OWIN多应用承载令牌认证

Question

我想对VS 2013中的ASP.NET的默认单页面应用程序模板进行修改,该模板当前使用了承载令牌身份验证.该示例使用app.UseOAuthBearerTokens创建令牌服务器和中间件,以验证同一应用程序中的请求令牌.

我想做的是保留原样,但添加第二个应用程序(在IIS中绑定到同一个域,不同的路径 - 例如/ auth/*用于身份验证服务器,/ app1/*用于应用程序).对于第二个应用程序,我希望它接受第一个应用程序中的身份验证服务器发出的令牌.怎么可以实现呢？我在Startup.Auth.cs中尝试了以下内容,只是关闭了UseOAuthBearerTokens中的代码,但我得到了对[Authorize]属性的任何请求的401响应:

public partial class Startup
{
    static Startup()
    {
        PublicClientId = "self";

        UserManagerFactory = () => new UserManager<IdentityUser>(new UserStore<IdentityUser>());

        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            //TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
            //AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            //AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
            AuthenticationType = "ExternalBearer",
            AllowInsecureHttp = true,
        };
    }

    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }

    public static Func<UserManager<IdentityUser>> UserManagerFactory { get; set; }

    public static string PublicClientId { get; private set; }

    // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
    public void ConfigureAuth(IAppBuilder app)
    {
        //// Enable the application to use a cookie to store information for the signed in user
        //// and to use a cookie to temporarily store information about a user logging in with a third party login provider
        //app.UseCookieAuthentication(new CookieAuthenticationOptions());
        //app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        OAuthBearerAuthenticationOptions bearerOptions = new OAuthBearerAuthenticationOptions();
        bearerOptions.AccessTokenFormat = OAuthOptions.AccessTokenFormat;
        bearerOptions.AccessTokenProvider = OAuthOptions.AccessTokenProvider;
        bearerOptions.AuthenticationMode = OAuthOptions.AuthenticationMode;
        bearerOptions.AuthenticationType = OAuthOptions.AuthenticationType;
        bearerOptions.Description = OAuthOptions.Description;
        bearerOptions.Provider = new CustomBearerAuthenticationProvider();
        bearerOptions.SystemClock = OAuthOptions.SystemClock;
        OAuthBearerAuthenticationExtensions.UseOAuthBearerAuthentication(app, bearerOptions);
    }
}

public class CustomBearerAuthenticationProvider : OAuthBearerAuthenticationProvider
    {
        public override Task ValidateIdentity(OAuthValidateIdentityContext context)
        {
            var claims = context.Ticket.Identity.Claims;
            if (claims.Count() == 0 || claims.Any(claim => claim.Issuer != "LOCAL AUTHORITY"))
                context.Rejected();
            return Task.FromResult<object>(null);
        }
    }

显然,我错过了第二个应用程序有一些方法可以验证令牌来自第一个应用程序的部分.某种公共签名密钥？

这仅用于概念验证.

编辑:机器密钥建议对POC演示运行良好,并且很高兴知道有AS实现选项支持其他关键场景.

我能够使用此站点生成DEMO密钥(不用于生产):http: //aspnetresources.com/tools/machineKey

并将结果放在<system.web>IIS站点中托管的每个应用程序的web.config中的元素下.我还必须删除资源服务器的Startup类中的一些特定于AS的配置选项.

Answer 1

目前,中间件(或者更确切地说是生成的令牌)并不是真正设计用于跨应用程序.对于这些场景,您应该使用真正的授权服务器(例如https://github.com/thinktecture/Thinktecture.AuthorizationServer).

也就是说,您可以通过在两个应用程序中同步机器密钥(web.config中的machineKey元素)来使其工作.但我从未尝试过.