Microsoft.Owin.Security 自定义AuthenticationHandler 实现oauth2 的授权码模式

Posted ForXiXi

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Microsoft.Owin.Security 自定义AuthenticationHandler 实现oauth2 的授权码模式相关的知识,希望对你有一定的参考价值。

三个网站:

1. www.cnblogs.com        用户直接面对和使用的web应用   以后简称w

2.passport.cnblogs.com   认证服务器,可以访问用户表的用户名和密码                             以后简称p

3.users.cnblogs.com        给其它应用程序提供服务,本例当中只是提供授权用户的个人信息,例如手机 邮箱等信息                            以后简称u

 

利用 Microsoft.Owin.Security 来实现oauth2 的授权码模式

 

主要流程:

1. w判断自己网站的cookie有没有,如果没有,跳转到自己的登录页

2.w登录页 action 记录下需要跳转的url地址,切换到 第三方登录 模式,返回401

3. w的第三方登录发现自己是当前的登录模式,而且状态码还是401,接管response,不再返回401,而是重定向至p站的Authorize

4.p站的Authorize查看当前用户是否已经登录,如果登录,返回授权页(大致内容是:你是否同意 第三方网站w使用你的个人信息) 注:这个地方也可以直接返回授权码,即不再需要用户确认一次,参见下方代码

5.用户同意后,p站生成授权码,并将请求过来的state参数附加在返回的url后,跳转回w网站

6.w网站拿到code和state后,首先检查state是否和当初请求时一样,然后在服务器构造一个新的请求,到p站拿回真实的access_token和refresh_token等信息

7.w网站用access_token到u站获取到用户的信息,然后构造ClaimsIdentity,在w网站登录,登录成功以后取出第2步存入的访问url,跳转

 

 

一些关键代码

w网站启动

//
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType=DefaultAuthenticationTypes.ApplicationCookie,
LoginPath=new PathString("/Account/Login")
});

//这段代码的作用是,如果第三方登录中没有配置SignInAsAuthenticationType
//则需要开启以后,在/Account/OAuthLoginCallBack 中获取到ExternalCookie 然后再实现当前网站的登录
//在OAuthLoginCallBack中再提及这部分代码
//app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

//使用第三方登录的配置
//此处的oauth是参照修改Microsoft.Owin.Security.Google 而来
//不复杂,但有几处暗坑
//关于callbackpath ,由于oauth2.0 的规范要求 请求code和请求access_token的url中的redirect_uri 必须一致,所以增加了一个第三方登录完毕以后跳回来的地址
app.UseAxOAuth2Authentication(new AxOAuth2AuthenticationOptions()
{
TokenEndpoint="http://localhost:8099/token",
AuthorizeEndpoint="http://localhost:8099/oauth/authorize",
UserInfoEndpoint="http://localhost:8053/User/UserIdInfo",
ClientId="clientId",
ClientSecret="ClientSecret",
CallbackPath=new PathString("/Account/OAuthLoginCallBack"),
SignInAsAuthenticationType=DefaultAuthenticationTypes.ApplicationCookie
});

 

w网站  /Account/Login 完成 流程中第一步 第二步的功能

       [AllowAnonymous]
        public ActionResult Login(string returnUrl)
        {
            var properties = new AuthenticationProperties
            {
                RedirectUri=returnUrl
            };

//AxOauth是我的第三方登录模块的名称
//

HttpContext.GetOwinContext().Authentication.Challenge(properties, "AxOauth");
return new HttpUnauthorizedResult();
        }

 

实现流程第三步 AxOAuth2AuthenticationHandler中的第一个主要函数 ,参考 Microsoft.Owin.Security.Google修改

protected override Task ApplyResponseChallengeAsync()
        {
//401判断
if (Response.StatusCode != 401) { return Task.FromResult<object>(null); }
//如果在login中不 Challenge 此处就会为null
var challenge = Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode); if (challenge != null) { var baseUri = Request.Scheme + Uri.SchemeDelimiter + Request.Host + Request.PathBase; var currentUri = baseUri + Request.Path + Request.QueryString; var redirectUri = baseUri + Options.CallbackPath; var properties = challenge.Properties; if (string.IsNullOrEmpty(properties.RedirectUri)) { properties.RedirectUri = currentUri; } // OAuth2 10.12 CSRF GenerateCorrelationId(properties); var queryStrings = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase) { {"response_type", "code"}, {"client_id", Options.ClientId}, {"redirect_uri", redirectUri} }; // space separated var scope = string.Join(" ", Options.Scope); if (string.IsNullOrEmpty(scope)) { // Google OAuth 2.0 asks for non-empty scope. If user didn\'t set it, set default scope to // "openid profile email" to get basic user information. scope = "openid profile email"; } AddQueryString(queryStrings, properties, "scope", scope); AddQueryString(queryStrings, properties, "access_type", Options.AccessType); AddQueryString(queryStrings, properties, "approval_prompt"); AddQueryString(queryStrings, properties, "login_hint"); var state = Options.StateDataFormat.Protect(properties); queryStrings.Add("state", state); var authorizationEndpoint = WebUtilities.AddQueryString(Options.AuthorizeEndpoint, queryStrings); var redirectContext = new AxOAuth2ApplyRedirectContext( Context, Options, properties, authorizationEndpoint); Options.Provider.ApplyRedirect(redirectContext); } return Task.FromResult<object>(null); }

 

p站启动代码Startup.Auth.cs   Paths自己定义,相关的provider可以阅读其它相关资料

 app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType=Paths.AuthenticationType,
                LoginPath=new PathString(Paths.LoginPath),
                LogoutPath=new PathString(Paths.LogoutPath),
            });

            app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions
            {
                AuthorizeEndpointPath=new PathString(Paths.AuthorizePath),
                TokenEndpointPath=new PathString(Paths.TokenPath),
                AccessTokenExpireTimeSpan=TimeSpan.FromHours(2),
                Provider=new AuthorizationServerProvider(),
                AuthorizationCodeProvider=new AuthorizationCodeProvider(),
                RefreshTokenProvider=new RefreshTokenProvider(),
                ApplicationCanDisplayErrors=true,
               
#if DEBUG
                //HTTPS is allowed only AllowInsecureHttp = false
                AllowInsecureHttp=true,
#endif
            });

p站的 Authorize

 public ActionResult Authorize()
        {
            //是否要求必须用户显示授权 弹出确认授权的页面
            var userGrant = ConfigurationManager.AppSettings["oAuthUserGrant"]=="1";

            IAuthenticationManager authentication = HttpContext.GetOwinContext().Authentication;
            AuthenticateResult ticket = authentication.AuthenticateAsync(Paths.AuthenticationType).Result;
            ClaimsIdentity identity = ticket?.Identity;

            if (identity==null)
            {
                //如果没有验证通过,则必须先通过身份验证,跳转到验证方法
                authentication.Challenge(Paths.AuthenticationType);
                return new HttpUnauthorizedResult();
            }

            if (Request.HttpMethod!="POST"&&userGrant)
            {
                return View();
            }

            //返回给其它系统的用户身份只是在当前系统内的身份基础上增加了role
            identity=new ClaimsIdentity(identity.Claims, "Bearer");

            //hardcode添加一些Claim,正常是从数据库中根据用户ID来查找添加
            identity.AddClaim(new Claim(ClaimTypes.Role, "GetUserInfo"));
         
            authentication.SignIn(new AuthenticationProperties() { IsPersistent=true }, identity);
            return View();
        }

 

w站的 OAuthLoginCallBack,此处很简单,AxOAuth2AuthenticationHandler 已经把其它工作做完了

 [AllowAnonymous]
        public ActionResult OAuthLoginCallBack(string returnUrl)
        {
            return Redirect(returnUrl??"/");
        }

 

 

AxOAuth2AuthenticationHandler 中的另两个主要函数,其它内容请参照Microsoft.Owin.Security.Google

 private async Task<bool> InvokeReplyPathAsync()
        {
            if (Options.CallbackPath.HasValue && Options.CallbackPath == Request.Path)
            {
                // TODO: error responses
                //会调用下方的函数
                var ticket = await AuthenticateAsync();
                if (ticket == null)
                {
                    _logger.WriteWarning("Invalid return state, unable to redirect.");
                    Response.StatusCode = 500;
                    return true;
                }

                var context = new AxOAuth2ReturnEndpointContext(Context, ticket);
                context.SignInAsAuthenticationType = Options.SignInAsAuthenticationType;
                context.RedirectUri = ticket.Properties.RedirectUri;

                await Options.Provider.ReturnEndpoint(context);

//已经设置了type,则会登录,就不再需要callback中去实现登录了
if (context.SignInAsAuthenticationType != null && context.Identity != null) { var grantIdentity = context.Identity; if ( !string.Equals(grantIdentity.AuthenticationType, context.SignInAsAuthenticationType, StringComparison.Ordinal)) { grantIdentity = new ClaimsIdentity(grantIdentity.Claims, context.SignInAsAuthenticationType, grantIdentity.NameClaimType, grantIdentity.RoleClaimType); } Context.Authentication.SignIn(context.Properties, grantIdentity); }
//下方的RedirectUri 是在当处那个Login中记录的
if (!context.IsRequestCompleted && context.RedirectUri != null) { var redirectUri = context.RedirectUri; if (context.Identity == null) { // add a redirect hint that sign-in failed in some way redirectUri = WebUtilities.AddQueryString(redirectUri, "error", "access_denied"); } Response.Redirect(redirectUri); context.RequestCompleted(); } return context.IsRequestCompleted; } return false; }

 

        protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
        {
            AuthenticationProperties properties = null;

            try
            {
                string code = null;
                string state = null;

                var query = Request.Query;
                var values = query.GetValues("code");
                if (values != null && values.Count == 1)
                {
                    code = values[0];
                }
                values = query.GetValues("state");
                if (values != null && values.Count == 1)
                {
                    state = values[0];
                }

                properties = Options.StateDataFormat.Unprotect(state);
                if (properties == null)
                {
                    return null;
                }

                // OAuth2 10.12 CSRF
                if (!ValidateCorrelationId(properties, _logger))
                {
                    return new AuthenticationTicket(null, properties);
                }

                var requestPrefix = Request.Scheme + "://" + Request.Host;
                var redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath;

                // Build up the body for the token request
                var body = new List<KeyValuePair<string, string>>();
                body.Add(new KeyValuePair<string, string>("grant_type", "authorization_code"));
                body.Add(new KeyValuePair<string, string>("code", code));
                body.Add(new KeyValuePair<string, string>("redirect_uri", redirectUri));
                body.Add(new KeyValuePair<string, string>("client_id", Options.ClientId));
                body.Add(new KeyValuePair<string, string>("client_secret", Options.ClientSecret));

                // Request the token from p 
                var tokenResponse =
                    await _httpClient.PostAsync(Options.TokenEndpoint, new FormUrlEncodedContent(body));
                tokenResponse.EnsureSuccessStatusCode();
                var text = await tokenResponse.Content.ReadAsStringAsync();

                // Deserializes the token response
                var response = JObject.Parse(text);
                var accessToken = response.Value<string>("access_token");

                if (string.IsNullOrWhiteSpace(accessToken))
                {
                    _logger.WriteWarning("Access token was not found");
                    return new AuthenticationTicket(null, properties);
                }

                // Get the user from u
                var request = new HttpRequestMessage(HttpMethod.Get, Options.UserInfoEndpoint);
                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
                var graphResponse = await _httpClient.SendAsync(request, Request.CallCancelled);
                graphResponse.EnsureSuccessStatusCode();
                text = await graphResponse.Content.ReadAsStringAsync();
                var user = JsonSerializeHelper.Deserialize<UserInfo>(text);

                var context = new AxOAuth2AuthenticatedContext(Context, user, response);
                context.Identity = new ClaimsIdentity(Options.AuthenticationType,ClaimsIdentity.DefaultNameClaimType,ClaimsIdentity.DefaultRoleClaimType);
                context.Identity.AddClaim(new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "ASP.NET Identity"));

                if (!string.IsNullOrEmpty(user.Id))
                {
                    context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id,
                        ClaimValueTypes.String, Options.AuthenticationType));
                }
                if (!string.IsNullOrEmpty(user.Name))
                {
                    context.Identity.AddClaim(new Claim(ClaimTypes.Name, user.Name, ClaimValueTypes.String,
                        Options.AuthenticationType));
                }
                if (!string.IsNullOrEmpty(user.Email))
                {
                    context.Identity.AddClaim(new Claim(ClaimTypes.Email, user.Email, ClaimValueTypes.String,
                        Options.AuthenticationType));
                }
               
                context.Properties = properties;

                await Options.Provider.Authenticated(context);

                return new AuthenticationTicket(context.Identity, context.Properties);
            }
            catch (Exception ex)
            {
                _logger.WriteError("Authentication failed", ex);
                return new AuthenticationTicket(null, properties);
            }
        }

 

u站 Startup.Auth.cs

app.UseOAuthBearerAuthentication(new Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationOptions());

在需要控制权限的地方加上[Authorize] 

配置webconfig中的machineKey和p站相同,则可以解密获取到access_token当中的用户信息

 

利用oauth2.0 实现内部的统一身份认证,从开始到现在能全程走通,走了很多弯路,希望能对需要了解这一块的朋友有所帮助,利用工作间隙的时间写的,比较乱,有的地方还需要完善,请谅解。

有任何疑问请留言,一起学习。

 

以上是关于Microsoft.Owin.Security 自定义AuthenticationHandler 实现oauth2 的授权码模式的主要内容,如果未能解决你的问题,请参考以下文章

扩展 Microsoft.Owin.Security

序列包含多个元素 Microsoft.Owin.Security.AuthenticationManager

Owin,在Authentication Request中传递自定义查询参数

ASP.NET Microsoft OWIN 令牌变得无效

Owin cookie身份验证设置cookie未保存在浏览器中

在WebApi中基于Owin OAuth使用授权发放Token