DotNetOpenAuth is an open source OAuth framework for the .NET environment. On top of it, an OAuth authorization service and a resource service can be implemented conveniently. I plan to write three articles on DotNetOpenAuth:
DotNetOpenAuth Part 1: OAuth2 authorization (verification) service implementation and key source code analysis
DotNetOpenAuth Part 2: OAuth2 resource service implementation and key source code analysis
DotNetOpenAuth Part 3: OAuth2 client access implementation and key source code analysis
This article is Part 1 of the series.
The OAuth authorization service is responsible for issuing access tokens to users, who then use the token to request resources and access logic. The client sends a request carrying its ClientId and ClientSecret; the authorization side checks the legitimacy of that request, generates an access token and issues it. That is the primary responsibility of the OAuth authorization service.
"Implementation level"
The main task when developing an authorization service based on DotNetOpenAuth is to implement the IAuthorizationServerHost interface. It has two key methods that must be implemented: GetClient and CreateAccessToken.
```csharp
IClientDescription GetClient(string clientIdentifier);
```
Using the clientIdentifier sent by the client, this method looks up the details of that client on the authorization server so that the ClientSecret can be verified. The client description can come from the authorization server's own database or from another external service that can provide the data.
```csharp
AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage);
```
Based on policy, generates the access token and returns it to the client whose request passed validation.
Method implementation sketch
GetClient:
```csharp
public IClientDescription GetClient(string clientIdentifier)
{
    if (string.Equals(clientIdentifier, "Isun", StringComparison.CurrentCulture))
    {
        // Just instantiate a Client here; in production it comes from the DB or another service.
        var client = new Client()
        {
            Name = "Isun",
            ClientSecret = "1",
            ClientTypeValue = 1
        };

        return client;
    }

    throw new ArgumentOutOfRangeException("clientIdentifier");
}
```
CreateAccessToken:
```csharp
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
{
    var accessToken = new AuthorizationServerAccessToken();

    accessToken.Lifetime = TimeSpan.FromMinutes(2);
    accessToken.ResourceServerEncryptionKey = ... ...
    accessToken.AccessTokenSigningKey = ... ...

    var result = new AccessTokenResult(accessToken);
    return result;
}
```
Once the two key methods of the IAuthorizationServerHost interface are implemented, the only thing left to do is to initialize an AuthorizationServer with the AuthorizationServerHost instance and invoke its HandleTokenRequestAsync method.
```csharp
private readonly AuthorizationServer authorizationServer =
    new AuthorizationServer(new IsunAuthorizationServerHost(AuthService.Configuration));

public async Task<ActionResult> Token()
{
    var response = await authorizationServer.HandleTokenRequestAsync(Request);
    return response.AsActionResult();
}
```
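The sketches above leave out the rest of the interface and the key material. The following is an added example (not code from the original post or from the DotNetOpenAuth project) of a complete IAuthorizationServerHost for the client credentials grant, plus the MVC controller that wires it to AuthorizationServer. The RegisteredClient and DemoAuthorizationServerHost class names, the in-memory client registry, the certificate-based keys and the placeholder secret are all assumptions; the DotNetOpenAuth types used (ClientDescription, AuthorizationServerAccessToken, AccessTokenResult, AutomatedAuthorizationCheckResponse) are the 4.x API as I know it.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using System.Web.Mvc;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.Messaging.Bindings;
using DotNetOpenAuth.OAuth2;
using DotNetOpenAuth.OAuth2.Messages;

// Hypothetical client registration. Deriving from ClientDescription reuses the
// framework's IsValidClientSecret instead of re-implementing the secret check.
public class RegisteredClient : ClientDescription
{
    public RegisteredClient(string name, string secret, ISet<string> allowedScopes)
        : base(secret, null, ClientType.Confidential)
    {
        this.Name = name;
        this.AllowedScopes = allowedScopes;
    }

    public string Name { get; private set; }
    public ISet<string> AllowedScopes { get; private set; }
}

public class DemoAuthorizationServerHost : IAuthorizationServerHost
{
    // Constructed sample registry; a real server would load this from its DB.
    private readonly IDictionary<string, RegisteredClient> clients =
        new Dictionary<string, RegisteredClient>(StringComparer.Ordinal)
        {
            { "isun", new RegisteredClient("isun", "PLACEHOLDER-client-secret", new HashSet<string> { "read" }) },
        };

    private readonly RSACryptoServiceProvider signingKey;
    private readonly RSACryptoServiceProvider resourceServerEncryptionKey;

    // Stores and certificates are injected; the caller decides where they live.
    public DemoAuthorizationServerHost(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore,
                                       X509Certificate2 signingCert, X509Certificate2 resourceServerCert)
    {
        this.CryptoKeyStore = cryptoKeyStore;
        this.NonceStore = nonceStore;
        // Signing needs our private key; encrypting for the resource server needs only its public key.
        this.signingKey = (RSACryptoServiceProvider)signingCert.PrivateKey;
        this.resourceServerEncryptionKey = (RSACryptoServiceProvider)resourceServerCert.PublicKey.Key;
    }

    public ICryptoKeyStore CryptoKeyStore { get; private set; }
    public INonceStore NonceStore { get; private set; }

    // Step 7 of the flow: resolve the client id to its registration.
    public IClientDescription GetClient(string clientIdentifier)
    {
        RegisteredClient client;
        if (clientIdentifier != null && this.clients.TryGetValue(clientIdentifier, out client))
        {
            return client;
        }
        // Unknown client: throw rather than return null, as the author's host does.
        throw new ArgumentException("Unknown client identifier.", "clientIdentifier");
    }

    // Step 9 of the flow: mint a short-lived, signed and encrypted token.
    public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage)
    {
        var token = new AuthorizationServerAccessToken
        {
            Lifetime = TimeSpan.FromMinutes(2),
            AccessTokenSigningKey = this.signingKey,
            ResourceServerEncryptionKey = this.resourceServerEncryptionKey,
        };
        // A client credentials client can simply re-authenticate, so no refresh token is issued.
        return new AccessTokenResult(token) { AllowRefreshToken = false };
    }

    // Approve the grant only for an authenticated client asking for scopes it was registered with.
    public AutomatedAuthorizationCheckResponse CheckAuthorizeClientCredentialsGrant(IAccessTokenRequest accessRequest)
    {
        var client = (RegisteredClient)this.GetClient(accessRequest.ClientIdentifier);
        bool approved = accessRequest.ClientAuthenticated && client.AllowedScopes.IsSupersetOf(accessRequest.Scope);
        return new AutomatedAuthorizationCheckResponse(accessRequest, approved);
    }

    public AutomatedUserAuthorizationCheckResponse CheckAuthorizeResourceOwnerCredentialGrant(
        string userName, string password, IAccessTokenRequest accessRequest)
    {
        // The password grant is not offered by this server.
        return new AutomatedUserAuthorizationCheckResponse(accessRequest, false, null);
    }

    public bool IsAuthorizationValid(IAuthorizationDescription authorization)
    {
        // Only consulted for stored authorizations (authorization code / refresh token); none are issued here.
        return false;
    }
}

public class OAuthController : Controller
{
    private readonly AuthorizationServer authorizationServer;

    public OAuthController(DemoAuthorizationServerHost host)
    {
        this.authorizationServer = new AuthorizationServer(host);
    }

    [HttpPost]
    public async Task<ActionResult> Token()
    {
        var response = await this.authorizationServer.HandleTokenRequestAsync(this.Request);
        return response.AsActionResult();
    }
}
```

The points worth noting for a deployment are the ones the sketch glosses over: the token is both signed (with the authorization server's private key) and encrypted (with the resource server's public key), so the resource server in Part 2 must hold the matching private key; the lifetime is kept short because no refresh token is issued; and scope is checked against the client's registration in CheckAuthorizeClientCredentialsGrant, not left to the resource server.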
"Principle level"
That is all there is at the implementation level; simple, isn't it? But knowing only this is not enough: you would still be unclear about what is going on, just feeling that it is powerful. How does the DotNetOpenAuth authorization framework accomplish the whole verification service with just these two methods? Fortunately DotNetOpenAuth is an open source project, and studying its source code makes this clear. First, the internal call sequence of the authorization server (shown as a figure in the original post).
The call starts from AuthorizationServer.HandleTokenRequestAsync, proceeds through steps 1-9, and finally AuthorizationServerHost.CreateAccessToken is called. Steps 7, 8 and 9 are the key method calls in the whole token issuance process: step 7 GetClient obtains the details of the requesting client, step 8 IsValidClientSecret verifies the legitimacy of the ClientSecret, and if that check passes, step 9 CreateAccessToken issues the token to the requesting client. The logic is shown in the flow figure of the original post.
The source fragments for the key steps 7, 8 and 9 are as follows.
Calling GetClient and validating the ClientSecret (the TryAuthenticateClientBySecret method of DotNetOpenAuth.OAuth2.ChannelElements.ClientAuthenticationModule):
```csharp
protected static ClientAuthenticationResult TryAuthenticateClientBySecret(IAuthorizationServerHost authorizationServerHost,
    string clientIdentifier, string clientSecret) {
    Requires.NotNull(authorizationServerHost, "authorizationServerHost");

    if (!string.IsNullOrEmpty(clientIdentifier)) {
        var client = authorizationServerHost.GetClient(clientIdentifier); // Step 7: GetClient returns IClientDescription
        if (client != null) {
            if (!string.IsNullOrEmpty(clientSecret)) {
                if (client.IsValidClientSecret(clientSecret)) { // Step 8: validate ClientSecret
                    return ClientAuthenticationResult.ClientAuthenticated;
                } else { // Invalid client secret
                    return ClientAuthenticationResult.ClientAuthenticationRejected;
                }
            }
        }
    }
    // ... (the remaining fall-through branches are not shown in this excerpt)
}
```
ClientDescription.IsValidClientSecret (the IsValidClientSecret method in DotNetOpenAuth.OAuth2.ClientDescription):
```csharp
public virtual bool IsValidClientSecret(string secret) {
    Requires.NotNullOrEmpty(secret, "secret");

    // The framework compares the presented secret with the stored one in constant time,
    // so the comparison does not leak how many leading characters matched.
    return MessagingUtilities.EqualsConstantTime(secret, this.Secret);
}
```
Calling CreateAccessToken, and returning InvalidRequest if client validation does not pass (the HandleTokenRequestAsync method in DotNetOpenAuth.OAuth2.AuthorizationServer):
```csharp
AccessTokenRequestBase requestMessage = await this.Channel.TryReadFromRequestAsync<AccessTokenRequestBase>(request, cancellationToken);
if (requestMessage != null) {
    // Step 9: call AuthorizationServerHost.CreateAccessToken to generate the token
    var accessTokenResult = this.AuthorizationServerServices.CreateAccessToken(requestMessage);
    ErrorUtilities.VerifyHost(accessTokenResult != null, "IAuthorizationServerHost.CreateAccessToken must not return null.");

    IAccessTokenRequestInternal accessRequestInternal = requestMessage;
    accessRequestInternal.AccessTokenResult = accessTokenResult;

    var successResponseMessage = this.PrepareAccessTokenResponse(requestMessage, accessTokenResult.AllowRefreshToken);
    successResponseMessage.Lifetime = accessTokenResult.AccessToken.Lifetime;
    ......
    responseMessage = successResponseMessage;
} else {
    // Validation failed: return an error response with InvalidRequest
    responseMessage = new AccessTokenFailedResponse() { Error = Protocol.AccessTokenRequestErrorCodes.InvalidRequest };
}
```
Summary
It is easy to develop an OAuth authorization service with the DotNetOpenAuth framework, but if you do not understand how it works internally, you will inevitably hit problems during development that you cannot resolve quickly. So it is important not only to know how, but also to know why. (The code in this article is for illustration only; if you want to download a demo, reference 2 has detailed code, so I do not include it here. The DotNetOpenAuth source code and samples are available from the official website http://www.dotnetopenauth.net/)
Resources:
1. [OAuth] Implementing the Client Credentials Grant based on DotNetOpenAuth http://www.cnblogs.com/dudu/p/oauth-dotnetopenauth-client-credentials-grant.html
2. DotNetOpenAuth in practice: building an authentication server http://www.cnblogs.com/idefav2010/p/DotNetOpenAuth.html
3. http://www.dotnetopenauth.net/