OAuth中client id的处理

Posted 2021-02-08 chucklu

http://www.tugberkugurlu.com/archive/simple-oauth-server-implementing-a-simple-oauth-server-with-katana-oauth-authorization-server-components-part-1

https://docs.microsoft.com/en-us/previous-versions/aspnet/mt180817(v%3Dvs.113)

Called to validate that the origin of the request is a registered "client_id", and that the correct credentials for that client are present on the request. If the web application accepts Basic authentication credentials, context.TryGetBasicCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request header. If the web application accepts "client_id" and "client_secret" as form encoded POST parameters, context.TryGetFormCredentials(out clientId, out clientSecret) may be called to acquire those values if present in the request body. If context.Validated is not called the request will not proceed further.

public override async Task ValidateClientAuthentication(
        OAuthValidateClientAuthenticationContext context)
    {
        string clientId;
        string clientSecret;

        if (context.TryGetBasicCredentials(out clientId, out clientSecret))
        {
            UserManager<IdentityUser> userManager = 
                context.OwinContext.GetUserManager<UserManager<IdentityUser>>();
            OAuthDbContext dbContext = 
                context.OwinContext.Get<OAuthDbContext>();

            try
            {
                Client client = await dbContext
                    .Clients
                    .FirstOrDefaultAsync(clientEntity => clientEntity.Id == clientId);

                if (client != null &&
                    userManager.PasswordHasher.VerifyHashedPassword(
                        client.ClientSecretHash, clientSecret) == PasswordVerificationResult.Success)
                {
                    // Client has been verified.
                    context.OwinContext.Set<Client>("oauth:client", client);
                    context.Validated(clientId);
                }
                else
                {
                    // Client could not be validated.
                    context.SetError("invalid_client", "Client credentials are invalid.");
                    context.Rejected();
                }
            }
            catch
            {
                // Could not get the client through the IClientManager implementation.
                context.SetError("server_error");
                context.Rejected();
            }
        }
        else
        {
            // The client credentials could not be retrieved.
            context.SetError(
                "invalid_client", 
                "Client credentials could not be retrieved through the Authorization header.");

            context.Rejected();
        }
    }

 

 

https://stackoverflow.com/questions/37119386/client-id-is-always-null-in-validateclientauthentication

if your client_id is passed as a form param, you‘ll have to get it by doing context.TryGetFormCredentials(out clientId, out clientSecret);

if your client_id is passed as an Authorization header, you can get it by doing context.TryGetBasicCredentials(out clientId, out clientSecret);

once you‘ve got the client_id from your request, do context.Validated(clientId), this will set your context.ClientId property, this property will always be null until you‘ve done context.Validated()