3

我有 3 个应用程序;OAuth 2.0 生成令牌的身份验证服务器、请求令牌的 OAuth 客户端、提供 Restful API 的 OAuth 资源服务器。这些都是 MVC 3 Web 应用程序。我的问题是如何验证从客户端到达 OAuth 资源服务器的访问令牌?例如,OAuth 客户端收到来自 OAuth 服务器的带有访问令牌的响应。然后客户端在向 OAuth 资源服务器发出请求以调用 API 函数之一之前将此令牌添加到标头中。即使我可以在 headers[Authentication] 中看到访问令牌,我也找不到验证此令牌的方法。因为我使用 MVC3 通过 Area 设计 Restful API,所以我不能使用下面的函数,它与 SOAP Web 服务一起使用。

private static IPrincipal VerifyOAuth2(HttpRequestMessageProperty httpDetails, Uri requestUri, params string[] requiredScopes) {
        // for this sample where the auth server and resource server are the same site,
        // we use the same public/private key.
        using (var signing = PixidoRest.MvcApplication.CreateAuthorizationServerSigningServiceProvider())
        {
            using (var encrypting = PixidoRest.MvcApplication.CreateResourceServerEncryptionServiceProvider())
            {
                var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(signing, encrypting));
                return resourceServer.GetPrincipal(httpDetails, requestUri, requiredScopes);
            }
        }
    }

因为我无法路径“HttpRequestMessageProperty”,所以我被困在那里以验证我从客户端收到的 AccesToken。如何在 MVC 3 Restful API 应用程序上验证这一点作为 OAuth 客户端的资源服务器?

这是我的其他代码:

internal static RSACryptoServiceProvider CreateResourceServerEncryptionServiceProvider()
    {
        var resourceServerEncryptionServiceProvider = new RSACryptoServiceProvider();
        resourceServerEncryptionServiceProvider.ImportParameters(ResourceServerEncryptionPrivateKey);
        return resourceServerEncryptionServiceProvider;
    }

    /// <summary>
    /// Creates the crypto service provider for the authorization server that contains the public key used to verify an access token signature.
    /// </summary>
    /// <returns>An RSA crypto service provider.</returns>
    internal static RSACryptoServiceProvider CreateAuthorizationServerSigningServiceProvider()
    {
        var authorizationServerSigningServiceProvider = new RSACryptoServiceProvider();
        authorizationServerSigningServiceProvider.ImportParameters(AuthorizationServerSigningPublicKey);
        return authorizationServerSigningServiceProvider;
    }

public class RequireAuthorization : ActionFilterAttribute
{
    public string Scope { get; set; }

    public override void OnActionExecuting(ActionExecutingContext actionContext)
    {
        string[] scope = null;
        if (!string.IsNullOrEmpty(Scope))
        {
            scope = Scope.Split(new[] { "," }, StringSplitOptions.RemoveEmptyEntries);
        }

        var query = actionContext.RequestContext.HttpContext.Request;
        var req = actionContext.HttpContext;
        var authvalue = query.Headers["Authorization"];
        OAuthAuthorizationManager.VerifyOAuth2(query, query.Url.AbsoluteUri);
        //var response = new HttpResponseMessageProperty()
        //{
           //here is my question.
        //};


        base.OnActionExecuting(actionContext);

        //redirect page to
        //if (CheckUrCondition)
        //{
        //actionContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new
        //{
        //    controller = "Home",
        //    action = "Index"
        //}));
        ////}
    }

提前致谢。

4

1 回答 1

3

我遇到了同样的问题,并提出了以下适用于我的自定义 Authorize 属性。请注意,我的示例依赖于通过依赖注入注入的 ResourceServer 属性。当然,你也可以让它指向一个静态实例。

using System;
using System.Threading;
using System.Web;
using System.Web.Mvc;

using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OAuth2;

/// <summary>
/// Allows authorization to be applied to ASP.NET MVC methods where OAuth is used as the authorization mechanism.
/// </summary>
public class OAuthAuthorizeAttribute : AuthorizeAttribute
{
    /// <summary>
    /// Gets or sets the resource server that will be used to process the access token
    /// that will be used to authorized.
    /// </summary>
    /// <value>
    /// The resource server.
    /// </value>
    /// <remarks>
    /// This property will most likely be set using dependency-injection.
    /// </remarks>
    public ResourceServer ResourceServer { get; set; }

    /// <summary>
    /// Gets or sets the scopes.
    /// </summary>
    /// <value>
    /// The required scopes.
    /// </value>
    /// <remarks>
    /// Multiple scopes can be used by separating them with spaces.
    /// </remarks>
    public string Scopes { get; set; }

    /// <summary>
    /// When overridden, provides an entry point for custom authorization checks.
    /// </summary>
    /// <param name="httpContext">The HTTP context, which encapsulates all HTTP-specific information about an individual HTTP request.</param>
    /// <returns>
    /// true if the user is authorized; otherwise, false.
    /// </returns>
    /// <exception cref="System.InvalidOperationException">Thrown when the <see cref="ResourceServer"/> property is <c>null</c>.</exception>
    /// <exception cref="System.InvalidOperationException">Thrown when the <see cref="Scopes"/> property is <c>null</c>.</exception>
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (this.ResourceServer == null)
        {
            throw new InvalidOperationException("The ResourceServer property must not be null.");
        }

        try
        {
            this.StorePrincipalFromAccessToken(httpContext);

            return this.AccessTokenIsAuthorizedForRequestedScopes();
        }
        catch (ProtocolException)
        {
            return false;
        }
    }

    /// <summary>
    /// Processes HTTP requests that fail authorization.
    /// </summary>
    /// <param name="filterContext">Encapsulates the information for using <see cref="T:System.Web.Mvc.AuthorizeAttribute" />. The <paramref name="filterContext" /> object contains the controller, HTTP context, request context, action result, and route data.</param>
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new HttpUnauthorizedResult();
    }

    /// <summary>
    /// Stores the principal contained in the current access token.
    /// </summary>
    /// <param name="httpContext">The HTTP context.</param>
    protected virtual void StorePrincipalFromAccessToken(HttpContextBase httpContext)
    {
        httpContext.User = this.ResourceServer.GetPrincipal();
        Thread.CurrentPrincipal = httpContext.User;
    }

    /// <summary>
    /// Check if the access token provided is authorized for the requested scopes.
    /// </summary>
    /// <returns></returns>
    protected virtual bool AccessTokenIsAuthorizedForRequestedScopes()
    {
        return OAuthUtilities.SplitScopes(this.Scopes ?? string.Empty).IsSubsetOf(this.ResourceServer.GetAccessToken().Scope);
    }
}

您现在可以按如下方式使用此属性:

using System.Web.Mvc;

public class DemoController : Controller
{
    [OAuthAuthorize(Scopes = "public")]
    public ActionResult Index()
    {
        return this.View();
    }
}
于 2013-03-28T07:51:38.983 回答