OAuthAuthorizationProvide vs Aspnet.security.openinconnect

问题

I have tried implementing ASOS with .net core 2.1 and there were few things which were available in OAuthAuthorizationProvider but I couldn't find them in ASOS. Also I think the context is little different in ASOS, So is there any alternate of the following code in ASOS:

 OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
            var options = new OAuthAuthorizationServerOptions
            {
                AuthorizeEndpointPath = new PathString(AuthorizePath),
                TokenEndpointPath = new PathString(TokenPath),
                ApplicationCanDisplayErrors = true,
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(5),
#if DEBUG
                AllowInsecureHttp = true,
#endif
                // Authorization server provider which controls the lifecycle of Authorization Server
                Provider = new OAuthAuthorizationServerProvider
                {
                    OnValidateClientRedirectUri = ValidateClientRedirectUri,
                    OnValidateClientAuthentication = ValidateClientAuthentication,
                    OnGrantResourceOwnerCredentials = GrantResourceOwnerCredentials,
                    OnGrantClientCredentials = GrantClientCredetails
                },

                // Authorization code provider which creates and receives authorization code
                AuthorizationCodeProvider = new AuthenticationTokenProvider
                {
                    OnCreate = CreateAuthenticationCode,
                    OnReceive = ReceiveAuthenticationCode,
                },

                // Refresh token provider which creates and receives referesh token
                RefreshTokenProvider = new AuthenticationTokenProvider
                {
                    OnCreate = CreateRefreshToken,
                    OnReceive = ReceiveRefreshToken,
                }
               ,

            };
            app.UseOAuthAuthorizationServer(options);
            app.UseOAuthBearerAuthentication(OAuthBearerOptions);

Update:

private Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    var identity = new ClaimsIdentity(new GenericIdentity(context.UserName, OAuthDefaults.AuthenticationType), context.Scope.Select(x => new Claim("claim", x)));

    context.Validated(identity);

    return Task.FromResult(0);
}

private Task GrantClientCredetails(OAuthGrantClientCredentialsContext context)
{
    var identity = new ClaimsIdentity(new GenericIdentity(context.ClientId, OAuthDefaults.AuthenticationType), context.Scope.Select(x => new Claim("claim", x)));

    context.Validated(identity);

    return Task.FromResult(0);
}

回答1:

Most of the options are still there but the events model has been reworked:

• OnValidateClientRedirectUri was replaced by a more general OnValidateAuthorizationRequest event.

• OnValidateClientAuthentication no longer exists. Client authentication validation is now performed in the OnValidateTokenRequest event (or OnValidateIntrospectionRequest/OnValidateRevocationRequest, but you're not using the introspection/revocation endpoints in your snippet).

• The *Provider properties - used for decrypting/encrypting tokens - have been replaced by Serialize* and Deserialize* events. Using them is no longer mandatory: in this case, authorization codes and refresh tokens will be considered valid until they expire.

If you want to learn more about the revamped events model, don't miss this blog post series: https://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-introduction/

来源：https://stackoverflow.com/questions/51415026/oauthauthorizationprovide-vs-aspnet-security-openinconnect