使用Owin + Oauth2 + Identity2。Web API2身份2承载令牌许可更改
我有一个网络Api与默认的基本身份验证设置,我已经修改。
我startup.cs部分类
public void ConfigureAuth(IAppBuilder app)
{
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);//TODO: prob wont need this
// Configure the application for OAuth based flow
PublicClientId = "self";
OAuthOptions = new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/Token"),
Provider = new ApplicationOAuthProvider(PublicClientId),
AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),//TODO: prob wont need this
AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
// In production mode set AllowInsecureHttp = false
AllowInsecureHttp = true //TODO: set debug mode
};
// Token Generation
app.UseOAuthBearerTokens(OAuthOptions);
}
我startup.cs类偏在根
public void Configuration(IAppBuilder app)
{
HttpConfiguration config = new HttpConfiguration();
ConfigureAuth(app);
WebApiConfig.Register(config);
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
app.UseWebApi(config);
}
我applicationOAuthProvider.cs
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
//get user
var service = new CarrierApi.CarrierManagementClient();
var result = service.LoginAsync(context.UserName, context.Password);
var user = result.Result.Identity;
//TODO: log stuff here? i.e lastlogged etc?
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
ClaimsIdentity oAuthIdentity = user;
ClaimsIdentity cookiesIdentity = user;
AuthenticationProperties properties = CreateProperties(user.GetUserName());
AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
context.Validated(ticket);
context.Request.Context.Authentication.SignIn(cookiesIdentity);
}
正如你可以看到我通过对现有数据库的wcf调用来获取身份。当使用邮递员时,我得到/令牌url并获得我的不记名令牌,在下一个请求中,我将它传递给头并调用我的控制器方法。
[Authorize(Roles = "Templates_Access")]
public string Post([FromBody]string value)
{
return "woo";
}
这很好,如果用户有权限,它不会允许访问,如果他们这样做。
但是,如果我去我们的网站,使用相同的wcf和数据库,并更改用户权限,如果我发送邮递员相同的请求它仍然允许访问,即使我也删除了该用户分配的角色的权限。
我如何确保在每次请求时“刷新”或再次检查权限?
您想调出您的WCF服务以获取每个请求吗? – DavidG
以及我需要检查权限,这是在数据库上设置的,WCF是唯一的访问我们的数据库。基本上我需要一种方式来检查权限没有改变,如果他们已然后更新会话或任何其他事情,以便授权工作 – lemunk