Security authentication in the ASP. NET MVC 4 Web API-Using OAuth
OAuth authentication for various languages: http://oauth.net/code/
The previous article describes how to use basic HTTP authentication to implement cross-platform security authentication for ASP. Here's a description of how to use OAuth to implement authentication. OAuth people may not be unfamiliar. So it's important to note that we're using a better open source OAuth library for the. NET platform. Dotnetopenauth.
As shown, we need a isssue server to give us a token, and then go to the resource server to request resources, that is, Web API server.
First, on the Oauthissuer server we need to implement a Dotnetopenauth interface: Iauthorizationserver
Implementation of the interface:
public class OAuth2Issuer : IAuthorizationServer
{
private readonly IssuerConfiguration _configuration;
public OAuth2Issuer(IssuerConfiguration configuration)
{
if (configuration == null) throw new ArgumentNullException("configuration");
_configuration = configuration;
}
public RSACryptoServiceProvider AccessTokenSigningKey
{
get
{
return (RSACryptoServiceProvider)_configuration.SigningCertificate.PrivateKey;
}
}
public DotNetOpenAuth.Messaging.Bindings.ICryptoKeyStore CryptoKeyStore
{
get { throw new NotImplementedException(); }
}
public TimeSpan GetAccessTokenLifetime(DotNetOpenAuth.OAuth2.Messages.IAccessTokenRequest accessTokenRequestMessage)
{
return _configuration.TokenLifetime;
}
public IClientDescription GetClient(string clientIdentifier)
{
const string secretPassword = "test1243";
return new ClientDescription(secretPassword, new Uri("http://localhost/"), ClientType.Confidential);
}
public RSACryptoServiceProvider GetResourceServerEncryptionKey(DotNetOpenAuth.OAuth2.Messages.IAccessTokenRequest accessTokenRequestMessage)
{
return (RSACryptoServiceProvider)_configuration.EncryptionCertificate.PublicKey.Key;
}
public bool IsAuthorizationValid(DotNetOpenAuth.OAuth2.ChannelElements.IAuthorizationDescription authorization)
{
//claims added to the token
authorization.Scope.Add("adminstrator");
authorization.Scope.Add("poweruser");
return true;
}
public bool IsResourceOwnerCredentialValid(string userName, string password)
{
return true;
}
public DotNetOpenAuth.Messaging.Bindings.INonceStore VerificationCodeNonceStore
{
get
{
throw new NotImplementedException();
}
}
}
On the Web API server side, we need to use HTTP message handler to obtain HttpRequest information and to have authorization authentication.
Here ResourceServerConfiguration we use encrypted certificates.
public class OAuth2Handler : DelegatingHandler
{
private readonly ResourceServerConfiguration _configuration;
public OAuth2Handler(ResourceServerConfiguration configuration)
{
if (configuration == null) throw new ArgumentNullException("configuration");
_configuration = configuration;
}
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
HttpContextBase httpContext;
string userName;
HashSet<string> scope;
if (!request.TryGetHttpContext(out httpContext))
throw new InvalidOperationException("HttpContext must not be null.");
var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(
(RSACryptoServiceProvider)_configuration.IssuerSigningCertificate.PublicKey.Key,
(RSACryptoServiceProvider)_configuration.EncryptionVerificationCertificate.PrivateKey));
var error = resourceServer.VerifyAccess(httpContext.Request, out userName, out scope);
if (error != null)
return Task<HttpResponseMessage>.Factory.StartNew(error.ToHttpResponseMessage);
var identity = new ClaimsIdentity(scope.Select(s => new Claim(s, s)));
if (!string.IsNullOrEmpty(userName))
identity.Claims.Add(new Claim(ClaimTypes.Name, userName));
httpContext.User = ClaimsPrincipal.CreateFromIdentity(identity);
Thread.CurrentPrincipal = httpContext.User;
return base.SendAsync(request, cancellationToken);
}
}
Client calling code:
Before calling the API to obtain data, you need to obtain a Token from the IssueServer.
GetAccessToken:
Take a look at the token information:
{ "Access_token": "gAAAAIoUBVBrZ5jAxe5XeTgnJ8mGwwKsCReknueg4gLGlDQ77lR1yPfxt0yNfWLCBT7hxnHjRjuEwDTJ3J1YAnqML4MIgQg8A2cz2bs0EnxvCMfKnayKEesRM-lxLTFbWMpSxe2Xvjm61IbaXjrMkYDRMnV4Do8-7132tiOLIv02WOGlJAEAAIAAAACJ8F3SsE6cTI1XsioW_xOxHeESDzG16y01Gxm3HikYFUC3XIdekpPw0yMB4tavPmUj-kRyC1halbUX7JKf-Dihm6Ou5mexe9lcYTr9or_kH7WcDN5ZCryUK3OaecvwwjQVr5o9XD2ZyZSNDCNhVRFc5ypvP85zZCBW1KJkP3OTCV4AkMN-ROvgI8jxutYdsLLN-YbB7Ot5iypzWWbW0QxiwOzMEqG9nVtPwnIWOUMOvW5KbiELELhgjap60mwHzGrHG4TtA4jrNy8S9zjixO_q-FrgpAuC06CkSH-R4w9yPCLLDc9m3UoAnknFjd4PUbWLxCvlBpEK2sg03ENa0EOKzc2O5fEic9P-BiYt6afMwTgLkJlGBBjmCBpGZMkfLTw", "token_type": "bearer", "expires_in": "300", "scope": "http: \ / \ / localhost \ / adminstrator poweruser "}
Client call:
Code:
http://pan.baidu.com/s/1ntkMbCt
Security Authentication in Asp.Net MVC 4 Web API-Using OAuth