【发布时间】:2017-12-01 18:19:09
【问题描述】:
我在 MVC 项目中使用 MVC Web API。我使用 SimpleAuthorizationServerProvider 来生成令牌。我使用 AuthorizeForAPI 自定义属性来验证令牌。一切都很好。 我的问题是如何验证令牌过期日期,所以如果令牌已过期,我将从服务器发送一条消息告诉用户您的令牌已过期
这就是我生成令牌的方式
public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
context.Validated();
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));
context.Validated(identity);
}
public override Task TokenEndpoint(OAuthTokenEndpointContext context)
{
foreach (KeyValuePair<string, string> property in context.Properties.Dictionary)
{
context.AdditionalResponseParameters.Add(property.Key, property.Value);
}
return Task.FromResult<object>(null);
}
}
这就是我验证令牌的方式
public class AuthorizeForAPI : AuthorizeAttribute
{
public override void OnAuthorization(HttpActionContext actionContext)
{
string AccessTokenFromRequest = "";
if (actionContext.Request.Headers.Authorization != null)
{
// get the access token
AccessTokenFromRequest = actionContext.Request.Headers.Authorization.Parameter;
var user = HttpContext.Current.User.Identity;
if (!user.IsAuthenticated)
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, "Unauthorized user");
}
}
}
}
}
【问题讨论】:
-
我强烈建议您使用身份 jwt 中间件来生成和验证您的访问令牌。它将负责所有必要的检查。此外:您在哪里生成令牌?您似乎只是设置了身份。
标签: asp.net-mvc asp.net-web-api oauth-2.0 access-token