ASP.NET Web API with OWIN OAuth: Calling protected APIs using an Access Token
In the previous blog post, we used the OAuth client credentials grant: on the server side, CnblogsAuthorizationServerProvider (an implementation of the authorization server provider) issued the access token, and on the client side we successfully received it.
What is an access token for? In OAuth, the resource server (for example, a Web API) authenticates requests based on the access token. No matter what kind of client makes the call, the resource server does not care who the caller is; it only recognizes the access token.
Enabling access token validation with OAuth in ASP.NET Web API is simple: just add the [Authorize] attribute to the appropriate controller or action, for example:
[Authorize]
public class ValuesController : ApiController
{
    // GET api/values
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }
}
After adding [Authorize], if you call the API without an access token, the following error is returned:
{"Message":"Authorization has been denied for this request."}
At this point you may ask: why does adding [Authorize] have this effect? Why does the original forms authentication no longer take part?
The reason is that when you create an ASP.NET Web API project with Visual Studio, VS automatically adds the relevant code for you. Open WebApiConfig.cs and you will see the following two lines:
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
These two lines are what change the behavior of [Authorize]: the first discards whatever identity the host (for example, forms authentication) established, and the second accepts only the identity produced by the OAuth bearer authentication type.
Enabling OAuth validation in ASP.NET Web API is this simple (behind the scenes, Microsoft's OWIN-based OAuth implementation does the work; its source code lives in the Katana project).
How does the client use the access token to invoke the Web API?
Also very simple: just add an Authorization: Bearer {token} header to the HTTP request. Sample client code:
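As an added example (not code from the original post), here is what the server-side wiring looks like in one place: an OWIN Startup that registers the authorization server and the bearer authentication middleware, the two WebApiConfig lines above, and a controller that reads the caller's identity from the validated token. CnblogsAuthorizationServerProvider is assumed to be the provider from the previous post; the self-host style app.UseWebApi call, the claim name "client_id" and the attribute route are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(CnblogsOAuthSample.Startup))]

namespace CnblogsOAuthSample
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Token endpoint: issues access tokens through the provider from
            // the previous post (assumed to exist in this project).
            app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/token"),
                Provider = new CnblogsAuthorizationServerProvider(),
                AccessTokenExpireTimeSpan = TimeSpan.FromHours(1),
                // Keep false so client secrets and tokens only travel over HTTPS.
                AllowInsecureHttp = false
            });

            // Bearer middleware: unprotects the token on each request and sets
            // the request identity with AuthenticationType "Bearer".
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            // Assumption: Web API is hosted in the OWIN pipeline (self-host style).
            var config = new HttpConfiguration();
            WebApiConfig.Register(config);
            app.UseWebApi(config);
        }
    }

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            // Discard whatever the host (forms auth, Windows auth) authenticated ...
            config.SuppressDefaultHostAuthentication();
            // ... and accept only the identity the OAuth bearer middleware produced.
            config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

            config.MapHttpAttributeRoutes();
        }
    }

    [Authorize]
    [RoutePrefix("api/values")]
    public class ValuesController : ApiController
    {
        [Route("")]
        public IEnumerable<string> Get()
        {
            // [Authorize] guarantees an authenticated identity here. The claim
            // name "client_id" is an assumption about what the provider added
            // to the ClaimsIdentity when the token was issued.
            var identity = (ClaimsIdentity)User.Identity;
            var clientId = identity.FindFirst("client_id")?.Value ?? "(unknown)";
            return new[] { "value1", "value2", "client:" + clientId };
        }
    }
}
```

With this wiring a request to /api/values without a valid bearer token never reaches the action: the bearer middleware leaves the request unauthenticated, the host filter finds no identity of type "Bearer", and [Authorize] answers with the 401 shown above.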
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;
using Xunit;

public class OAuthClientTest
{
    private HttpClient _httpClient;

    public OAuthClientTest()
    {
        _httpClient = new HttpClient();
        _httpClient.BaseAddress = new Uri("http://openapi.cnblogs.com");
    }

    [Fact]
    public async Task Call_WebApi_By_Access_Token()
    {
        var token = await GetAccessToken();
        // Send the token as a Bearer credential in the Authorization header
        _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
        Console.WriteLine(await (await _httpClient.GetAsync("/api/values")).Content.ReadAsStringAsync());
    }

    private async Task<string> GetAccessToken()
    {
        // Client credentials grant: post client_id, client_secret and grant_type to the token endpoint
        var parameters = new Dictionary<string, string>();
        parameters.Add("client_id", "1234");
        parameters.Add("client_secret", "5678");
        parameters.Add("grant_type", "client_credentials");
        var response = await _httpClient.PostAsync("/token", new FormUrlEncodedContent(parameters));
        var responseValue = await response.Content.ReadAsStringAsync();
        return JObject.Parse(responseValue)["access_token"].Value<string>();
    }
}
The result of running it is as follows:
["value1","value2"]
Done!
The integration of ASP.NET Web API with the OWIN-based OAuth implementation makes a formerly complex problem simple.
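As a second added example (not from the original post), here is the same call with the two outcomes the post shows handled explicitly: a call without a token, which produces the 401 from above, and a call with a token, where the client also reads expires_in so it can renew the token before it expires rather than after being denied. The base URL, client_id and client_secret are the placeholder values from the post's sample; the token-caching logic is an assumption of this example, not something Katana provides.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public class OAuthClient
{
    private readonly HttpClient _httpClient;
    private readonly string _clientId;
    private readonly string _clientSecret;
    private string _accessToken;
    private DateTime _expiresAtUtc = DateTime.MinValue;

    public OAuthClient(Uri baseAddress, string clientId, string clientSecret)
    {
        _httpClient = new HttpClient { BaseAddress = baseAddress };
        _clientId = clientId;
        _clientSecret = clientSecret;
    }

    // Returns the cached token while it is still valid (with a 30 s margin),
    // otherwise requests a new one via the client credentials grant.
    public async Task<string> GetAccessTokenAsync()
    {
        if (_accessToken != null && DateTime.UtcNow < _expiresAtUtc.AddSeconds(-30))
            return _accessToken;

        var parameters = new Dictionary<string, string>
        {
            { "client_id", _clientId },
            { "client_secret", _clientSecret },
            { "grant_type", "client_credentials" }
        };
        var response = await _httpClient.PostAsync("/token", new FormUrlEncodedContent(parameters));
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // Rejected credentials come back as a 400 with an "error" field in the JSON body.
            var error = JObject.Parse(body)["error"]?.Value<string>() ?? body;
            throw new InvalidOperationException("Token request failed: " + error);
        }

        var json = JObject.Parse(body);
        _accessToken = json["access_token"].Value<string>();
        // expires_in is in seconds; the server derives it from AccessTokenExpireTimeSpan.
        var expiresIn = json["expires_in"]?.Value<int>() ?? 0;
        _expiresAtUtc = DateTime.UtcNow.AddSeconds(expiresIn);
        return _accessToken;
    }

    // Calls a protected endpoint. A 401 means the token was missing, expired
    // or rejected, so the cached token is dropped and the reason surfaced.
    public async Task<string> CallProtectedApiAsync(string path, bool sendToken = true)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, path);
        if (sendToken)
            request.Headers.Authorization =
                new AuthenticationHeaderValue("Bearer", await GetAccessTokenAsync());

        var response = await _httpClient.SendAsync(request);
        var body = await response.Content.ReadAsStringAsync();
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            _accessToken = null;
            // The bearer middleware advertises the scheme it expects in WWW-Authenticate.
            var challenge = string.Join(", ", response.Headers.WwwAuthenticate);
            throw new UnauthorizedAccessException("Denied (" + challenge + "): " + body);
        }
        response.EnsureSuccessStatusCode();
        return body;
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Placeholder credentials from the post's sample, not real values.
        var client = new OAuthClient(new Uri("http://openapi.cnblogs.com"), "1234", "5678");
        try
        {
            await client.CallProtectedApiAsync("/api/values", sendToken: false);
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine(ex.Message); // the "Authorization has been denied" response
        }
        Console.WriteLine(await client.CallProtectedApiAsync("/api/values"));
    }
}
```

Treating the token as a time-limited credential on the client side (caching it for its lifetime and discarding it on 401) keeps the client from hammering the token endpoint on every call and makes an expired or revoked token visible as an explicit failure rather than an unexplained empty result.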
Tags: OAuth, WebAPI