asp.net-mvc-3 - 如何在 OAuth 资源服务器中验证访问 token

Question

我有 3 个应用程序；生成token的OAuth 2.0认证服务器，请求token的OAuth客户端，提供Restful API的OAuth资源服务器。这些都是 MVC 3 Web 应用程序。我的问题是如何验证从客户端到达 OAuth 资源服务器的访问 token ？例如，OAuth 客户端收到来自 OAuth 服务器的带有访问 token 的响应。然后客户端将此 token 添加到 header 中，然后向 OAuth 资源服务器发出请求以调用 API 函数之一。尽管我可以在 headers[Authentication] 中看到访问 token ，但我找不到验证此 token 的方法。因为我使用 MVC3 通过 Area 设计 Restful API，所以我无法使用下面与 SOAP Web 服务一起使用的函数。

private static IPrincipal VerifyOAuth2(HttpRequestMessageProperty httpDetails, Uri requestUri, params string[] requiredScopes) {
        // for this sample where the auth server and resource server are the same site,
        // we use the same public/private key.
        using (var signing = PixidoRest.MvcApplication.CreateAuthorizationServerSigningServiceProvider())
        {
            using (var encrypting = PixidoRest.MvcApplication.CreateResourceServerEncryptionServiceProvider())
            {
                var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(signing, encrypting));
                return resourceServer.GetPrincipal(httpDetails, requestUri, requiredScopes);
            }
        }
    }

因为我无法路径“HttpRequestMessageProperty”，所以我被困在那里验证从客户端收到的 AccesToken。如何在 MVC 3 Restful API 应用程序上验证这一点作为 OAuth 客户端的资源服务器？

这是我的其他代码:

internal static RSACryptoServiceProvider CreateResourceServerEncryptionServiceProvider()
    {
        var resourceServerEncryptionServiceProvider = new RSACryptoServiceProvider();
        resourceServerEncryptionServiceProvider.ImportParameters(ResourceServerEncryptionPrivateKey);
        return resourceServerEncryptionServiceProvider;
    }

    /// <summary>
    /// Creates the crypto service provider for the authorization server that contains the public key used to verify an access token signature.
    /// </summary>
    /// <returns>An RSA crypto service provider.</returns>
    internal static RSACryptoServiceProvider CreateAuthorizationServerSigningServiceProvider()
    {
        var authorizationServerSigningServiceProvider = new RSACryptoServiceProvider();
        authorizationServerSigningServiceProvider.ImportParameters(AuthorizationServerSigningPublicKey);
        return authorizationServerSigningServiceProvider;
    }

public class RequireAuthorization : ActionFilterAttribute
{
    public string Scope { get; set; }

    public override void OnActionExecuting(ActionExecutingContext actionContext)
    {
        string[] scope = null;
        if (!string.IsNullOrEmpty(Scope))
        {
            scope = Scope.Split(new[] { "," }, StringSplitOptions.RemoveEmptyEntries);
        }

        var query = actionContext.RequestContext.HttpContext.Request;
        var req = actionContext.HttpContext;
        var authvalue = query.Headers["Authorization"];
        OAuthAuthorizationManager.VerifyOAuth2(query, query.Url.AbsoluteUri);
        //var response = new HttpResponseMessageProperty()
        //{
           //here is my question.
        //};


        base.OnActionExecuting(actionContext);

        //redirect page to
        //if (CheckUrCondition)
        //{
        //actionContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new
        //{
        //    controller = "Home",
        //    action = "Index"
        //}));
        ////}
    }

提前致谢。

Answer 1

我遇到了同样的问题，并提出了以下适合我的自定义授权属性。请注意，我的示例依赖于通过依赖项注入(inject)注入(inject)的 ResourceServer 属性。当然，您也可以让它指向静态实例。

using System;
using System.Threading;
using System.Web;
using System.Web.Mvc;

using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OAuth2;

/// <summary>
/// Allows authorization to be applied to ASP.NET MVC methods where OAuth is used as the authorization mechanism.
/// </summary>
public class OAuthAuthorizeAttribute : AuthorizeAttribute
{
    /// <summary>
    /// Gets or sets the resource server that will be used to process the access token
    /// that will be used to authorized.
    /// </summary>
    /// <value>
    /// The resource server.
    /// </value>
    /// <remarks>
    /// This property will most likely be set using dependency-injection.
    /// </remarks>
    public ResourceServer ResourceServer { get; set; }

    /// <summary>
    /// Gets or sets the scopes.
    /// </summary>
    /// <value>
    /// The required scopes.
    /// </value>
    /// <remarks>
    /// Multiple scopes can be used by separating them with spaces.
    /// </remarks>
    public string Scopes { get; set; }

    /// <summary>
    /// When overridden, provides an entry point for custom authorization checks.
    /// </summary>
    /// <param name="httpContext">The HTTP context, which encapsulates all HTTP-specific information about an individual HTTP request.</param>
    /// <returns>
    /// true if the user is authorized; otherwise, false.
    /// </returns>
    /// <exception cref="System.InvalidOperationException">Thrown when the <see cref="ResourceServer"/> property is <c>null</c>.</exception>
    /// <exception cref="System.InvalidOperationException">Thrown when the <see cref="Scopes"/> property is <c>null</c>.</exception>
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (this.ResourceServer == null)
        {
            throw new InvalidOperationException("The ResourceServer property must not be null.");
        }

        try
        {
            this.StorePrincipalFromAccessToken(httpContext);

            return this.AccessTokenIsAuthorizedForRequestedScopes();
        }
        catch (ProtocolException)
        {
            return false;
        }
    }

    /// <summary>
    /// Processes HTTP requests that fail authorization.
    /// </summary>
    /// <param name="filterContext">Encapsulates the information for using <see cref="T:System.Web.Mvc.AuthorizeAttribute" />. The <paramref name="filterContext" /> object contains the controller, HTTP context, request context, action result, and route data.</param>
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new HttpUnauthorizedResult();
    }

    /// <summary>
    /// Stores the principal contained in the current access token.
    /// </summary>
    /// <param name="httpContext">The HTTP context.</param>
    protected virtual void StorePrincipalFromAccessToken(HttpContextBase httpContext)
    {
        httpContext.User = this.ResourceServer.GetPrincipal();
        Thread.CurrentPrincipal = httpContext.User;
    }

    /// <summary>
    /// Check if the access token provided is authorized for the requested scopes.
    /// </summary>
    /// <returns></returns>
    protected virtual bool AccessTokenIsAuthorizedForRequestedScopes()
    {
        return OAuthUtilities.SplitScopes(this.Scopes ?? string.Empty).IsSubsetOf(this.ResourceServer.GetAccessToken().Scope);
    }
}

您现在可以按如下方式使用此属性:

using System.Web.Mvc;

public class DemoController : Controller
{
    [OAuthAuthorize(Scopes = "public")]
    public ActionResult Index()
    {
        return this.View();
    }
}