Web API 2 and ASP Identity - Handling of locked out users

我是研究僧i submitted on 2019-12-10 13:47:47

Question


I just migrated my web app (ASP.NET MVC) to ASP Identity.

Everything works fine after quite some work, except the API which the web app provides. This is a Web API 2, and it is using the bearer token mechanism to authenticate users. The authentication itself also works fine, but when a user is locked out, a token for that user is still issued via the API token endpoint.

Is there a suggested way to handle this? I did not find any example...

Thanks!


Answer 1:


Ok, that was a stupid one... I see clearer now :)

I had it all the time in front of my eyes: the Web API 2 template includes a class "ApplicationOAuthProvider". This one allows several places to intercept the pipe... I chose the method "GrantResourceOwnerCredentials", which was already overridden, and there I checked if the user is locked out, directly after the password check.

Sorry, hope it helps someone.




Answer 2:


Go to the ApplicationOAuthProvider class and check ApplicationUser.LockoutEndDateUtc in the GrantResourceOwnerCredentials method:

public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

    // FindAsync returns null when the user does not exist or the password is wrong.
    ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);

    if (user == null)
    {
        context.SetError("invalid_grant", "The user name or password is incorrect.");
        return;
    }

    // LockoutEndDateUtc is stored in UTC, so it must be compared against UtcNow,
    // not the server's local time. A null or past value means the account is not locked.
    if (user.LockoutEndDateUtc != null && user.LockoutEndDateUtc > DateTime.UtcNow)
    {
        context.SetError("User Locked", "User is locked, please contact the system administrator.");
        return;
    }

    ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager);
    ClaimsIdentity cookiesIdentity = await user.GenerateUserIdentityAsync(userManager);

    AuthenticationProperties properties = CreateProperties(user.UserName);
    AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
    context.Validated(ticket);
    context.Request.Context.Authentication.SignIn(cookiesIdentity);
}


Source: https://stackoverflow.com/questions/24212716/web-api-2-and-asp-identity-handling-of-locked-out-users
