So... I answered this earlier, but I was able to figure it out without overriding the authorize attribute. I ended up looking at the source of the OWIN security code. The trick is that you really need 2 OWIN middleware components. One of them is what I call the server middleware (I stole this from the owin source). The server middleware responds to the challenges and/or generates local tokens for you if you feel crazy. This middleware is also a passive middleware component. I didn't get into local tokens, since that's a bit out of scope unless someone asks for it, but if anyone thinks it would help I can update this.
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;

public class LowCalorieAuthenticationServerHandler : AuthenticationHandler<LowCalorieAuthenticationServerOptions>
{
    // Important: this needs to be overridden, but it never authenticates anyone;
    // it just returns a null ticket so the request is left untouched.
    protected override Task<AuthenticationTicket> AuthenticateCoreAsync()
    {
        return Task.FromResult<AuthenticationTicket>(null);
    }

    /// <summary>The apply response challenge async.</summary>
    /// <returns>The <see cref="Task"/>.</returns>
    protected override Task ApplyResponseChallengeAsync()
    {
        // Only a 401 can carry a challenge for this middleware.
        if (this.Response.StatusCode != 401)
        {
            return Task.FromResult<object>(null);
        }

        // In passive mode this is non-null only when the 401 explicitly
        // challenged this middleware's AuthenticationType.
        var challenge = this.Helper.LookupChallenge(
            this.Options.AuthenticationType,
            this.Options.AuthenticationMode);

        if (challenge != null)
        {
            // OK, in here you call the redirect to the 3rd party:
            // return a redirect to some endpoint (e.g. this.Response.Redirect(...)).
        }

        return Task.FromResult<object>(null);
    }
}
Anyway, notice how the override of AuthenticateCoreAsync() only returns Task.FromResult(null); this is because we don't want this middleware to modify the request. ApplyResponseChallengeAsync waits for the challenge and redirects you to the third-party login. If you want to create some kind of local token, you can override the InvokeAsync method.
The second middleware you need is the token/external credential validator. This validates the user's identity in some way. In the case of the local bearer tokens built into OWIN security, it simply deserializes the token and, if it can and the token hasn't expired, validates the user. So if you want to validate the token against a third-party SSO, e.g. Google or anything else, this is where you plug in the logic. In my case I wanted not only to call the third-party provider to get the user info, but also to check that their token is still valid, for single sign-out and to prevent multiple sessions.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;

public class LowCalorieAuthenticationHandler : AuthenticationHandler<LowCalorieAuthenticationOptions>
{
    // Going to give you the user for the request. You need to do 3 things here:
    // 1. Get the user claim from the request somehow, either from a header, request string, or cookie, whatever you want
    // 2. Validate the user with whatever user store or 3rd party SSO you want
    // 3. Generate an AuthenticationTicket to send on with the request; you can use that to see if the user is valid in any Identity collection you want.
    protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
    {
        // Good to throw in a point of override here.. but to keep it simple-ish
        string requestToken = null;
        string authorization = Request.Headers.Get("Authorization");

        // TOTAL FAKEOUT.. I am going to add a bearer token just so the simple sample works, but your client would have to provide this
        authorization = "Bearer 1234567869";

        // STEP 1
        if (!string.IsNullOrEmpty(authorization) && authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
        {
            requestToken = authorization.Substring("Bearer ".Length).Trim();
            return await FakeExternalBearer(requestToken);
        }

        // No usable token: a null ticket leaves the request unauthenticated.
        return null;
    }

    private Task<AuthenticationTicket> FakeExternalBearer(string token)
    {
        var authenticationType = Options.AuthenticationType;

        // Pretend to call the external resource server to get the user // STEP 2
        // CallExternal(token)

        // Create the AuthTicket from the return.. I will fake it out // STEP 3
        var identity = new ClaimsIdentity(
            authenticationType,
            ClaimsIdentity.DefaultNameClaimType,
            ClaimsIdentity.DefaultRoleClaimType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, "user1", null, authenticationType));
        identity.AddClaim(new Claim(ClaimTypes.Name, "Jon", null, authenticationType));

        var properties = new AuthenticationProperties();
        properties.ExpiresUtc = DateTime.UtcNow.AddMinutes(1);
        properties.IssuedUtc = DateTime.UtcNow;

        var ticket = new AuthenticationTicket(identity, properties);
        return Task.FromResult(ticket);
    }
}
OK, we override AuthenticateCoreAsync again, but this time we actually do something. This is your user authentication. This is the ACTIVE part of the middleware. Note that it needs to return a valid AuthenticationTicket. This runs on every request, so be careful about what you call and how often. So I have a very simple example here: https://github.com/jzoss/LowCalorieOwin. If anyone is interested in more details, just ask and I can add more. I did make it way too hard, because now that I understand it, it's really easy, but there are really no good examples of how to do this.
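The wiring the answer leaves out, as an added example that is not the answer's or the LowCalorieOwin project's own code: the two AuthenticationOptions subclasses, the AuthenticationMiddleware<TOptions> wrappers that create the handlers above, and the Startup registration. The option class names match the handlers above; the authentication type strings "LowCalorieServer" and "LowCalorieBearer" are assumptions.

```csharp
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Owin;
// Options for the passive "server" handler: with AuthenticationMode.Passive,
// Katana only applies its challenge when a 401 explicitly names this type.
// The authentication type names used here are assumed; use your own.
public class LowCalorieAuthenticationServerOptions : AuthenticationOptions
{
    public LowCalorieAuthenticationServerOptions()
        : base("LowCalorieServer") { AuthenticationMode = AuthenticationMode.Passive; }
}
// Options for the active handler: AuthenticateCoreAsync runs on every request.
public class LowCalorieAuthenticationOptions : AuthenticationOptions
{
    public LowCalorieAuthenticationOptions()
        : base("LowCalorieBearer") { AuthenticationMode = AuthenticationMode.Active; }
}

// Each middleware only hands Katana a fresh handler per request; the base class
// drives AuthenticateCoreAsync (per request in Active mode) and
// ApplyResponseChallengeAsync (on the way out) on that handler.
public class LowCalorieAuthenticationServerMiddleware : AuthenticationMiddleware<LowCalorieAuthenticationServerOptions>
{
    public LowCalorieAuthenticationServerMiddleware(OwinMiddleware next, LowCalorieAuthenticationServerOptions options)
        : base(next, options) { }
    protected override AuthenticationHandler<LowCalorieAuthenticationServerOptions> CreateHandler()
    {
        return new LowCalorieAuthenticationServerHandler();
    }
}

public class LowCalorieAuthenticationMiddleware : AuthenticationMiddleware<LowCalorieAuthenticationOptions>
{
    public LowCalorieAuthenticationMiddleware(OwinMiddleware next, LowCalorieAuthenticationOptions options)
        : base(next, options) { }
    protected override AuthenticationHandler<LowCalorieAuthenticationOptions> CreateHandler()
    {
        return new LowCalorieAuthenticationHandler();
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Register both ahead of Web API / MVC so every request passes through them.
        app.Use(typeof(LowCalorieAuthenticationServerMiddleware), new LowCalorieAuthenticationServerOptions());
        app.Use(typeof(LowCalorieAuthenticationMiddleware), new LowCalorieAuthenticationOptions());
    }
}
```

With this in place, a 401 that challenges "LowCalorieServer" (for example from an AuthorizeAttribute-protected action) reaches the server handler's ApplyResponseChallengeAsync, while the bearer handler populates Request.User on each request it can validate.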
I found it simpler to just override the authorize attribute. I asked a similar question and this person gave me the following link (BitOfTech.net). Please post if you get this figured out (http://stackoverflow.com/questions/32099027/webapi-token-issuance-authorization)
@Mr.B - Hey, check my answer.. I was finally able to do it.