你如何消耗.NET应用WebApi2内的OAuth2令牌请求额外的参数

本文介绍了你如何消耗.NET应用WebApi2内的OAuth2令牌请求额外的参数的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我有一个大的.NET MVC 5网络解决方案的API具体的项目。我利用现成的WebApi2模板，通过API用户进行身份验证。使用个人账户进行身份验证，以获得访问令牌所需的请求体是：

I have an api specific project in a large .net MVC 5 web solution. I am utilizing the WebApi2 templates out of the box to authenticate a user through the api. Using individual accounts to authenticate, the request body required to get an access token is:

grant_type=password&username={someuser}&password={somepassword}

这正常工作。

不过，我需要一个第三维添加到脚手架方法GrantResourceOwnerCredentials。除了检查用户名/密码，我需要添加设备ID，这是为了限制从用户帐户到一个特定的设备访问。什么是不清晰的是如何将这些额外的请求参数添加到已定义的OAuthGrantResourceOwnerCredentialsContext。这方面目前已经制造出室用户名和密码，但显然我需要包括更多。

However, I need to add a 3rd dimension to the scaffolded method "GrantResourceOwnerCredentials". In addition to checking the username/password, i need to add a device id, which is meant to restrict access from a user account to a specific device. What's not clear is how to add these extra request parameters to the already defined "OAuthGrantResourceOwnerCredentialsContext". This context currently makes room for UserName and Password, but obviously i'll need to include more.

我的问题很简单，就是有延长的OWIN的OAuth2令牌请求登录要求，包括更多数据的标准方法是什么？而且，你会怎么做可靠，在.NET环境WebApi2？

My question is simply, is there a standard way to extend the login requirements for the OWIN OAuth2 token request to include more data? And, how would you reliably do that in a .NET WebApi2 environment?

推荐答案

由于通常的情况是，我找到了答案提交问题后，立即...

As it often is the case, I found the answer immediately after submitting the question...

ApplicationOAuthProvider.cs包含下列code外的开箱

ApplicationOAuthProvider.cs contains the following code out-of-the-box

public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    using (UserManager<IdentityUser> userManager = _userManagerFactory())
    {
        IdentityUser user = await userManager.FindAsync(context.UserName, context.Password);

        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        ClaimsIdentity oAuthIdentity = await userManager.CreateIdentityAsync(user,
            context.Options.AuthenticationType);
        ClaimsIdentity cookiesIdentity = await userManager.CreateIdentityAsync(user,
            CookieAuthenticationDefaults.AuthenticationType);
        AuthenticationProperties properties = CreateProperties(context.UserName, data["udid"]);
        AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
        context.Validated(ticket);
        context.Request.Context.Authentication.SignIn(cookiesIdentity);
    }
}

通过简单地添加

var data = await context.Request.ReadFormAsync();

在方法中，您可以访问所有的变量发布在请求体，并为你喜欢使用它们。就我而言，我立刻把它放在用户空检查后执行更严格的安全检查。

within the method, you can access all posted variables in the request body and use them as you like. In my case, I placed it immediately after the null-check on the user to perform a more restrictive security check.

希望这可以帮助别人！

这篇关于你如何消耗.NET应用WebApi2内的OAuth2令牌请求额外的参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！