从承载令牌生成身份

这是一个相当老的问题，但我认为答案仍然缺失。我可以使用以下行

重新生成Principal

var ticket = Startup.OAuthOptions.AccessTokenFormat.Unprotect(accessToken);
var identity = ticket.Identity;

首先需要基于令牌创建一些声明，然后创建ClaimsIdentity并使用它来授权用户。

public ActionResoult Login(string token)
{
    if(_tokenManager.IsValid(token))         
    {
        // optionally you have own user manager which returns roles and user name from token
        // no matter how you store users and roles
        var user=_myUserManager.GetUserRoles(token);
        // user is valid, going to authenticate user for my App
        var ident = new ClaimsIdentity(
            new[] 
            {  
                // adding following 2 claim just for supporting default antiforgery provider
                new Claim(ClaimTypes.NameIdentifier, token),
                new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "ASP.NET Identity", "http://www.w3.org/2001/XMLSchema#string"),
                // an optional claim you could omit this 
                new Claim(ClaimTypes.Name, user.Username),
                // populate assigned user's role form your DB 
                // and add each one as a claim  
                new Claim(ClaimTypes.Role, user.Roles[0]),
                new Claim(ClaimTypes.Role, user.Roles[1]),
                // and so on
            },
            DefaultAuthenticationTypes.ApplicationCookie);
        // Identity is sign in user based on claim don't matter 
        // how you generated it             
        HttpContext.GetOwinContext().Authentication.SignIn(
            new AuthenticationProperties { IsPersistent = false }, ident);
        // auth is succeed, just from a token
        return RedirectToAction("MyAction"); 
    }
    // invalid user        
    ModelState.AddModelError("", "We could not authorize you :(");
    return View();
}

现在你也可以使用Authorize过滤器:

[Authorize]
public ActionResult Foo()
{
}
// since we injected user roles to Identity we could do this as well
[Authorize(Roles="admin")]
public ActionResult Foo()
{
    // since we injected our authentication mechanism to Identity pipeline 
    // we have access current user principal by calling also
    // HttpContext.User
}

我也鼓励你从我的github repo看看基于令牌的身份验证样本作为一个非常简单的工作示例。

令牌仅保存声明，并且仅用于对资源进行身份验证。如果其中一个声明包含用户信息，您可以创建一个标识并将声明分配给它。

public void ValidateBearerToken(OwinContext context)
{
    try
    {
       var tokenHandler = new JwtSecurityTokenHandler();
       byte[] securityKey = GetBytes("some key"); //this should come from a config file
       SecurityToken securityToken;
       var validationParameters = new TokenValidationParameters()
       {
          ValidAudience = "http://localhost:2000", 
          IssuerSigningToken = new BinarySecretSecurityToken(securityKey),
          ValidIssuer = "Self"
       };
       var auth = context.Request.Headers["Authorization"];
       if (!string.IsNullOrWhiteSpace(auth) && auth.Contains("Bearer"))
       {
          var token = auth.Split(' ')[1];
          var principal = tokenHandler.ValidateToken(token, validationParameters, out securityToken);
          context.Request.User = principal;
       }
   }
   catch (Exception ex)
   {
       var message = ex.Message;
   }
}