表 Trunc函数在这里对带有小数位数的数字取整数部分: SYSDATE为or ...

  3. 8.9 CSS知识点2

    4.关系选择符 包含选择符(Descendant combinator) E F  选择所有被E元素包含的F元素 <style type="text/css"> h1 ...

  4. Asp.net Page指令

    Page指令为编译器编译页面时使用的指令 指令的格式为 <%@ [Directive] [Attribute=value]%> <%@ Page Language="C#& ...

  5. 说一说inline-block的奇葩之处

    今天本来想聊一下margin和padding,但是当我给div加了一个display:inline-block之后,发现一个问题: .box_demo{border: 1px solid #333;w ...

  6. 动端逐渐出了许多的移动端的框架,比如Sencha Touch、JQTouch、Jquery-moblie、jqMobi等等。这些框架都有优缺点,不同的框架应用在不同的项目中。现简单阐述一下各框架的优缺点:

    移动前端工作的那些事---前端制作之微信小技巧篇   (2013-11-15 15:20) 转载▼ 标签: it css3/javascript html5 webapp 手机网站搭建 分类: 前端制 ...

  7. C++ MFC获取软件运行目录 (包含软件名)

    TCHAR *path = new TCHAR[MAX_PATH];   GetModuleFileName(NULL,path,MAX_PATH); AfxMessageBox(path);

  8. ORACLE恢复数据

    ORACLE恢复删除表或表记录 一:表的恢复      对误删的表,只要没有使用PURGE永久删除选项,那么从flash back区恢复回来希望是挺大的.一般步骤有: 1.从flash back里查询 ...

  9. DevOps的修炼之路!

    作为一名产品经理,首先要知道产品对于所属公司来说意味着什么,要探寻这个问题,我们又得知道和公司息息相关的是什么,在我的理解来看,与公司状况相关的因素有以下这些: 市场份额 平均订单金额 盈利能力 资产 ...

  10. Wpf 中使用gif格式的动态图

    第一种方法:使用winform插件 <WindowsFormsHost  xmlns:wf="clr-namespace:System.Windows.Forms;assembly=S ...