DotNetOpenAuth Part 1: Authorization Verification Service Implementation and Key Source Code Parsing

Source: Internet
Author: User
Tags: oauth

DotNetOpenAuth is an open-source OAuth implementation framework for the .NET environment. On top of it, an OAuth authorization service and a resource service can be implemented conveniently. I plan to write three essays on DotNetOpenAuth:

DotNetOpenAuth Part 1: OAuth2 authorization verification service implementation and key source parsing

DotNetOpenAuth Part 2: OAuth2 resource service implementation and key source parsing

DotNetOpenAuth Part 3: OAuth2 client access implementation and key source parsing

This article is part 1 of this series.

The OAuth authorization service is responsible for issuing access tokens to clients, which then present the token to the resource service to access protected resources. The client sends a token request carrying its ClientId and ClientSecret; the authorization side verifies the legitimacy of the request (it authenticates the client), generates an access token and issues it. That is the primary responsibility of the OAuth authorization service.

"Implementation Dimension"

The main task in developing an authorization service based on DotNetOpenAuth is to implement the IAuthorizationServerHost interface, of which two methods are key: GetClient and CreateAccessToken.

    IClientDescription GetClient(string clientIdentifier);

Given the clientIdentifier sent by the client, this method returns the client's details as known to the authorization server, so that the ClientSecret can be verified. The IClientDescription returned here can come from the authorization server's own DB, or from any other external service that can provide that data.

    AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage);

Generates the access token according to the server's policy (lifetime, signing and encryption keys) and returns it, so that the framework can hand it to the client whose request passed validation.

Method implementation schematic

GetClient:

    public IClientDescription GetClient(string clientIdentifier)
    {
        // Ordinal comparison: client identifiers are opaque protocol strings, not
        // culture-sensitive text (the original used StringComparison.CurrentCulture).
        if (string.Equals(clientIdentifier, "iSun", StringComparison.Ordinal))
        {
            // Just initiate a Client instance here; in production it comes from a DB or other service.
            // Client is the host's own IClientDescription implementation; the secret "1" is demo-only.
            var client = new Client()
            {
                Name = "iSun",
                ClientSecret = "1",
                ClientTypeValue = 1
            };

            return client;
        }

        throw new ArgumentOutOfRangeException("clientIdentifier");
    }

CreateAccessToken:

    public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
    {
        var accessToken = new AuthorizationServerAccessToken();

        // A short lifetime limits the window in which a leaked token remains usable.
        accessToken.Lifetime = TimeSpan.FromMinutes(2);
        // Key setup is elided in the original: ResourceServerEncryptionKey is the resource
        // server's public RSA key, AccessTokenSigningKey the authorization server's private RSA key.
        accessToken.ResourceServerEncryptionKey = ... ...
        accessToken.AccessTokenSigningKey = ... ...

        var result = new AccessTokenResult(accessToken);
        return result;
    }

With the two key methods of the IAuthorizationServerHost interface implemented, the only remaining work is to construct an AuthorizationServer with the host instance and invoke its HandleTokenRequestAsync method from the token endpoint.

    private readonly AuthorizationServer authorizationServer =
        new AuthorizationServer(new iSunAuthorizationServerHost(AuthService.Configuration));

    public async Task<ActionResult> Token()
    {
        var response = await authorizationServer.HandleTokenRequestAsync(Request);
        return response.AsActionResult();
    }

"Principle Level"

That is all there is at the implementation level; is it not very simple? But knowing only that is not enough: you would still be unclear about what happens underneath, and would struggle when something goes wrong. How does the DotNetOpenAuth authorization framework accomplish the verification service with only these two methods? Fortunately DotNetOpenAuth is an open-source project, and studying the source code makes it clear. First, the internal call sequence on the authorization side (shown as a diagram in the original post).

The call starts from AuthorizationServer.HandleTokenRequestAsync, proceeds through steps 1 to 9, and finally AuthorizationServerHost.CreateAccessToken is called. Steps 7, 8 and 9 are the key method calls in the whole token issuance process. Step 7, GetClient, obtains the details of the client named in the request; step 8, IsValidClientSecret, verifies the legitimacy of the ClientSecret; if verification passes, step 9, CreateAccessToken, generates the token for the requesting client. The logic is shown in the second diagram of the original post.

Source fragments for the key steps 7, 8 and 9 are as follows.

Call GetClient and perform ClientSecret validation (method TryAuthenticateClientBySecret in DotNetOpenAuth.OAuth2.ChannelElements.ClientAuthenticationModule):

    protected static ClientAuthenticationResult TryAuthenticateClientBySecret(IAuthorizationServerHost authorizationServerHost,
        string clientIdentifier, string clientSecret) {
        Requires.NotNull(authorizationServerHost, "authorizationServerHost");

        if (!string.IsNullOrEmpty(clientIdentifier)) {
            var client = authorizationServerHost.GetClient(clientIdentifier); // Step 7: GetClient returns IClientDescription
            if (client != null) {
                if (!string.IsNullOrEmpty(clientSecret)) {
                    if (client.IsValidClientSecret(clientSecret)) { // Step 8: validate ClientSecret
                        return ClientAuthenticationResult.ClientAuthenticated;
                    } else { // Invalid client secret
                        return ClientAuthenticationResult.ClientAuthenticationRejected;
                    }
                }
            }
        }
        // The remaining branches of the library method (missing identifier, unknown client,
        // missing secret) are omitted from this excerpt.
    }

The ClientDescription.IsValidClientSecret method (in DotNetOpenAuth.OAuth2.ClientDescription). Note that it is virtual, so a host that stores only a hash of each secret can override it, and that the default implementation compares the two strings in constant time:

    public virtual bool IsValidClientSecret(string secret) {
        Requires.NotNullOrEmpty(secret, "secret");

        // Constant-time comparison, so response timing does not leak how much of a guessed secret matched.
        return MessagingUtilities.EqualsConstantTime(secret, this.secret);
    }

The code fragment that calls CreateAccessToken; if client validation does not pass, no request message is read and an InvalidRequest error response is returned (in method HandleTokenRequestAsync of DotNetOpenAuth.OAuth2.AuthorizationServer):

    AccessTokenRequestBase requestMessage = await this.Channel.TryReadFromRequestAsync<AccessTokenRequestBase>(request, cancellationToken);
    if (requestMessage != null) {
        // Step 9: call AuthorizationServerHost.CreateAccessToken to generate the token
        var accessTokenResult = this.AuthorizationServerServices.CreateAccessToken(requestMessage);
        ErrorUtilities.VerifyHost(accessTokenResult != null, "IAuthorizationServerHost.CreateAccessToken must not return null.");

        IAccessTokenRequestInternal accessRequestInternal = requestMessage;
        accessRequestInternal.AccessTokenResult = accessTokenResult;

        var successResponseMessage = this.PrepareAccessTokenResponse(requestMessage, accessTokenResult.AllowRefreshToken);
        successResponseMessage.Lifetime = accessTokenResult.AccessToken.Lifetime;
        ......
        responseMessage = successResponseMessage;
    } else {
        // Validation failed, return an error with InvalidRequest
        responseMessage = new AccessTokenFailedResponse() { Error = Protocol.AccessTokenRequestErrorCodes.InvalidRequest };
    }
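To see steps 7 to 9 and the failure path run end to end, here is an added example that is not DotNetOpenAuth code and not part of the original post: a Python model of the Token() action above, covering both the host side (GetClient, IsValidClientSecret, CreateAccessToken with the two-minute lifetime) and the library side (client authentication, then token issuance or an InvalidRequest error). The client registry, the signing key and the result names are constructed for the example; it signs tokens with HMAC-SHA256 for self-containment, whereas DotNetOpenAuth signs and encrypts them with the RSA keys set in CreateAccessToken.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from urllib.parse import parse_qs

TOKEN_LIFETIME_SECONDS = 120  # TimeSpan.FromMinutes(2), as in CreateAccessToken above
# Constructed key standing in for AccessTokenSigningKey (assumption: HMAC-SHA256 here, RSA in DotNetOpenAuth).
SIGNING_KEY = bytes.fromhex("3c0f2d9a7e1b4c6d8a2f5e7b9c1d3f4a6b8c0d2e4f6a8b0c2d4e6f8a0b1c2d3e")


@dataclass(frozen=True)
class ClientDescription:
    client_identifier: str
    secret: str

    def is_valid_client_secret(self, secret: str) -> bool:
        # Constant-time comparison, as the library does, so response timing does not
        # reveal how many leading characters of a guessed secret were correct.
        return hmac.compare_digest(secret.encode(), self.secret.encode())


# Constructed registry standing in for the DB or service behind GetClient.
CLIENTS = {"iSun": ClientDescription("iSun", "8f1c0a6d7b2e4f9a")}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def get_client(client_identifier: str):
    """Step 7 (GetClient): None mirrors the library's 'client == null' branch."""
    return CLIENTS.get(client_identifier)


def try_authenticate_client_by_secret(client_identifier, client_secret) -> str:
    """Steps 7 and 8 (TryAuthenticateClientBySecret); the result names are this example's own."""
    if not client_identifier or not client_secret:
        return "no_credentials"
    client = get_client(client_identifier)
    if client is None or not client.is_valid_client_secret(client_secret):
        return "rejected"  # unknown client id and wrong secret get the same answer
    return "authenticated"


def create_access_token(client_identifier: str, now: int) -> str:
    """Step 9 (CreateAccessToken): short-lived token bound to the client and signed."""
    claims = {"client_id": client_identifier, "exp": now + TOKEN_LIFETIME_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_access_token(token: str, now: int):
    """What the resource server does later: check the signature, then the lifetime."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    return claims["client_id"] if now < claims["exp"] else None


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """What the client sends: HTTP Basic client authentication (RFC 6749 section 2.3.1)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def _client_credentials(form: dict, authorization_header: str):
    """Credentials may arrive in the Authorization header or in the form body."""
    if authorization_header.startswith("Basic "):
        try:
            decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None, None
        client_id, _, client_secret = decoded.partition(":")
        return client_id, client_secret
    return form.get("client_id", [None])[0], form.get("client_secret", [None])[0]


def handle_token_request(body: str, authorization_header: str = "", now: int = 0):
    """The Token() action: returns (http_status, json_body) like HandleTokenRequestAsync."""
    form = parse_qs(body)
    if form.get("grant_type", [None])[0] != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    client_id, client_secret = _client_credentials(form, authorization_header)
    if try_authenticate_client_by_secret(client_id, client_secret) != "authenticated":
        # No authenticated request message can be read, so the trace above ends in
        # AccessTokenFailedResponse with InvalidRequest.
        return 400, {"error": "invalid_request"}
    token = create_access_token(client_id, now)
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_LIFETIME_SECONDS}
```

Two caveats for a production host. First, RFC 6749 section 5.2 specifies invalid_client (with a 401 when the credentials came in the Authorization header) for failed client authentication; the trace above shows the library surfacing an unreadable request as invalid_request, so do not rely on the error code to distinguish a bad secret from a malformed request. Second, since IsValidClientSecret is virtual, the host can keep only a hash of each secret in its store and override the method to compare hashes, instead of loading the plaintext secret into ClientDescription as the demo GetClient does.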

Summary

It is easy to develop an OAuth authorization service with the DotNetOpenAuth framework, but if you do not understand its implementation principle, the development process feels uncertain and problems cannot be solved quickly. So it is important not only to know that it works, but also why. (The code shown in this article is for illustration; if you want to download a demo, reference 2 has detailed code, which I do not post here. The DotNetOpenAuth source code and samples are available from the official website, http://www.dotnetopenauth.net/.)

Resources:

1. [OAuth] Implementing Client Credentials Grant based on DotNetOpenAuth, http://www.cnblogs.com/dudu/p/oauth-dotnetopenauth-client-credentials-grant.html

2. DotNetOpenAuth in practice: building an authentication server, http://www.cnblogs.com/idefav2010/p/DotNetOpenAuth.html

3. http://www.dotnetopenauth.net/

