OWIN令牌認證400從瀏覽器

Question

OPTIONS我使用令牌認證基於本文的小項目請求無效：http://bitoftech.net/2014/06/09/angularjs-token-authentication-using-asp-net-web-api-2-owin-asp-net-identity/

一切似乎除了一兩件事，做工精細：OWIN基於令牌的認證不允許OPTIONS請求on/token端點。 Web API返回400錯誤請求，並且整個瀏覽器應用程序停止發送POST請求以獲取令牌。

我已經在示例項目中啓用了應用程序中的所有CORS。下面一些代碼，可能是相關的：

public class Startup 
    { 
     public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; } 

     public void Configuration(IAppBuilder app) 
     { 
      AreaRegistration.RegisterAllAreas(); 
      UnityConfig.RegisterComponents(); 
      GlobalConfiguration.Configure(WebApiConfig.Register); 
      FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); 
      RouteConfig.RegisterRoutes(RouteTable.Routes); 
      BundleConfig.RegisterBundles(BundleTable.Bundles); 

      HttpConfiguration config = new HttpConfiguration(); 

      app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll); 

      ConfigureOAuth(app); 

      WebApiConfig.Register(config); 

      app.UseWebApi(config); 

      Database.SetInitializer(new ApplicationContext.Initializer()); 
     } 

     public void ConfigureOAuth(IAppBuilder app) 
     { 
      //use a cookie to temporarily store information about a user logging in with a third party login provider 
      app.UseExternalSignInCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie); 
      OAuthBearerOptions = new OAuthBearerAuthenticationOptions(); 

      OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions() 
      { 
       AllowInsecureHttp = true, 
       TokenEndpointPath = new PathString("/token"), 
       AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60), 
       Provider = new SimpleAuthorizationServerProvider(), 
       RefreshTokenProvider = new SimpleRefreshTokenProvider() 
      }; 

      // Token Generation 
      app.UseOAuthAuthorizationServer(OAuthServerOptions); 
      app.UseOAuthBearerAuthentication(OAuthBearerOptions); 
     } 
    } 

下面是我的javascript登錄功能（我爲此使用angularjs）

var _login = function (loginData) { 

     var data = "grant_type=password&username=" + loginData.userName + "&password=" + loginData.password; 

     data = data + "&client_id=" + ngAuthSettings.clientId; 

     var deferred = $q.defer(); 

     $http.post(serviceBase + 'token', data, { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }).success(function (response) { 

     localStorageService.set('authorizationData', { token: response.access_token, userName: loginData.userName, refreshToken: response.refresh_token, useRefreshTokens: true }); 
     _authentication.isAuth = true; 
     _authentication.userName = loginData.userName; 
     _authentication.useRefreshTokens = loginData.useRefreshTokens; 

     deferred.resolve(response); 

     }).error(function (err, status) { 
      _logOut(); 
      deferred.reject(err); 
     }); 

     return deferred.promise; 
    }; 

    var _logOut = function() { 

     localStorageService.remove('authorizationData'); 

     _authentication.isAuth = false; 
     _authentication.userName = ""; 
     _authentication.useRefreshTokens = false; 

    }; 

Answer 1

解決它。問題不是通過OPTIONS請求頭髮送訪問控制請求方法

Answer 2

我今天在這個問題上已經失去了一些時間。最後我想我已經找到了解決方案。您OAuthAuthorizationServerProvider內

覆蓋方法：

public override Task MatchEndpoint(OAuthMatchEndpointContext context) 
{ 
    if (context.IsTokenEndpoint && context.Request.Method == "OPTIONS") 
    { 
     context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" }); 
     context.OwinContext.Response.Headers.Add("Access-Control-Allow-Headers", new[] { "authorization" }); 
     context.RequestCompleted(); 
     return Task.FromResult(0); 
    } 

    return base.MatchEndpoint(context); 
} 

這似乎做三件所需的東西：

• 力auth服務器響應選項200（OK）HTTP狀態請求，
• 通過設置允許請求來自任何地方Access-Control-Allow-Origin
• 允許Authorization頭設置在subseq通過設置的向上請求Access-Control-Allow-Headers

經過這些步驟後，角度最終在使用OPTIONS方法請求令牌端點時表現正確。返回OK狀態，它重複使用POST方法獲取完整令牌數據的請求。

Answer 3

這應該做的伎倆：

app.UseCors(CorsOptions.AllowAll);