我们简单描述一下如何通过 OWIN 和 ASP.NET MVC 创建一个授权服务器。首先创建一个名为 AuthorizationServer 的空 MVC 网站，并安装如下包：
在项目的根目录创建一个名为 Startup 的类：
using Microsoft.Owin;
using Owin;

// Katana discovers the startup class through this assembly-level attribute.
[assembly: OwinStartup(typeof(AuthorizationServer.Startup))]

namespace AuthorizationServer
{
    /// <summary>
    /// OWIN entry point of the authorization server. The host calls
    /// <see cref="Configuration"/> exactly once while the application starts.
    /// </summary>
    public partial class Startup
    {
        /// <summary>
        /// Builds the OWIN pipeline. All middleware registration is delegated to
        /// <c>ConfigureAuth</c>, the other half of this partial class
        /// (App_Start/Startup.Auth.cs).
        /// </summary>
        /// <param name="app">Application builder handed over by the OWIN host.</param>
        public void Configuration(IAppBuilder app)
        {
            this.ConfigureAuth(app);
        }
    }
}
创建一个 App_Start 文件夹，选中 App_Start 添加类文件 Startup.Auth.cs：
/// <summary>
/// Registers the authentication and OAuth2 authorization-server middleware.
/// Two cookie schemes are set up: "Application" for users signed in to the
/// authorization server itself and a short-lived "External" cookie that carries
/// an identity returned by an external provider (Google) until it is converted
/// into an "Application" sign-in. The OAuth2 endpoints are configured last.
/// </summary>
/// <param name="app">Application builder handed over by the OWIN host.</param>
public void ConfigureAuth(IAppBuilder app)
{
    // Cookie for users who have logged in to this server. Passive mode: the
    // middleware only acts when explicitly challenged, so the OAuth endpoints decide
    // when a login is required.
    var applicationCookie = new CookieAuthenticationOptions
    {
        AuthenticationType = "Application",
        AuthenticationMode = AuthenticationMode.Passive,
        LoginPath = new PathString(Paths.LoginPath),
        LogoutPath = new PathString(Paths.LogoutPath),
    };
    app.UseCookieAuthentication(applicationCookie);

    // External providers sign in under the "External" scheme. Its cookie lives only
    // five minutes: it is a hand-over vehicle, not a session, and a leaked copy
    // should expire quickly.
    app.SetDefaultSignInAsAuthenticationType("External");
    var externalCookie = new CookieAuthenticationOptions
    {
        AuthenticationType = "External",
        AuthenticationMode = AuthenticationMode.Passive,
        CookieName = CookieAuthenticationDefaults.CookiePrefix + "External",
        ExpireTimeSpan = TimeSpan.FromMinutes(5),
    };
    app.UseCookieAuthentication(externalCookie);

    // Google login; it signs in under the default ("External") scheme set above.
    app.UseGoogleAuthentication();

    var serverOptions = new OAuthAuthorizationServerOptions
    {
        AuthorizeEndpointPath = new PathString(Paths.AuthorizePath),
        TokenEndpointPath = new PathString(Paths.TokenPath),

        // Let /Authorize render its own error page (oauth.Error* keys in the OWIN
        // environment) instead of redirecting the browser back to the client when
        // client_id or redirect_uri is wrong.
        ApplicationCanDisplayErrors = true,

        // SECURITY: plain HTTP is tolerated in DEBUG builds only. In a release build
        // the default (false) stands, so authorization codes, client secrets and
        // tokens are never accepted over a clear-text connection.
#if DEBUG
        AllowInsecureHttp = true,
#endif

        // Provider: callbacks that authenticate clients and grant tokens.
        Provider = new OAuthAuthorizationServerProvider
        {
            OnValidateClientRedirectUri = ValidateClientRedirectUri,
            OnValidateClientAuthentication = ValidateClientAuthentication,
            OnGrantResourceOwnerCredentials = GrantResourceOwnerCredentials,
            OnGrantClientCredentials = GrantClientCredetails
        },

        // Issues and redeems single-use authorization codes.
        AuthorizationCodeProvider = new AuthenticationTokenProvider
        {
            OnCreate = CreateAuthenticationCode,
            OnReceive = ReceiveAuthenticationCode,
        },

        // Issues and redeems refresh tokens.
        RefreshTokenProvider = new AuthenticationTokenProvider
        {
            OnCreate = CreateRefreshToken,
            OnReceive = ReceiveRefreshToken,
        }
    };
    app.UseOAuthAuthorizationServer(serverOptions);
}
上面的代码为应用登录和外部登录分别启用了 Cookie 认证，并启用了 Google 身份验证；账户由授权服务器自己管理。
UseOAuthAuthorizationServer 扩展方法用来配置授权服务（前面的 UseCookieAuthentication 只负责 Cookie 登录），其配置选项如下：
AuthorizeEndpointPath：客户端应用程序发起登录授权的请求地址，必须以前导斜杠开头，例如 “/Authorize”。
TokenEndpointPath：客户端应用程序直接获取访问令牌的请求地址，同样必须以前导斜杠开头，例如 “/Token”。
ApplicationCanDisplayErrors：如果 Web 应用程序想在 /Authorize 地址为客户端验证失败生成一个自定义错误页，就设置为 true，此时浏览器不会被重定向回客户端应用。例如当 client_id 或 redirect_uri 错误时，/Authorize 可以读取被添加到 OWIN 环境中的 “oauth.Error”、“oauth.ErrorDescription” 和 “oauth.ErrorUri” 属性来显示错误。
AllowInsecureHttp：如果设置为 true，表示授权和令牌地址允许不安全的 HTTP 协议。上面的代码只在 DEBUG 构建中开启它；生产环境必须保持默认值 false 并使用 HTTPS，否则授权码、客户端密钥和令牌都会以明文传输。
Provider：配置授权服务中间件处理认证和授权的事件。
AuthorizationCodeProvider：为客户端应用程序产生一次性使用的授权码，OnCreate 创建授权码，OnReceive 接收授权码（因为授权码是一次性的，OnReceive 的实现在取出授权码后应当将其作废）。
RefreshTokenProvider：产生一个刷新令牌，在需要时用来获取新的访问令牌。
OAuth 并不关心你在哪里、以及如何管理账号信息，这通常由 ASP.NET Identity 负责。本教程简化了账户管理的代码，只确保用户能够通过 OWIN Cookie 中间件登录（注意下面的示例不校验密码，仅用于演示，不能直接用于生产）。AccountController 中的简单代码如下：
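/// <summary>
/// Minimal account handling for the sample authorization server. It only shows how a
/// user ends up signed in through the OWIN cookie middleware; it does NOT store
/// credentials or verify passwords (ASP.NET Identity would normally do that).
/// </summary>
public class AccountController : Controller
{
    // Form-field prefix that selects an external provider, e.g. "submit.External.Google".
    private const string ExternalSubmitPrefix = "submit.External.";

    /// <summary>
    /// GET renders the login form; POST signs the submitted user name in under the
    /// "Application" cookie scheme.
    /// </summary>
    /// <remarks>
    /// SECURITY: this demo never checks a password -- any non-empty user name is
    /// accepted. Replace it with a real credential check before use outside a demo.
    /// The form also carries no anti-forgery token; add
    /// <c>[ValidateAntiForgeryToken]</c> here and <c>@Html.AntiForgeryToken()</c>
    /// in the view when hardening.
    /// </remarks>
    public ActionResult Login()
    {
        var authentication = HttpContext.GetOwinContext().Authentication;
        if (Request.HttpMethod == "POST")
        {
            var isPersistent = !string.IsNullOrEmpty(Request.Form.Get("isPersistent"));
            var userName = Request.Form.Get("username");

            // A missing user name previously reached the Claim constructor and threw;
            // an empty submission now simply re-renders the form.
            if (!string.IsNullOrEmpty(Request.Form.Get("submit.Signin")) && !string.IsNullOrEmpty(userName))
            {
                authentication.SignIn(
                    new AuthenticationProperties { IsPersistent = isPersistent },
                    new ClaimsIdentity(
                        new[] { new Claim(ClaimsIdentity.DefaultNameClaimType, userName) },
                        "Application"));
            }
        }
        return View();
    }

    /// <summary>
    /// Renders the logout page.
    /// </summary>
    /// <remarks>
    /// NOTE(review): this action does not call SignOut itself; presumably the view posts
    /// back somewhere that does -- confirm, otherwise the "Application" cookie is never
    /// cleared.
    /// </remarks>
    public ActionResult Logout()
    {
        return View();
    }

    /// <summary>
    /// External-provider login. A POST naming a provider issues a challenge to it;
    /// afterwards, when the "External" cookie carries an identity, that identity is
    /// re-issued under the "Application" scheme and the browser is sent back to the
    /// local ReturnUrl (typically the /Authorize request that started the login).
    /// </summary>
    /// <returns>
    /// 401 (turned into a provider redirect by the external middleware), a redirect to
    /// ReturnUrl, or the provider-selection view.
    /// </returns>
    public async System.Threading.Tasks.Task<ActionResult> External()
    {
        var authentication = HttpContext.GetOwinContext().Authentication;
        if (Request.HttpMethod == "POST")
        {
            foreach (var key in Request.Form.AllKeys)
            {
                if (key.StartsWith(ExternalSubmitPrefix, StringComparison.Ordinal)
                    && !string.IsNullOrEmpty(Request.Form.Get(key)))
                {
                    var authType = key.Substring(ExternalSubmitPrefix.Length);
                    authentication.Challenge(authType);
                    return new HttpUnauthorizedResult();
                }
            }
        }

        // Awaited instead of .Result: blocking on the task inside an ASP.NET request
        // risks a sync-context deadlock.
        var authenticateResult = await authentication.AuthenticateAsync("External");
        var identity = authenticateResult == null ? null : authenticateResult.Identity;
        if (identity != null)
        {
            // The external cookie is a one-shot hand-over; drop it once consumed.
            authentication.SignOut("External");
            authentication.SignIn(
                new AuthenticationProperties { IsPersistent = true },
                new ClaimsIdentity(identity.Claims, "Application", identity.NameClaimType, identity.RoleClaimType));
            return RedirectToLocal(Request.QueryString["ReturnUrl"]);
        }
        return View();
    }

    /// <summary>
    /// Redirects only to URLs local to this site. An unchecked ReturnUrl would turn
    /// the login flow into an open redirect, letting a phishing link bounce a freshly
    /// signed-in user to an attacker-controlled site.
    /// </summary>
    /// <param name="returnUrl">Caller-supplied URL; may be null or absolute.</param>
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return Redirect("~/");
    }
}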
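/// <summary>
/// Resolves the redirect_uri for an authorization request. Only the URI registered for
/// the client is handed to <c>Validated</c>; an unknown client leaves the context
/// unvalidated and the middleware answers with an error.
/// </summary>
/// <remarks>
/// NOTE(review): this relies on the <c>Validated(string)</c> overload rejecting a
/// requested redirect_uri that differs from the registered one -- confirm for the
/// middleware version in use. That comparison is what keeps authorization codes from
/// being delivered to an attacker-chosen location.
/// </remarks>
/// <param name="context">Carries the client_id and the requested redirect_uri.</param>
private Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
{
    if (context.ClientId == Clients.Client1.Id)
    {
        context.Validated(Clients.Client1.RedirectUrl);
    }
    else if (context.ClientId == Clients.Client2.Id)
    {
        context.Validated(Clients.Client2.RedirectUrl);
    }
    return Task.FromResult(0);
}

/// <summary>
/// Authenticates a client at the token endpoint from HTTP Basic credentials or, failing
/// that, from client_id/client_secret form fields. The secret is compared in constant
/// time so the endpoint does not reveal how much of a guessed secret was correct.
/// </summary>
/// <param name="context">Token-endpoint request; validated only on a full match.</param>
private Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
    string clientId;
    string clientSecret;
    if (context.TryGetBasicCredentials(out clientId, out clientSecret)
        || context.TryGetFormCredentials(out clientId, out clientSecret))
    {
        string expectedSecret = null;
        if (clientId == Clients.Client1.Id)
        {
            expectedSecret = Clients.Client1.Secret;
        }
        else if (clientId == Clients.Client2.Id)
        {
            expectedSecret = Clients.Client2.Secret;
        }

        if (expectedSecret != null && SecretsMatch(expectedSecret, clientSecret))
        {
            context.Validated();
        }
    }
    return Task.FromResult(0);
}

/// <summary>
/// Compares two secrets without short-circuiting on the first differing character.
/// Plain <c>==</c> returns as soon as a mismatch is found, which leaks the position of
/// the mismatch through response timing. (Length is still observable; that is the
/// usual, accepted trade-off.)
/// </summary>
/// <param name="expected">The registered secret.</param>
/// <param name="actual">The secret presented by the client.</param>
/// <returns>True only when both are non-null and identical.</returns>
private static bool SecretsMatch(string expected, string actual)
{
    if (expected == null || actual == null)
    {
        return false;
    }
    var diff = expected.Length ^ actual.Length;
    for (var i = 0; i < expected.Length && i < actual.Length; i++)
    {
        diff |= expected[i] ^ actual[i];
    }
    return diff == 0;
}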
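/// <summary>
/// Resolves the redirect_uri for an authorization request. Only the URI registered for
/// the client is handed to <c>Validated</c>; an unknown client leaves the context
/// unvalidated and the middleware answers with an error.
/// </summary>
/// <remarks>
/// NOTE(review): this relies on the <c>Validated(string)</c> overload rejecting a
/// requested redirect_uri that differs from the registered one -- confirm for the
/// middleware version in use. That comparison is what keeps authorization codes from
/// being delivered to an attacker-chosen location.
/// </remarks>
/// <param name="context">Carries the client_id and the requested redirect_uri.</param>
private Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
{
    if (context.ClientId == Clients.Client1.Id)
    {
        context.Validated(Clients.Client1.RedirectUrl);
    }
    else if (context.ClientId == Clients.Client2.Id)
    {
        context.Validated(Clients.Client2.RedirectUrl);
    }
    return Task.FromResult(0);
}

/// <summary>
/// Authenticates a client at the token endpoint from HTTP Basic credentials or, failing
/// that, from client_id/client_secret form fields. The secret is compared in constant
/// time so the endpoint does not reveal how much of a guessed secret was correct.
/// </summary>
/// <param name="context">Token-endpoint request; validated only on a full match.</param>
private Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
    string clientId;
    string clientSecret;
    if (context.TryGetBasicCredentials(out clientId, out clientSecret)
        || context.TryGetFormCredentials(out clientId, out clientSecret))
    {
        string expectedSecret = null;
        if (clientId == Clients.Client1.Id)
        {
            expectedSecret = Clients.Client1.Secret;
        }
        else if (clientId == Clients.Client2.Id)
        {
            expectedSecret = Clients.Client2.Secret;
        }

        if (expectedSecret != null && SecretsMatch(expectedSecret, clientSecret))
        {
            context.Validated();
        }
    }
    return Task.FromResult(0);
}

/// <summary>
/// Compares two secrets without short-circuiting on the first differing character.
/// Plain <c>==</c> returns as soon as a mismatch is found, which leaks the position of
/// the mismatch through response timing. (Length is still observable; that is the
/// usual, accepted trade-off.)
/// </summary>
/// <param name="expected">The registered secret.</param>
/// <param name="actual">The secret presented by the client.</param>
/// <returns>True only when both are non-null and identical.</returns>
private static bool SecretsMatch(string expected, string actual)
{
    if (expected == null || actual == null)
    {
        return false;
    }
    var diff = expected.Length ^ actual.Length;
    for (var i = 0; i < expected.Length && i < actual.Length; i++)
    {
        diff |= expected[i] ^ actual[i];
    }
    return diff == 0;
}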
ValidateClientRedirectUri 用于验证客户端注册的回调 URL：只把注册过的 URL 传给 Validated，请求中与之不一致的 redirect_uri 就不会被接受，这是防止授权码被发送到攻击者地址的关键检查。ValidateClientAuthentication 验证通过 HTTP Basic 认证请求头或表单字段提交过来的客户端凭证。