Question
I am trying to write my own OAuth authentication server with OAuthAuthorizationServerProvider. The client requests a token from the auth server. If the client credentials are valid, the auth server gives an access token. Now the client sends the token with every request to the resource server. I am unable to understand how the resource server will validate the token which was generated by the auth server. Can anybody give any example code using OAuthAuthorizationServerProvider?
Below is the implementation that I have tried:
using System;
using System.Collections.Generic;
using System.IO;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class AuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Marks every caller as a valid client without reading client_id/client_secret.
        return Task.FromResult<object>(context.Validated());
    }

    public override Task TokenEndpoint(OAuthTokenEndpointContext context)
    {
        // Copies the ticket's properties into the JSON body of the token response.
        foreach (KeyValuePair<string, string> property in context.Properties.Dictionary)
        {
            context.AdditionalResponseParameters.Add(property.Key, property.Value);
        }
        return Task.FromResult<object>(null);
    }

    public override Task TokenEndpointResponse(OAuthTokenEndpointResponseContext context)
    {
        // Debug aid: writes the issued access token to a local file in clear text.
        string path = @"e:\temp\MyTest.txt";
        File.WriteAllText(path, context.AccessToken);
        return base.TokenEndpointResponse(context);
    }
}

public class Startup
{
    public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }

    public void Configuration(IAppBuilder app)
    {
        ConfigureOAuth(app);
    }

    public void ConfigureOAuth(IAppBuilder app)
    {
        OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
        OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
        {
            AllowInsecureHttp = true,
            TokenEndpointPath = new PathString("/Token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            Provider = new AuthorizationServerProvider(),
        };
        // Token endpoint and bearer validation are both wired into this one site.
        app.UseOAuthAuthorizationServer(OAuthServerOptions);
        app.UseOAuthBearerAuthentication(OAuthBearerOptions);
    }
}
Now I am not able to test it using Postman. Can someone help me: is my implementation correct for client_credentials authorization?
P.S.: I want to debug the TokenEndpointResponse method and also the classes in Startup. How can I do that?
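The following is an added example, not the asker's code: a client_credentials-only authorization server on Microsoft.Owin.Security.OAuth (Katana) that actually checks the client secret and issues a ticket for the client_credentials grant. The client registry, the client id "demo-client", its secret and the scope values are assumptions for the demo; a real server would load hashed secrets from a store.

```csharp
// Added example (not the asker's code). Assumed: a hypothetical in-memory client
// registry with demo credentials; the Katana packages Microsoft.Owin.Security.OAuth
// and Microsoft.Owin.Host.SystemWeb are installed.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(AuthServer.Startup))]

namespace AuthServer
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
            {
                // Local testing only: a bearer token sent over plain HTTP can be
                // captured and replayed by anyone on the path.
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/Token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
                Provider = new ClientCredentialsProvider()
            });
        }
    }

    public class ClientCredentialsProvider : OAuthAuthorizationServerProvider
    {
        // Hypothetical client registry: client_id -> client_secret (demo values).
        private static readonly Dictionary<string, string> Clients = new Dictionary<string, string>
        {
            { "demo-client", "demo-secret-change-me" }
        };

        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            string clientId, clientSecret;
            // RFC 6749 allows the credentials in an HTTP Basic header or as form fields.
            if (!context.TryGetBasicCredentials(out clientId, out clientSecret) &&
                !context.TryGetFormCredentials(out clientId, out clientSecret))
            {
                context.SetError("invalid_client", "Client credentials are missing.");
                return Task.FromResult<object>(null);
            }

            string expected;
            if (!Clients.TryGetValue(clientId, out expected) || !FixedTimeEquals(expected, clientSecret))
            {
                // Same error for an unknown id and a wrong secret, so the response
                // does not reveal which client ids exist.
                context.SetError("invalid_client", "Client credentials are invalid.");
                return Task.FromResult<object>(null);
            }

            context.Validated(clientId);
            return Task.FromResult<object>(null);
        }

        public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
        {
            // The base implementation leaves this context unvalidated, and then the
            // token endpoint answers with an OAuth error instead of a token. The ticket
            // built here is what the resource server later unprotects and turns into
            // the request's ClaimsPrincipal.
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim("client_id", context.ClientId));
            foreach (string scope in context.Scope)
                identity.AddClaim(new Claim("scope", scope));

            context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
            return Task.FromResult<object>(null);
        }

        // The comparison time does not depend on which bytes differ, so a wrong
        // secret cannot be narrowed down byte by byte from response timing.
        private static bool FixedTimeEquals(string expected, string presented)
        {
            byte[] a = Encoding.UTF8.GetBytes(expected ?? string.Empty);
            byte[] b = Encoding.UTF8.GetBytes(presented ?? string.Empty);
            int diff = a.Length ^ b.Length;
            for (int i = 0; i < a.Length && i < b.Length; i++)
                diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

To exercise it from Postman, send a POST to http://localhost:PORT/Token with an x-www-form-urlencoded body of grant_type=client_credentials, client_id=demo-client, client_secret=demo-secret-change-me and optionally scope=orders.read; the JSON response carries access_token, token_type "Bearer" and expires_in. For debugging, run the site under the Visual Studio debugger and set breakpoints in the provider: ValidateClientAuthentication is hit on every token request, GrantClientCredentials only after the client was validated, and TokenEndpointResponse only after a ticket was issued, so a breakpoint there is never reached while an earlier step is still failing.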
Answer 1:
The token contains the authentication ticket generated by the authorization server. The resource server extracts the ticket from the token and checks that it is valid.
These tasks are accomplished by the Microsoft.Owin.Security.OAuth DLL.
Both the authorization and resource servers must share the same machine key, which is used to encrypt the authentication ticket inside the token and to decrypt the token to obtain the ticket. You can include it in the web.config of both web sites (servers):
<system.web>
  ...
  <machineKey validationKey="BDE1234FBD71982481D87D815FA0A65B9F5982D123FA96E5672B78ABCD52D58818B479B19FF6D95263E85B0209297E68ABBA7D1E0BD3EABCD5E35742DEA5F2A7"
              decryptionKey="8E8496D7342EA25ABCDEF6177E04EA00008E359C95E60CD0789456123B9ED2B3"
              validation="SHA1" decryption="AES" />
  ...
</system.web>
TokenEndpointResponse is the last method executed in the OAuthAuthorizationServerProvider, and only if all the validations in the other methods succeed, so you cannot debug it until the provider works properly.
I based my OAuth server implementation on the following post by Taiseer Joudeh; I think you can see the light by reading his explanations and viewing the code.
I hope this helps you.
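The following is an added example, not the answerer's code, showing the resource-server side of what the answer describes: a site with no token endpoint that only unprotects and checks bearer tokens. It assumes both sites run under IIS/System.Web (Microsoft.Owin.Host.SystemWeb) with the same <machineKey> in web.config, that Microsoft.AspNet.WebApi.Owin is installed, and that the token carries "client_id" and "scope" claims; the route and the "orders.read" scope are assumptions for the demo.

```csharp
// Added example (not the answer's code). Assumed: same <machineKey> as the
// authorization server, IIS/System.Web hosting, Web API on OWIN, and a token
// whose ticket contains "client_id" and "scope" claims.
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(ResourceServer.Startup))]

namespace ResourceServer
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // No UseOAuthAuthorizationServer here: this side only consumes tokens.
            // The bearer middleware reads "Authorization: Bearer <token>", unprotects
            // the ticket with the shared machine key, rejects expired or tampered
            // tokens, and sets the request principal. With a different key every
            // token is silently treated as anonymous, which [Authorize] turns into 401.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            var config = new HttpConfiguration();
            // Global [Authorize]: every action needs a valid token unless marked [AllowAnonymous].
            config.Filters.Add(new AuthorizeAttribute());
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    [RoutePrefix("api/orders")]
    public class OrdersController : ApiController
    {
        [HttpGet, Route("")]
        public IHttpActionResult Get()
        {
            // The claims come straight out of the ticket the auth server sealed;
            // the resource server never calls back to the auth server.
            var identity = (ClaimsIdentity)User.Identity;
            Claim clientClaim = identity.FindFirst("client_id");
            string clientId = clientClaim == null ? null : clientClaim.Value;
            string[] scopes = identity.FindAll("scope").Select(c => c.Value).ToArray();

            // A valid token proves who the caller is, not what it may do: check scope too.
            if (!scopes.Contains("orders.read"))
            {
                return StatusCode(HttpStatusCode.Forbidden);
            }

            return Ok(new { client = clientId, scopes = scopes });
        }
    }
}
```

Call it with the access_token from the /Token response in an "Authorization: Bearer <token>" header. Two caveats: the machineKey values printed in the answer are a public example, so generate fresh ones for your sites rather than reusing them; and the shared machine key only takes effect when both sites are hosted under System.Web, because a self-hosted Katana app protects tickets with DPAPI by default, which does not work across machines. In that case set the same AccessTokenFormat on OAuthAuthorizationServerOptions and OAuthBearerAuthenticationOptions instead.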
Source: https://stackoverflow.com/questions/37025017/validate-oauth-bearer-token-in-resource-server