c# - Customizing the allowed grant types with OAuthAuthorizationServer

Tags: c# oauth-2.0 asp.net-web-api2

I am implementing OAuth 2.0 for a Web API. Initially, the only grant type I want to allow is "password", the resource owner password credentials grant. In the future I may expand to other stock grant types or even build custom ones. To implement this, I created the following code in my Startup.cs class. I did not specify an authorization endpoint, only a token endpoint.

using System;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureAuth(app);
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        var myOAuthServerProvider = new MyOAuthServerProvider();

        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            // Mark true if you are not on an https channel. This should never be true for production.
            AllowInsecureHttp = true,

            // Enable a 60 minute expiration time.
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60),

            // Allows the authorization server to alter the response coming out so it can report a 401.
            AuthenticationMode = AuthenticationMode.Active,

            // Provider needs to be the custom class that performs our authentication.
            Provider = myOAuthServerProvider,

            // This specifies the endpoint path where you can generate a token.
            TokenEndpointPath = new PathString("/api/token"),
        });
    }
}

For the MyOAuthServerProvider class, should I inherit from OAuthAuthorizationServerProvider and override specific methods to allow only the grant types I want to enable, or should I implement MyOAuthServerProvider from scratch against the IOAuthAuthorizationServerProvider interface?

Best answer

To allow only the grant types you want, inheriting from OAuthAuthorizationServerProvider is enough. Then you need to override two methods:

  • ValidateClientAuthentication - verifies that the request comes from a registered client_id
  • GrantResourceOwnerCredentials - verifies the supplied username and password when grant_type is set to password

For more information, see the documentation of the GrantResourceOwnerCredentials method:

    Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and optional "refresh_token". If the web application supports the resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated with the access token. The application should take appropriate measures to ensure that the endpoint isn’t abused by malicious callers. The default behavior is to reject this grant type.
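As an added example, not the asker's or the answerer's code, here is a MyOAuthServerProvider that overrides exactly those two methods; the IUserStore service and the registered client id "my-spa-client" are assumed placeholders.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Added example, not the asker's code. IUserStore is a hypothetical
// application service that checks a username/password pair.
public interface IUserStore
{
    Task<bool> ValidateCredentialsAsync(string username, string password);
}

public class MyOAuthServerProvider : OAuthAuthorizationServerProvider
{
    private readonly IUserStore _users;
    // Constructed sample of registered public client ids (no client secret).
    private static readonly string[] RegisteredClientIds = { "my-spa-client" };

    public MyOAuthServerProvider(IUserStore users) { _users = users; }

    // Runs for every token request: confirm the caller is a registered client_id.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            context.TryGetFormCredentials(out clientId, out clientSecret);

        if (clientId != null && Array.IndexOf(RegisteredClientIds, clientId) >= 0)
            context.Validated(clientId);
        else
            context.SetError("invalid_client", "Unknown client_id.");
        return Task.FromResult(0);
    }

    // Reached only for grant_type=password. Grant types without an override
    // (authorization_code, client_credentials, refresh_token) keep the base class's default: rejection.
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!await _users.ValidateCredentialsAsync(context.UserName, context.Password))
        {
            // One generic error for both unknown user and wrong password.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        context.Validated(identity);
    }
}
```

Because no other Grant* method is overridden, a request with any other grant_type is answered with the middleware's default unsupported_grant_type error, which is the behaviour the question asks for.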

On "c# - Customizing the allowed grant types with OAuthAuthorizationServer", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/32616069/
