Web API 2 /Token返回更多信息
本文关键字:信息 返回 Token API Web | 更新日期: 2023-09-27 17:50:54
我使用OAuth为我的应用程序生成令牌,特别是JWT。我在我的启动类中有这段代码:
private void ConfigureOAuthTokenGeneration(IAppBuilder app)
{
// Configure the db context and user manager to use a single instance per request
app.CreatePerOwinContext(DatabaseContext.Create);
app.CreatePerOwinContext<UserService>(UserService.Create);
app.CreatePerOwinContext<RoleService>(RoleService.Create);
// Plugin the OAuth bearer JSON Web Token tokens generation and Consumption will be here
var OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
//For Dev enviroment only (on production should be AllowInsecureHttp = false)
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/oauth/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
Provider = new OAuthProvider(),
AccessTokenFormat = new CustomJwtFormat("http://localhost:58127")
};
// OAuth 2.0 Bearer Access Token Generation
app.UseOAuthAuthorizationServer(OAuthServerOptions);
}
正如你所看到的,我已经设置了一个自定义OAuthProvider,对于AccessTokenFormat,我使用的是CustomJwtFormat。OAuthProvider看起来像这样:
public class OAuthProvider : OAuthAuthorizationServerProvider
{
/// <summary>
/// Validate client authentication
/// </summary>
/// <param name="context">The current context</param>
/// <returns></returns>
public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
// Validate all requests (because our front end is trusted)
context.Validated();
// Return nothing
return Task.FromResult<object>(null);
}
/// <summary>
/// Validate user credentials
/// </summary>
/// <param name="context">The current context</param>
/// <returns></returns>
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
// Allow any origin
var allowedOrigin = "*";
// Add the access control allow all to our headers
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });
// Get our user service
var service = context.OwinContext.GetUserManager<UserService>();
// Find out user
var user = await service.FindAsync(context.UserName, context.Password);
// If the user is not found
if (user == null)
{
// Set an error
context.SetError("invalid_grant", "The user name or password is incorrect.");
// Return from the function
return;
}
// If the user has not confirmed their account
if (!user.EmailConfirmed)
{
// Set an error
context.SetError("invalid_grant", "User did not confirm email.");
// Return from the function
return;
}
// Generate the identity for the user
var oAuthIdentity = await user.GenerateUserIdentityAsync(service, "JWT");
// Create a new ticket
var ticket = new AuthenticationTicket(oAuthIdentity, null);
// Add the ticked to the validated context
context.Validated(ticket);
}
}
非常直接。此外,CustomJwtFormat类看起来像这样:
/// <summary>
/// JWT Format
/// </summary>
public class CustomJwtFormat : ISecureDataFormat<AuthenticationTicket>
{
// Create our private property
private readonly string issuer;
/// <summary>
/// Default constructor
/// </summary>
/// <param name="issuer">The issuer</param>
public CustomJwtFormat(string issuer)
{
this.issuer = issuer;
}
/// <summary>
/// Method to create our JWT token
/// </summary>
/// <param name="data">The Authentication ticket</param>
/// <returns></returns>
public string Protect(AuthenticationTicket data)
{
// If no data is supplied, throw an exception
if (data == null)
throw new ArgumentNullException("data");
// Get our values from our appSettings
string audienceId = ConfigurationManager.AppSettings["as:AudienceId"];
string symmetricKeyAsBase64 = ConfigurationManager.AppSettings["as:AudienceSecret"];
// Decode our secret and encrypt the bytes
var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64);
var signingKey = new HmacSigningCredentials(keyByteArray);
// Get our issue and expire dates in UNIX timestamps
var issued = data.Properties.IssuedUtc;
var expires = data.Properties.ExpiresUtc;
// Create our new token
var token = new JwtSecurityToken(this.issuer, audienceId, data.Identity.Claims, issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey);
// Create a handler
var handler = new JwtSecurityTokenHandler();
// Write our token string
var jwt = handler.WriteToken(token);
// Return our token string
return jwt;
}
/// <summary>
///
/// </summary>
/// <param name="protectedText"></param>
/// <returns></returns>
public AuthenticationTicket Unprotect(string protectedText)
{
throw new NotImplementedException();
}
}
这是关键的一点。它使用Thinktecture生成令牌。这一行看起来像这样:
// Create our new token
var token = new JwtSecurityToken(this.issuer, audienceId, data.Identity.Claims, issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey);
// Create a handler
var handler = new JwtSecurityTokenHandler();
// Write our token string
var jwt = handler.WriteToken(token);
这返回你所期望的令牌(access_token, expires_in和token_type),但我也想返回一些用户信息。如用户名、角色等
有人知道我怎么做这个吗?
用户名和角色出现在经过身份验证的身份声明中,因此保存在通过访问令牌发送回的JWT中。
所以这行:
var token = new JwtSecurityToken(_issuer, audienceId, data.Identity.Claims,issued,expires,signingKey);
插入认证身份的声明:
。如果我在OAuth提供程序中这样做:
' ' '
IList<Claim> claims = new List<Claim>();
if (context.UserName.Equals("spencer") && context.UserName.Equals(context.Password))
{
claims.Add(new Claim(ClaimTypes.Name, user.DisplayName));
claims.Add(new Claim(ClaimTypes.Role, "User"));
}
));
var claimIdentity = new ClaimsIdentity(claims);
var ticket = new AuthenticationTicket(claimIdentity, null);
//Now authed and claims are in my identity context
context.Validated(ticket);
' ' '
现在,当JWT生成时,这些声明都在令牌中。
你可以用显式的角色来修饰你的Api控制器,这样就可以在claimset中查询"roles"类型。如果用户在角色声明集中没有角色,则发出401:
' ' '
[Route]
[Authorize(Roles ="User,Admin")]
public IHttpActionResult Get()
{
return Ok<IEnumerable<Product>>(_products);
}
[Route]
[Authorize(Roles = "Admin")]
public IHttpActionResult Post(Product product)
{
_products.Add(product);
return Created(string.Empty, product);
}
' ' '
所以在上面的例子中,如果我生成一个JWT作为我"Spencer",我在用户角色中,GET将是OK(200),而POST将是Unauthorized(401)。
有意义吗?