---恢复内容开始---
我们简单的描述怎么通过owin和asp.net mvc创建一个授权服务器,首先创建一个空的MVC网站名为AuthorizationServer并且安装如下包:
- Microsoft.AspNet.Mvc
- Microsoft.Owin.Host.SystemWeb
- Microsoft.Owin.Security.OAuth
- Microsoft.Owin.Security.Cookies
在项目的根目录创建一个名为Startup的类:
using Microsoft.Owin;
using Owin;
[assembly: OwinStartup(typeof(AuthorizationServer.Startup))]
namespace AuthorizationServer
{
public partial class Startup
{
public void Configuration(IAppBuilder app)
{
ConfigureAuth(app);
}
}
}
创建一个App_Start文件夹,选中App_Start添加类文件Startup.Auth.cs
public void ConfigureAuth(IAppBuilder app)
{
// 启用登录应用使用Cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Application",
AuthenticationMode = AuthenticationMode.Passive,
LoginPath = new PathString(Paths.LoginPath),
LogoutPath = new PathString(Paths.LogoutPath),
});
// 启用外部登录使用Cookie
app.SetDefaultSignInAsAuthenticationType("External");
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "External",
AuthenticationMode = AuthenticationMode.Passive,
CookieName = CookieAuthenticationDefaults.CookiePrefix + "External",
ExpireTimeSpan = TimeSpan.FromMinutes(5),
});
// 启用google身份验证
app.UseGoogleAuthentication();
// 配置授权服务
app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
{
AuthorizeEndpointPath = new PathString(Paths.AuthorizePath),
TokenEndpointPath = new PathString(Paths.TokenPath),
ApplicationCanDisplayErrors = true,
#if DEBUG
AllowInsecureHttp = true,
#endif
// 授权服务提供者控制授权服务的生命周期
Provider = new OAuthAuthorizationServerProvider
{
OnValidateClientRedirectUri = ValidateClientRedirectUri,
OnValidateClientAuthentication = ValidateClientAuthentication,
OnGrantResourceOwnerCredentials = GrantResourceOwnerCredentials,
OnGrantClientCredentials = GrantClientCredetails
},
// 授权码提供者用来创建和接受授权码
AuthorizationCodeProvider = new AuthenticationTokenProvider
{
OnCreate = CreateAuthenticationCode,
OnReceive = ReceiveAuthenticationCode,
},
// 刷新令牌提供这用来创建和接受令牌
RefreshTokenProvider = new AuthenticationTokenProvider
{
OnCreate = CreateRefreshToken,
OnReceive = ReceiveRefreshToken,
}
});
}
上面的代码启用了应用/外部登陆使用Cookie并且可以使用谷歌身份验证,由授权服务器本身管理账户。
UseCookieAuthentication扩展方法是用来配置授权服务的,配置选项是:
AuthorizeEndpointPath:客户端应用程序登录授权的请求地址,它必须以前导斜杠开始,例如:“/Authorize”
TokenEndpointPath:客户端应用程序直接获得访问令牌的请求地址,它也同样是以前导斜杠开始,例如:“/Token”
ApplicationCanDisplayErrors:如果Web应用程序想要在/Authorize地址为客户端验证生成一个自定义的错误页那么设置为true,浏览器不重定向到客户端应用。例如当client_id或者redirect_uri是错误的,/Authorize可能希望看到“oauth.Error”、“oauth.ErrorDescription”和“oauth.ErrorUri”属性被添加到Owin环境中。
AllowInsecureHttp:如果设置为true,代表授权和令牌地址允许不安全的Http协议。
Provider:配置授权服务中间件处理认证和授权的事件。
AuthorizationCodeProvider:产生一个一次性使用的验证码给客户端应用程序,OnCreate创建授权码,OnReceive收到授权码。
RefreshTokenProvider:产生一个刷新Token在需要的时候用来获得新的访问Token。
Oauth不关心在哪儿或怎么去管理你的账号信息,它是有Asp.Net Indentity来负责的,在本教程我们将简化账户管理的代码只确保用户可以使用Owin cookie中间件登录,如下在AccountControl中的简单代码:
public class AccountController : Controller
{
public ActionResult Login()
{
var authentication = HttpContext.GetOwinContext().Authentication;
if (Request.HttpMethod == "POST")
{
var isPersistent = !string.IsNullOrEmpty(Request.Form.Get("isPersistent"));
if (!string.IsNullOrEmpty(Request.Form.Get("submit.Signin")))
{
authentication.SignIn(
new AuthenticationProperties { IsPersistent = isPersistent },
new ClaimsIdentity(new[] { new Claim(
ClaimsIdentity.DefaultNameClaimType, Request.Form["username"]) },
"Application"));
}
}
return View();
}
public ActionResult Logout()
{
return View();
}
public ActionResult External()
{
var authentication = HttpContext.GetOwinContext().Authentication;
if (Request.HttpMethod == "POST")
{
foreach (var key in Request.Form.AllKeys)
{
if (key.StartsWith("submit.External.") && !string.IsNullOrEmpty(Request.Form.Get(key)))
{
var authType = key.Substring("submit.External.".Length);
authentication.Challenge(authType);
return new HttpUnauthorizedResult();
}
}
}
var identity = authentication.AuthenticateAsync("External").Result.Identity;
if (identity != null)
{
authentication.SignOut("External");
authentication.SignIn(
new AuthenticationProperties { IsPersistent = true },
new ClaimsIdentity(identity.Claims, "Application", identity.NameClaimType, identity.RoleClaimType));
return Redirect(Request.QueryString["ReturnUrl"]);
}
return View();
}
}
private Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
{
if (context.ClientId == Clients.Client1.Id)
{
context.Validated(Clients.Client1.RedirectUrl);
}
else if (context.ClientId == Clients.Client2.Id)
{
context.Validated(Clients.Client2.RedirectUrl);
}
return Task.FromResult(0);
}
private Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
string clientId;
string clientSecret;
if (context.TryGetBasicCredentials(out clientId, out clientSecret) ||
context.TryGetFormCredentials(out clientId, out clientSecret))
{
if (clientId == Clients.Client1.Id && clientSecret == Clients.Client1.Secret)
{
context.Validated();
}
else if (clientId == Clients.Client2.Id && clientSecret == Clients.Client2.Secret)
{
context.Validated();
}
}
return Task.FromResult(0);
}
private Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
{
if (context.ClientId == Clients.Client1.Id)
{
context.Validated(Clients.Client1.RedirectUrl);
}
else if (context.ClientId == Clients.Client2.Id)
{
context.Validated(Clients.Client2.RedirectUrl);
}
return Task.FromResult(0);
}
private Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
string clientId;
string clientSecret;
if (context.TryGetBasicCredentials(out clientId, out clientSecret) ||
context.TryGetFormCredentials(out clientId, out clientSecret))
{
if (clientId == Clients.Client1.Id && clientSecret == Clients.Client1.Secret)
{
context.Validated();
}
else if (clientId == Clients.Client2.Id && clientSecret == Clients.Client2.Secret)
{
context.Validated();
}
}
return Task.FromResult(0);
}
ValidateClientRedirectUri用于验证被注册的跳转Url。ValidateClientAuthentication 验证从Basic架构的请求头或Form表单提交过来的客户端凭证。