0
我使用asp.net聲明將敏感信息添加到OAuth承載令牌中。令牌由wep api生成並由客戶端發送給每個請求的api。使用asp.net聲明使用OAuth承載令牌發送敏感信息
下面是上述生成令牌
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
using (var applicationDb = new ApplicationDbContext())
using (var userStore = new UserStore<AppUser>(applicationDb))
{
IApplicationUserService applicationUserService = new ApplicationUserService(userStore, null, null, null);
try
{
var appUser = await applicationUserService.AuthenticateUserAsync(context.UserName, context.Password);
if (appUser == null)
context.SetError("InvalidCredentials", "The email or password that you entered is incorrect.");
else if (!appUser.EmailConfirmed)
context.SetError("EmailVerification", "You must verify your email address before signing in.");
else
{
var roles = applicationUserService.GetUserRoles(appUser.Id);
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.UserId, appUser.Id));
identity.AddClaim(new Claim(ClaimTypes.Roles, string.Join(",", roles.ToArray())));
context.Validated(identity);
}
}
catch (Exception exception)
{
context.SetError("server error", "Server error! Please try again later.");
}
}
}
public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
context.Validated();
}
在代碼的功能,我加入帳戶及作用的權利要求書中所述令牌。我正在使用角色來訪問Web API中的特定信息。
這種方法有多安全?我可以信任令牌中的信息嗎?用戶可以篡改令牌並更改角色嗎?
如果是這樣,我該如何預防呢?我應該使用數據庫重新驗證令牌中的所有信息嗎?