asp.net-mvc – 使用JWT实现的最小WebAPI2 OAuth:401始终返回

前端之家收集整理的这篇文章主要介绍了asp.net-mvc – 使用JWT实现的最小WebAPI2 OAuth:401始终返回前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
我正在尝试使用JWT令牌实现一个简单的WebAPI2项目来保护我的API函数.由于我对此很陌生,我主要关注这些教程作为指导: http://bitoftech.net/2015/01/21/asp-net-identity-2-with-asp-net-web-api-2-accounts-management/,其代码分别为 https://github.com/tjoudeh/AspNetIdentity.WebApihttp://odetocode.com/blogs/scott/archive/2015/01/15/using-json-web-tokens-with-katana-and-webapi.aspx.

编辑#1:请参阅底部:client_id = null的已解决问题.

当然,我的实现中有一些细节发生了变化,这在我学习时应该是最小的,而且我当前的要求并不复杂:我不使用第三方JWT或安全库(如Thinktecture或Jamie Kurtz JwtAuthForWebAPI),但只是坚持使用MS JWT组件,我也不需要2FA或外部登录,因为这将是由管理员注册用户使用的客户端应用程序所使用的公司API.

我设法实现了一个返回JWT令牌的API,但是当我向任何受保护的API发出请求时(当然,未受保护的API确实有效),请求会因401-Unauthorized错误而被拒绝. api / token端点的示例请求/响应如下所示:

请求:

POST http://localhost:50505/token HTTP/1.1
Host: localhost:50505
Connection: keep-alive
Content-Length: 56
Accept: application/json,text/plain,*/*
Origin: http://localhost:50088
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/41.0.2272.118 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Referer: http://localhost:50088/dist/
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8,it;q=0.6

grant_type=password&username=Zeus&password=ThePasswordHere

响应:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 343
Content-Type: application/json;charset=UTF-8
Expires: -1
Server: Microsoft-IIS/8.0
Access-Control-Allow-Origin: http://localhost:50088
Access-Control-Allow-Credentials: true
X-SourceFiles: =?UTF-8?B?QzpcUHJvamVjdHNcNDViXEV4b1xJYW5pdG9yXElhbml0b3IuV2ViQXBpXHRva2Vu?=
X-Powered-By: ASP.NET
Date: Mon,13 Apr 2015 22:16:50 GMT

{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1bmlxdWVfbmFtZSI6IlpldXMiLCJyb2xlIjoiYWRtaW5pc3RyYXRvciIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTA1MDUiLCJhdWQiOiIwZDQ1ZTljZWM4MzY0NmI2YTE3Mzg0N2VjOWM5NmY3ZiIsImV4cCI6MTQyOTA0OTgwOSwibmJmIjoxNDI4OTYzNDA5fQ.-GFvtEfNI7Y8tf6Ln1MpxJc4yORuf2gzksGjRbSMEnU","token_type":"bearer","expires_in":86399}

如果我检查令牌(在http://jwt.io/),我得到JWT有效负载的JSON:

{
  "unique_name": "Zeus","role": "administrator","iss": "http://localhost:50505","aud": "0d45e9cec83646b6a173847ec9c96f7f","exp": 1429049809,"nbf": 1428963409
}

然而,任何具有类似令牌的请求(这里是样本模板中使用的’规范’API ValuesController),就像这样(我省略了正确发布的预检OPTIONS CORS请求):

GET http://localhost:50505/api/values HTTP/1.1
Host: localhost:50505
Connection: keep-alive
Accept: application/json,like Gecko) Chrome/41.0.2272.118 Safari/537.36
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1bmlxdWVfbmFtZSI6IlpldXMiLCJyb2xlIjoiYWRtaW5pc3RyYXRvciIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTA1MDUiLCJhdWQiOiIwZDQ1ZTljZWM4MzY0NmI2YTE3Mzg0N2VjOWM5NmY3ZiIsImV4cCI6MTQyOTA4MzAzOCwibmJmIjoxNDI4OTk2NjM4fQ.i5ik6ggSzoV2Nz-1_Od5fZVKxBpgOmEJcQN00YsG_DU
Referer: http://localhost:50088/dist/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,it;q=0.6

401失败了:

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
Access-Control-Allow-Origin: http://localhost:50088
Access-Control-Allow-Credentials: true
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?QzpcUHJvamVjdHNcNDViXEV4b1xJYW5pdG9yXElhbml0b3IuV2ViQXBpXGFwaVx2YWx1ZXM=?=
X-Powered-By: ASP.NET
Date: Tue,14 Apr 2015 07:30:53 GMT
Content-Length: 61

{"message":"Authorization has been denied for this request."}

鉴于对于像我这样的安全新手来说这是一个相当复杂的话题,接下来我将描述我的解决方案的基本方面,以便专家能够指出我的解决方案,新人可以找到一些最新的指导.

数据层

我使用EntityFramework在单独的DLL项目中创建了我的数据层,并包括我的IdentityDbContext派生的数据上下文及其实体(用户和受众). User实体只是为名字和姓氏添加了几个字符串属性.受众实体用于为多个受众提供基础设施;它有一个ID(一个由字符串属性表示的GUID),一个名称(仅用于提供人性化的标签)和一个base-64编码的共享密钥.

使用迁移我创建了数据库并将其与管理员用户和测试受众一起播种.

Web API

1.启动模板

我创建了一个空的WebApp项目,包括WebAPI库,没有用户身份验证,因为默认的身份验证模板对于我的有限用途而言过于臃肿,并且对于学习者来说过于活跃的部分.我手动添加了所需的NuGet包,最后是:

EntityFramework
Microsoft.AspNet.Identity.EntityFramework
Microsoft.AspNet.Cors
Microsoft.AspNet.Identity.Owin
Microsoft.AspNet.WebApi
Microsoft.AspNet.WebApi.Client
Microsoft.AspNet.WebApi.Core
Microsoft.AspNet.WebApi.Owin
Microsoft.AspNet.WebApi.WebHost
Microsoft.Owin
Microsoft.Owin.Cors
Microsoft.Owin.Host.SystemWeb
Microsoft.Owin.Security
Microsoft.Owin.Security.Cookies
Microsoft.Owin.Security.Jwt
Microsoft.Owin.Security.OAuth
Newtonsoft.Json
Owin
System.IdentityModel.Tokens.Jwt

2.基础设施

至于基础设施,我创建了一个相当标准的ApplicationUserManager(在我的情况下,底层的提供者不是必需的,但我将其添加为其他项目的提醒):

public class ApplicationUserManager : UserManager<User>
{
    public ApplicationUserManager(IUserStore<User> store)
        : base(store)
    {
    }

    public static ApplicationUserManager Create(
        IdentityFactoryOptions<ApplicationUserManager> options,IOwinContext context)
    {
        var manager = new ApplicationUserManager
            (new UserStore<User>(context.Get<IanitorContext>()));

        manager.UserValidator = new UserValidator<User>(manager)
        {
            AllowOnlyAlphanumericUserNames = false,RequireUniqueEmail = true
        };

        manager.PasswordValidator = new PasswordValidator
        {
            requiredLength = 6,RequireNonLetterOrDigit = true,requiredigit = true,RequireLowercase = true,RequireUppercase = true,};

        manager.UserLockoutEnabledByDefault = true;
        manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5);
        manager.MaxFailedAccessAttemptsBeforeLockout = 5;

        var dataProtectionProvider = options.DataProtectionProvider;
        if (dataProtectionProvider != null)
        {
            // for email confirmation and reset password life time
            manager.UserTokenProvider =
                new DataProtectorTokenProvider<User>(dataProtectionProvider.Create("ASP.NET Identity"))
                {
                    TokenLifespan = TimeSpan.FromHours(6)
                };
        }
        return manager;
    }

3.供应商

另外,我需要一个OAuth令牌提供程序:AFAIK,这里的核心方法是GrantResourceOwnerCredentials,它验证我的商店收到的用户名和密码;当这成功时,我创建一个新的ClaimsIdentity并用我想要在我的令牌中发布的经过身份验证的用户声明填充它;然后,我使用此加上一些元数据属性(此处为受众标识)来创建AuthenticationTicket,并将其传递给context.Validated方法

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication
        (OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials
        (OAuthGrantResourceOwnerCredentialsContext context)
    {
        // http://www.codeproject.com/Articles/742532/Using-Web-API-Individual-User-Account-plus-CORS-En
        if (!context.OwinContext.Response.Headers.ContainsKey("Access-Control-Allow-Origin"))
            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin",new []{"*"});

        if ((String.IsNullOrWhiteSpace(context.UserName)) || 
            (String.IsNullOrWhiteSpace(context.Password)))
        {
            context.Rejected();
            return;
        }

        ApplicationUserManager manager = 
            context.OwinContext.GetUserManager<ApplicationUserManager>();
        User user = await manager.FindAsync(context.UserName,context.Password);
        if (user == null)
        {
            context.Rejected();
            return;
        }

        // add selected claims for building the token
        ClaimsIdentity identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name,user.UserName));
        foreach (var role in manager.GetRoles(user.Id))
            identity.AddClaim(new Claim(ClaimTypes.Role,role));

        // add audience
        // TODO: why context.ClientId is null? I would expect an audience ID
        AuthenticationProperties props =
            new AuthenticationProperties(new Dictionary<string,string>
            {
                {
                    ApplicationJwtFormat.AUDIENCE_PROPKEY,context.ClientId ?? ConfigurationManager.AppSettings["audienceId"]
                }
            });

        DateTime now = DateTime.UtcNow;
        props.IssuedUtc = now;
        props.ExpiresUtc = now.AddMinutes(context.Options.AccessTokenExpireTimeSpan.TotalMinutes);

        AuthenticationTicket ticket = new AuthenticationTicket(identity,props);
        context.Validated(ticket);
    }
}

这里的第一个问题是,在调试时我可以看到接收的上下文客户端ID为空.我不确定应该在哪里设置.这就是为什么我在这里回到默认的受众ID(足够我的测试目的,一次吃一口大象).

这里的另一个关键组件是JWT令牌格式化程序,它负责从故障单构建JWT令牌.在我的实现中,我在其构造函数中注入一个函数来检索我的EF数据上下文,因为格式化程序需要它来获取受众的密钥.所需的受众标识来自上述代码设置的元数据属性,用于查找受众实体的商店.如果没有找到,我会回到我的Web.config中定义的默认受众(这是我使用的测试客户端应用程序).一旦我拥有了受众密钥,我就可以为令牌创建签名凭据,并将其与来自上下文的数据一起使用来构建我的JWT.

public class ApplicationJwtFormat : ISecureDataFormat<AuthenticationTicket>
{
    private readonly Func<IanitorContext> _contextGetter;
    private string _sIssuer;
    public const string AUDIENCE_PROPKEY = "audience";

    private const string SIGNATURE_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256";
    private const string DIGEST_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#sha256";

    public string Issuer
    {
        get { return _sIssuer; }
        set
        {
            if (value == null) throw new ArgumentNullException("value");
            _sIssuer = value;
        }
    }

    public ApplicationJwtFormat(Func<IanitorContext> contextGetter)
    {
        if (contextGetter == null) throw new ArgumentNullException("contextGetter");

        _contextGetter = contextGetter;
        Issuer = "http://localhost:50505";
    }

    public string Protect(AuthenticationTicket data)
    {
        if (data == null) throw new ArgumentNullException("data");

        // get the audience ID from the ticket properties (as set by ApplicationOAuthProvider
        // GrantResourceOwnerCredentials from its OAuth client ID)
        string sAudienceId = data.Properties.Dictionary.ContainsKey(AUDIENCE_PROPKEY)
            ? data.Properties.Dictionary[AUDIENCE_PROPKEY]
            : null;

        // get audience data
        Audience audience;
        using (IanitorContext db = _contextGetter())
        {
            audience = db.Audiences.FirstOrDefault(a => a.Id == sAudienceId) ??
                new Audience
                {
                    Id = ConfigurationManager.AppSettings["audienceId"],Name = ConfigurationManager.AppSettings["audienceName"],Base64Secret = ConfigurationManager.AppSettings["audienceSecret"]
                };
        }

        byte[] key = TextEncodings.Base64Url.Decode(audience.Base64Secret);

        DateTimeOffset? issued = data.Properties.IssuedUtc ?? 
            new DateTimeOffset(DateTime.UtcNow);
        DateTimeOffset? expires = data.Properties.ExpiresUtc;

        SigningCredentials credentials = new SigningCredentials(
            new InMemorySymmetricSecurityKey(key),SIGNATURE_ALGORITHM,DIGEST_ALGORITHM);

        JwtSecurityToken token = new JwtSecurityToken(_sIssuer,audience.Id,data.Identity.Claims,issued.Value.UtcDateTime,expires.Value.UtcDateTime,credentials);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public AuthenticationTicket Unprotect(string protectedText)
    {
        throw new NotImplementedException();
    }
}

4.启动

最后,将事物粘合在一起的启动代码:Application_Start中的Global.asax代码只是一个方法调用:GlobalConfiguration.Configure(WebApiConfig.Register);,它调用典型的WebAPI路由设置代码,只增加几个附加内容身份验证和返回驼峰式JSON:

public static void Register(HttpConfiguration config)
    {
        // Configure Web API to use only bearer token authentication.
        config.SuppressDefaultHostAuthentication();

        // Use camel case for JSON data
        config.Formatters.JsonFormatter.SerializerSettings.ContractResolver =
            new CamelCasePropertyNamesContractResolver();

        // Web API routes
        config.MapHttpAttributeRoutes();

        config.Routes.MapHttpRoute(
            name: "DefaultApi",routeTemplate: "api/{controller}/{id}",defaults: new { id = RouteParameter.Optional }
        );
    }

OWIN启动配置OWIN中间件:

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        HttpConfiguration config = new HttpConfiguration();

        app.UseCors(CorsOptions.AllowAll);
        app.UseWebApi(config);

        ConfigureAuth(app);
    }
}

基本配置在ConfigureAuth方法中,按照模板约定在一个单独的文件中(App_Start / Startup.Auth.cs):这有一些OAuth和JWT的选项包装类.请注意,对于JWT,我通过从商店获取配置为配置添加多个受众.在ConfigureAuth中,我为OWIN配置依赖项,以便它可以获取所需对象的实例(EF数据上下文以及用户和角色管理器),然后使用指定的选项设置OAuth和JWT.

public partial class Startup
{
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
    public static JwtBearerAuthenticationOptions JwtOptions { get; private set; }

    static Startup()
    {
        string sIssuer = ConfigurationManager.AppSettings["issuer"];

        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),AuthorizeEndpointPath = new PathString("/accounts/authorize"),// not used
            Provider = new ApplicationOAuthProvider(),AccessTokenExpireTimeSpan = TimeSpan.FromHours(24),AccessTokenFormat = new ApplicationJwtFormat(IanitorContext.Create)
            {
                Issuer = sIssuer
            },AllowInsecureHttp = true   // do not allow in production
        };

        List<string> aAudienceIds = new List<string>();
        List<IIssuerSecurityTokenProvider> aProviders = 
            new List<IIssuerSecurityTokenProvider>();

        using (var context = IanitorContext.Create())
        {
            foreach (Audience audience in context.Audiences)
            {
                aAudienceIds.Add(audience.Id);
                aProviders.Add(new SymmetricKeyIssuerSecurityTokenProvider
                    (sIssuer,TextEncodings.Base64Url.Decode(audience.Base64Secret)));
            }
        }

        JwtOptions = new JwtBearerAuthenticationOptions
        {
            AllowedAudiences = aAudienceIds.ToArray(),IssuerSecurityTokenProviders = aProviders.ToArray()
        };
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(IanitorContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);

        app.USEOAuthAuthorizationServer(OAuthOptions);
        app.UseJwtBearerAuthentication(JwtOptions);
    }
}

编辑#1 – client_id

在查看几个示例时,我在ApplicationOAuthProvider中使用此代码结束:

public override Task ValidateClientAuthentication
    (OAuthValidateClientAuthenticationContext context)
{
    // http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/

    string sClientId;
    string sClientSecret;

    if (!context.TryGetBasicCredentials(out sClientId,out sClientSecret))
        context.TryGetFormCredentials(out sClientId,out sClientSecret);

    if (context.ClientId == null)
    {
        context.SetError("invalid_clientId","client_Id is not set");
        return Task.FromResult<object>(null);
    }

    IanitorContext db = context.OwinContext.Get<IanitorContext>();
    Audience audience = db.Audiences.FirstOrDefault(a => a.Id == context.ClientId);

    if (audience == null)
    {
        context.SetError("invalid_clientId",String.Format(CultureInfo.InvariantCulture,"Invalid client_id '{0}'",context.ClientId));
        return Task.FromResult<object>(null);
    }

    context.Validated();
    return Task.FromResult<object>(null);
}

在进行验证时,我会进行实际检查,以便从请求的正文中检索client_id,在我的受众商店中查找,并在找到时进行验证.这似乎解决了上面提到的问题,所以现在我在GrantResourceOwnerCredentials中获得了一个非空客户端ID;我还可以检查JWT内容并在aud下找到预期的ID.然而,在通过收到的令牌传递任何请求时,我一直收到401,例如:

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
Access-Control-Allow-Origin: http://localhost:50088
Access-Control-Allow-Credentials: true
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?RDpcUHJvamVjdHNcNDViXEV4b1xJYW5pdG9yXElhbml0b3IuV2ViQXBpXGFwaVx2YWx1ZXM=?=
X-Powered-By: ASP.NET
Date: Wed,22 Apr 2015 18:05:47 GMT
Content-Length: 61

{"message":"Authorization has been denied for this request."}

解决方法

我自己实现了JWT OAuth身份验证(带有承载令牌).
我认为你绝对可以使你的代码更轻松.

这是我发现的关于如何使用OAuth JWT保护Web API的基础知识的最佳帖子.

我暂时没有时间进一步解决你的问题.祝好运!

http://chimera.labs.oreilly.com/books/1234000001708/ch16.html#_resource_server_and_authorization_server

另外:

http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

猜你在找的asp.Net相关文章