如何在 OAuth 资源服务器中验证访问令牌

Posted 2023-03-04

【中文标题】如何在 OAuth 资源服务器中验证访问令牌

【英文标题】：How to authenticate Access Token in OAuth Resource Server

【发布时间】：2012-08-28 16:19:18

【问题描述】：

我有 3 个应用程序； OAuth 2.0 生成令牌的身份验证服务器、请求令牌的 OAuth 客户端、提供 Restful API 的 OAuth 资源服务器。这些都是 MVC 3 Web 应用程序。 我的问题是如何验证从客户端到达 OAuth 资源服务器的访问令牌？ 例如，OAuth 客户端收到来自 OAuth 服务器的带有访问令牌的响应。然后客户端在向 OAuth 资源服务器发出请求以调用 API 函数之一之前将此令牌添加到标头中。 即使我可以在 headers[Authentication] 中看到访问令牌，我也找不到验证此令牌的方法。 因为我使用MVC3通过Area设计Restful API，所以我不能使用下面的函数，它与SOAP Web服务一起使用。

private static IPrincipal VerifyOAuth2(HttpRequestMessageProperty httpDetails, Uri requestUri, params string[] requiredScopes) 
        // for this sample where the auth server and resource server are the same site,
        // we use the same public/private key.
        using (var signing = PixidoRest.MvcApplication.CreateAuthorizationServerSigningServiceProvider())
        
            using (var encrypting = PixidoRest.MvcApplication.CreateResourceServerEncryptionServiceProvider())
            
                var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(signing, encrypting));
                return resourceServer.GetPrincipal(httpDetails, requestUri, requiredScopes);
            
        
    

因为我无法路径“HttpRequestMessageProperty”，所以我被困在那里以验证我从客户端收到的 AccesToken。如何在 MVC 3 Restful API 应用程序上将其作为 OAuth 客户端的资源服务器进行验证？

这是我的其他代码：

internal static RSACryptoServiceProvider CreateResourceServerEncryptionServiceProvider()
    
        var resourceServerEncryptionServiceProvider = new RSACryptoServiceProvider();
        resourceServerEncryptionServiceProvider.ImportParameters(ResourceServerEncryptionPrivateKey);
        return resourceServerEncryptionServiceProvider;
    

    /// <summary>
    /// Creates the crypto service provider for the authorization server that contains the public key used to verify an access token signature.
    /// </summary>
    /// <returns>An RSA crypto service provider.</returns>
    internal static RSACryptoServiceProvider CreateAuthorizationServerSigningServiceProvider()
    
        var authorizationServerSigningServiceProvider = new RSACryptoServiceProvider();
        authorizationServerSigningServiceProvider.ImportParameters(AuthorizationServerSigningPublicKey);
        return authorizationServerSigningServiceProvider;
    

public class RequireAuthorization : ActionFilterAttribute

    public string Scope  get; set; 

    public override void OnActionExecuting(ActionExecutingContext actionContext)
    
        string[] scope = null;
        if (!string.IsNullOrEmpty(Scope))
        
            scope = Scope.Split(new[]  "," , StringSplitOptions.RemoveEmptyEntries);
        

        var query = actionContext.RequestContext.HttpContext.Request;
        var req = actionContext.HttpContext;
        var authvalue = query.Headers["Authorization"];
        OAuthAuthorizationManager.VerifyOAuth2(query, query.Url.AbsoluteUri);
        //var response = new HttpResponseMessageProperty()
        //
           //here is my question.
        //;


        base.OnActionExecuting(actionContext);

        //redirect page to
        //if (CheckUrCondition)
        //
        //actionContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new
        //
        //    controller = "Home",
        //    action = "Index"
        //));
        ////
    

提前致谢。

【问题讨论】：

你解决了吗？如果有，请分享！

【参考方案1】：

我遇到了同样的问题，并提出了以下适用于我的自定义 Authorize 属性。请注意，我的示例依赖于通过依赖注入注入的 ResourceServer 属性。当然，你也可以让它指向一个静态实例。

using System;
using System.Threading;
using System.Web;
using System.Web.Mvc;

using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OAuth2;

/// <summary>
/// Allows authorization to be applied to ASP.NET MVC methods where OAuth is used as the authorization mechanism.
/// </summary>
public class OAuthAuthorizeAttribute : AuthorizeAttribute

    /// <summary>
    /// Gets or sets the resource server that will be used to process the access token
    /// that will be used to authorized.
    /// </summary>
    /// <value>
    /// The resource server.
    /// </value>
    /// <remarks>
    /// This property will most likely be set using dependency-injection.
    /// </remarks>
    public ResourceServer ResourceServer  get; set; 

    /// <summary>
    /// Gets or sets the scopes.
    /// </summary>
    /// <value>
    /// The required scopes.
    /// </value>
    /// <remarks>
    /// Multiple scopes can be used by separating them with spaces.
    /// </remarks>
    public string Scopes  get; set; 

    /// <summary>
    /// When overridden, provides an entry point for custom authorization checks.
    /// </summary>
    /// <param name="httpContext">The HTTP context, which encapsulates all HTTP-specific information about an individual HTTP request.</param>
    /// <returns>
    /// true if the user is authorized; otherwise, false.
    /// </returns>
    /// <exception cref="System.InvalidOperationException">Thrown when the <see cref="ResourceServer"/> property is <c>null</c>.</exception>
    /// <exception cref="System.InvalidOperationException">Thrown when the <see cref="Scopes"/> property is <c>null</c>.</exception>
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    
        if (this.ResourceServer == null)
        
            throw new InvalidOperationException("The ResourceServer property must not be null.");
        

        try
        
            this.StorePrincipalFromAccessToken(httpContext);

            return this.AccessTokenIsAuthorizedForRequestedScopes();
        
        catch (ProtocolException)
        
            return false;
        
    

    /// <summary>
    /// Processes HTTP requests that fail authorization.
    /// </summary>
    /// <param name="filterContext">Encapsulates the information for using <see cref="T:System.Web.Mvc.AuthorizeAttribute" />. The <paramref name="filterContext" /> object contains the controller, HTTP context, request context, action result, and route data.</param>
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    
        filterContext.Result = new HttpUnauthorizedResult();
    

    /// <summary>
    /// Stores the principal contained in the current access token.
    /// </summary>
    /// <param name="httpContext">The HTTP context.</param>
    protected virtual void StorePrincipalFromAccessToken(HttpContextBase httpContext)
    
        httpContext.User = this.ResourceServer.GetPrincipal();
        Thread.CurrentPrincipal = httpContext.User;
    

    /// <summary>
    /// Check if the access token provided is authorized for the requested scopes.
    /// </summary>
    /// <returns></returns>
    protected virtual bool AccessTokenIsAuthorizedForRequestedScopes()
    
        return OAuthUtilities.SplitScopes(this.Scopes ?? string.Empty).IsSubsetOf(this.ResourceServer.GetAccessToken().Scope);
    

您现在可以按如下方式使用此属性：

using System.Web.Mvc;

public class DemoController : Controller

    [OAuthAuthorize(Scopes = "public")]
    public ActionResult Index()
    
        return this.View();