
爲了支持原生應用的功能,我建立了原生移動應用程序和多個Web API。我對Web API的所有請求都進行驗證,所以我使用IdentityServer3和ASP.Net Identity,通過驗證外部令牌(Facebook、Twitter等)來生成基於本地用戶的訪問令牌。

我想爲我的本地應用程序(Twitter和Digits)使用社交登錄提供程序,並且我希望本機應用程序負責使用Twitter進行身份驗證,一旦從外部訪問令牌Twitter將提供給本地應用程序。現在,我想在我的Identity Server 3設置中提供端點以支持驗證外部訪問令牌並根據用戶生成本地訪問令牌?

什麼是最好的方式來實現這與asp.net身份和身份服務器3?

這篇博客的作者似乎正是在解釋我試圖實現的東西,但是他沒有使用IdentityServer3:http://bitoftech.net/2014/08/11/asp-net-web-api-2-external-logins-social-logins-facebook-google-angularjs-app/


你有什麼試過的?你的代碼在哪裏?有一個*特定的*編程問題,我們可以幫助你? –


我使用[IdentityServer3](https://github.com/identityserver/IdentityServer3.AspNetIdentity)來滿足所有認證和授權需求。當我使用ResourceOwnerPasswordCredential Flow生成令牌時,我確實能獲得本地訪問令牌。但我想在本地應用程序上處理外部登錄(通過Twitter或其他提供程序),其中不涉及密碼;當我從Twitter接收到外部訪問令牌時,我需要能夠將其發送到Identity Server 3,如果用戶尚未在系統中則註冊該用戶,並創建一個本地訪問令牌。希望這有幫助,謝謝 – user5656173

回答


下面是一些使用IdentityServer3進行基於聲明(claims)的登錄(OAuth2)的代碼;外部登錄和OpenID登錄的示例可以在IdentityServer的網站上找到。

服務器:

範圍:

   // Custom resource scope "morhipo". Per the IdentityServer3 docs, the
   // ScopeClaims of a resource scope select which user claims are copied into
   // access tokens issued for that scope. Subject and AccessTokenHash are
   // unusual entries for a resource scope — NOTE(review): confirm they are intended.
   new Scope 
      { 
       Name ="morhipo", 
        Type = ScopeType.Resource, 
        Claims = new List<ScopeClaim> 
       { 
        new ScopeClaim(Constants.ClaimTypes.Name), 
        new ScopeClaim(Constants.ClaimTypes.Email), 
        new ScopeClaim(Constants.ClaimTypes.FamilyName), 
        new ScopeClaim(Constants.ClaimTypes.GivenName), 
        new ScopeClaim(Constants.ClaimTypes.Gender), 
        new ScopeClaim(Constants.ClaimTypes.Id), 
        new ScopeClaim(Constants.ClaimTypes.PhoneNumber), 
        new ScopeClaim(Constants.ClaimTypes.Subject), 
        new ScopeClaim(Constants.ClaimTypes.AccessTokenHash), 
        // Role claims are what the MVC client relies on for "Admin"/"User" checks.
        new ScopeClaim(Constants.ClaimTypes.Role) 
       } 
      } 

用戶:

 // Demo-only in-memory user: the password is stored in plain text in source,
 // which is fine for a sample but never for a real user store (IdentityServer3
 // is normally backed by ASP.NET Identity in production).
 new InMemoryUser{ Subject = "bob", Username = "bob", Password = "bob", 
      // These claims are what the "morhipo" scope above can copy into tokens.
      Claims = new Claim[] 
      { 
       new Claim(Constants.ClaimTypes.GivenName, "Bob"), 
       // Two Role claims: the user is both Admin and User.
       new Claim(Constants.ClaimTypes.Role, "Admin"), 
       new Claim(Constants.ClaimTypes.Role, "User"), 
       new Claim(Constants.ClaimTypes.FamilyName, "Smith"), 
       // NOTE(review): the e-mail literal looks like a redaction artifact of the
       // page scrape rather than a real address — replace with a valid sample.
       new Claim(Constants.ClaimTypes.Email, "[email protected]"), 
       new Claim(Constants.ClaimTypes.Name, "Bob Smith"), 
      } 
     }, 

客戶:

 // Registration of the "carbon" client used by the MVC sample below.
 new Client 
     { 
      ClientName = "Silicon on behalf of Carbon Client", 
      ClientId = "carbon", 
      Enabled = true, 
      // JWT access tokens: the MVC client validates them locally with the
      // server's signing certificate instead of calling an introspection endpoint.
      AccessTokenType = AccessTokenType.Jwt, 

      // Resource-owner password flow: the client posts the user's credentials
      // directly to the token endpoint (see GetToken in the MVC client).
      Flow = Flows.ResourceOwner, 

      // Only the SHA-256 of the secret is stored server-side; the MVC client
      // must present the plain-text value. That plain text also lives in the
      // client's source in this sample — treat it as a credential and keep it
      // in configuration/secret storage in a real deployment.
      ClientSecrets = new List<Secret> 
      { 
       new Secret("21B5F798-BE55-42BC-8AA8-0025B903DC3B".Sha256()) 
      }, 


      // OfflineAccess allows refresh tokens; the MVC client requests
      // "morhipo api1 offline_access", all of which must appear here.
      AllowedScopes = new List<string> 
      { 
       Constants.StandardScopes.OpenId, 
       Constants.StandardScopes.Profile, 
       Constants.StandardScopes.Email, 
       Constants.StandardScopes.Roles, 
       Constants.StandardScopes.OfflineAccess, 
       "read", 
       "write", 
       "api1", 
       "morhipo" 
      }, 



     } 

MVC客戶:

啓動:

public void ConfigureAuth(IAppBuilder app) 
{ 
    // Anti-forgery tokens are tied to the signed-in user's name-identifier claim
    // (this URI is the value of ClaimTypes.NameIdentifier) instead of Identity.Name,
    // so the token survives users whose name claim is missing or changes.
    AntiForgeryConfig.UniqueClaimTypeIdentifier = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"; 

    // Local cookie session. "Cookies" is the authentication type that SignInAsync
    // signs in as and LogOff signs out of; the three must agree.
    var cookieOptions = new CookieAuthenticationOptions 
    { 
        AuthenticationType = "Cookies", 
        LoginPath = new PathString("/account/login") 
    }; 
    app.UseCookieAuthentication(cookieOptions); 
} 

的AccountController:

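[HttpPost] 
[AllowAnonymous] 
[ValidateAntiForgeryToken] 
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl) 
{ 
    // Password login against IdentityServer3 (resource-owner flow): exchange the
    // posted credentials for a token, validate it, then issue the local cookie.
    // Returns the login view again on any failure, otherwise redirects.
    if (!ModelState.IsValid) 
    { 
        return View(model); 
    } 

    TokenResponse token = await GetToken(model.Email, model.Password); 

    // A rejected token request (wrong credentials, client misconfiguration,
    // server error) is reported as an error response, not an exception; without
    // this check SignInAsync would try to validate a missing access token.
    if (token.IsError) 
    { 
        ModelState.AddModelError("", "Invalid login attempt."); 
        return View(model); 
    } 

    await SignInAsync(token); 

    // Honour returnUrl only when it is local to this site; redirecting to an
    // arbitrary absolute URL would turn the login action into an open redirect.
    if (Url.IsLocalUrl(returnUrl)) 
    { 
        return Redirect(returnUrl); 
    } 

    return RedirectToAction("Index", "Home"); 
} 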

private async Task<TokenResponse> GetToken(string user, string password) 
{ 
    // Resource-owner password grant against the IdentityServer3 token endpoint.
    // Client id and secret must match the "carbon" client registered on the
    // server (which stores only the SHA-256 of this secret). The secret is a
    // credential: in a real deployment read it from configuration, not source.
    const string tokenEndpoint = "https://localhost:44333/core/connect/token"; 
    const string clientId = "carbon"; 
    const string clientSecret = "21B5F798-BE55-42BC-8AA8-0025B903DC3B"; 
    // offline_access asks for a refresh token alongside the access token.
    const string requestedScopes = "morhipo api1 offline_access"; 

    var tokenClient = new TokenClient(tokenEndpoint, clientId, clientSecret); 
    return await tokenClient.RequestResourceOwnerPasswordAsync(user, password, requestedScopes); 
} 
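public async Task SignInAsync(TokenResponse token) 
{ 
    // Validates the token issued by IdentityServer3 and signs its claims in as
    // the local "Cookies" identity handled by the cookie middleware configured
    // in ConfigureAuth. Expects a successful token response; a response without
    // an access token is rejected before any claim is built.
    if (token == null) 
    { 
        throw new ArgumentNullException("token"); 
    } 
    if (string.IsNullOrEmpty(token.AccessToken)) 
    { 
        throw new InvalidOperationException("The token response does not contain an access token."); 
    } 

    var claims = await ValidateIdentityTokenAsync(token); 

    var id = new ClaimsIdentity(claims, "Cookies"); 
    // The cookie ticket now carries live bearer credentials; the cookie
    // middleware protects the ticket, but the cookie must only travel over HTTPS.
    id.AddClaim(new Claim("access_token", token.AccessToken)); 
    // DateTime.Now is already local time, so the former ToLocalTime() call was a
    // no-op; the plain ToString() is kept so the stored value's format is unchanged.
    id.AddClaim(new Claim("expires_at", DateTime.Now.AddSeconds(token.ExpiresIn).ToString())); 
    // A Claim may not have a null value, and the refresh token is only present
    // when the offline_access scope was granted — add it conditionally.
    if (!string.IsNullOrEmpty(token.RefreshToken)) 
    { 
        id.AddClaim(new Claim("refresh_token", token.RefreshToken)); 
    } 
    Request.GetOwinContext().Authentication.SignIn(id); 
} 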

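private Task<IEnumerable<Claim>> ValidateIdentityTokenAsync(TokenResponse token) 
{ 
    // Validates the *access* token (despite the method name) against the
    // IdentityServer3 signing certificate and returns its claims plus a
    // ClaimTypes.Name claim. Validation is pure CPU work, so it runs inline:
    // wrapping it in Task.Run inside an ASP.NET request only moves the work
    // to another pool thread and costs a thread switch.
    if (token == null) 
    { 
        throw new ArgumentNullException("token"); 
    } 
    if (string.IsNullOrEmpty(token.AccessToken)) 
    { 
        throw new InvalidOperationException("The token response does not contain an access token."); 
    } 

    // Base64 DER of the signing certificate's public part (subject CN=idsrv3test).
    // This appears to be the IdentityServer3 sample certificate, whose private
    // key ships with the public samples; a real deployment must use its own key
    // and preferably obtain it from the server's discovery document rather than
    // embedding it here. Its validity window also appears to end in 2020 —
    // NOTE(review): confirm whether the handler's certificate validation checks expiry.
    var certString = "MIIDBTCCAfGgAwIBAgIQNQb+T2ncIrNA6cKvUA1GWTAJBgUrDgMCHQUAMBIxEDAOBgNVBAMTB0RldlJvb3QwHhcNMTAwMTIwMjIwMDAwWhcNMjAwMTIwMjIwMDAwWjAVMRMwEQYDVQQDEwppZHNydjN0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqnTksBdxOiOlsmRNd+mMS2M3o1IDpK4uAr0T4/YqO3zYHAGAWTwsq4ms+NWynqY5HaB4EThNxuq2GWC5JKpO1YirOrwS97B5x9LJyHXPsdJcSikEI9BxOkl6WLQ0UzPxHdYTLpR4/O+0ILAlXw8NU4+jB4AP8Sn9YGYJ5w0fLw5YmWioXeWvocz1wHrZdJPxS8XnqHXwMUozVzQj+x6daOv5FmrHU1r9/bbp0a1GLv4BbTtSh4kMyz1hXylho0EvPg5p9YIKStbNAW9eNWvv5R8HN7PPei21AsUqxekK0oW9jnEdHewckToX7x5zULWKwwZIksll0XnVczVgy7fCFwIDAQABo1wwWjATBgNVHSUEDDAKBggrBgEFBQcDATBDBgNVHQEEPDA6gBDSFgDaV+Q2d2191r6A38tBoRQwEjEQMA4GA1UEAxMHRGV2Um9vdIIQLFk7exPNg41NRNaeNu0I9jAJBgUrDgMCHQUAA4IBAQBUnMSZxY5xosMEW6Mz4WEAjNoNv2QvqNmk23RMZGMgr516ROeWS5D3RlTNyU8FkstNCC4maDM3E0Bi4bbzW3AwrpbluqtcyMN3Pivqdxx+zKWKiORJqqLIvN8CT1fVPxxXb/e9GOdaR8eXSmB0PgNUhM4IjgNkwBbvWC9F/lzvwjlQgciR7d4GfXPYsE1vf8tmdQaY8/PtdAkExmbrb9MihdggSoGXlELrPA91Yce+fiRcKY3rQlNWVd4DOoJ/cPXsXwry8pWjNCo5JD8Q+RQ5yZEy7YPoifwemLhTdsBz3hlZr28oCGJ3kbnpW0xGvQb3VHSTVVbeei0CfXoW6iz1"; 
    var cert = new X509Certificate2(Convert.FromBase64String(certString)); 

    // Audience and issuer pin the token to this IdentityServer instance; the
    // "name" claim of the JWT becomes Identity.Name on the resulting principal.
    var validationParameters = new TokenValidationParameters 
    { 
        ValidAudience = "https://localhost:44333/core/resources", 
        ValidIssuer = "https://localhost:44333/core", 
        NameClaimType = "name", 
        IssuerSigningTokens = new X509CertificateSecurityTokenProvider("https://localhost:44333/core", cert).SecurityTokens 
    }; 

    var tokenHandler = new JwtSecurityTokenHandler(); 
    SecurityToken validatedToken; 
    // Throws (e.g. a SecurityTokenValidationException) when the signature,
    // issuer, audience or lifetime check fails; callers treat that as a failed login.
    ClaimsPrincipal principal = tokenHandler.ValidateToken(token.AccessToken, validationParameters, out validatedToken); 

    var claimList = principal.Claims.ToList(); 
    // Mirror the "name" claim as ClaimTypes.Name for code that looks it up by
    // the .NET claim type; skipped when the token has no name claim, because a
    // Claim may not have a null value.
    var name = principal.Identity.Name; 
    if (!string.IsNullOrEmpty(name)) 
    { 
        claimList.Add(new Claim(ClaimTypes.Name, name)); 
    } 
    return Task.FromResult<IEnumerable<Claim>>(claimList); 
} 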

[HttpPost] 
[ValidateAntiForgeryToken] 
public ActionResult LogOff() 
{ 
    // Ends the local "Cookies" session only; any session at IdentityServer3 is
    // left untouched. POST plus the anti-forgery token keeps a third-party page
    // from logging the user out with a forged request.
    var authManager = Request.GetOwinContext().Authentication; 
    authManager.SignOut("Cookies"); 
    return RedirectToAction("Index", "Home"); 
} 

您需要使Identity Server知道社交登錄提供程序。您可以通過在IdentityServerOptions的AuthenticationOptions上將它們註冊爲IdentityProviders來完成此操作。

例如添加Facebook身份驗證;

Install-Package Microsoft.Owin.Security.Facebook -Version 2.1.0 
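public static void Configuration(IAppBuilder appBuilder) 
{ 
    // Hosts IdentityServer3 under /core and registers Facebook as an external
    // identity provider. The original snippet did not compile: the call to
    // app.UseFaceBookAuthentication(... was never closed, the Map lambda lacked
    // its closing ");", and the Microsoft.Owin.Security.Facebook extension method
    // is spelled UseFacebookAuthentication.
    appBuilder.Map("/core", builder => 
    { 
        builder.UseIdentityServer(new IdentityServerOptions 
        { 
            AuthenticationOptions = new AuthenticationOptions 
            { 
                // signInAsType is the authentication type IdentityServer expects
                // external providers to sign in as; passing it through as
                // SignInAsAuthenticationType is what links the external principal
                // to IdentityServer's own sign-in.
                IdentityProviders = (app, signInAsType) => 
                    app.UseFacebookAuthentication(new FacebookAuthenticationOptions 
                    { 
                        AuthenticationType = "Facebook", 
                        Caption = "Facebook", 
                        SignInAsAuthenticationType = signInAsType, 
                        // Placeholders: load the real app id and secret from
                        // configuration or a secret store, not from source control.
                        AppId = "...", 
                        AppSecret = "..." 
                    }) 
            } 
        }); 
    }); 
} 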

將提供程序的SignInAsAuthenticationType屬性設置爲signInAsType是關鍵部分,因爲這建立了已登錄的principal與Identity Server之間的聯繫。

還有更多關於此的信息;

https://identityserver.github.io/Documentation/docsv2/configuration/identityProviders.html