在ASP.NET 5中将声明与OpenIdConnect.Server一起使用

Question

在过去的7天中，我尝试使用OpenIdConnect.Server资源所有者流来设置ASP.NET 5 WebApi 。

我或多或少成功地生成了令牌并访问了[Authorize]受保护的操作。

但是，当我尝试访问时this.User.Identity.Claims，它是空的。我现在正在使用ASP.NET 5，beta6（在升级到最新的beta7并等待其正式发布时遇到了麻烦）

在Startup.cs中，我得到了以下内容：

public void ConfigureServices(IServiceCollection services)
{
    services.AddCaching();

    services.AddEntityFramework()
        .AddSqlServer()
        .AddDbContext<AuthContext>(options =>
        {
            options.UseSqlServer(Configuration.Get("Data:DefaultConnection:ConnectionString"));
        });

    services.AddIdentity<AuthUser, AuthRole>(
        options => options.User = new Microsoft.AspNet.Identity.UserOptions
        {
            RequireUniqueEmail = true,
            UserNameValidationRegex = "^[a-zA-Z0-9@_\\.-]+$"
        })
        .AddEntityFrameworkStores<AuthContext, Guid>()
        .AddDefaultTokenProviders();

    services.ConfigureCors(configure =>
    {
        configure.AddPolicy("CorsPolicy", builder =>
        {
            builder.WithOrigins("http:/localhost/", "http://win2012.bludev.com/");
        });
    });

    services.AddScoped<IAuthRepository, AuthRepository>();
}

    public void Configure(IApplicationBuilder app)
    {
        var factory = app.ApplicationServices.GetRequiredService<ILoggerFactory>();
        factory.AddConsole();

        app.UseStaticFiles();

        app.UseOAuthBearerAuthentication(options =>
        {
            options.Authority = "http://win2012.bludev.com/api/auth/";
            options.Audience = "http://win2012.bludev.com/";

            options.AutomaticAuthentication = true;

            options.TokenValidationParameters = new TokenValidationParameters()
            {
                RequireExpirationTime = true,
                RequireSignedTokens = true,
                RoleClaimType = ClaimTypes.Role,
                NameClaimType = ClaimTypes.NameIdentifier,

                ValidateActor = true,
                ValidateAudience = false,
                ValidateIssuer = true,
                ValidateLifetime = false,
                ValidateIssuerSigningKey = true,
                ValidateSignature = true,

                ValidAudience = "http://win2012.bludev.com/",
                ValidIssuer = "http://win2012.bludev.com/"
            };
        });

        app.UseOpenIdConnectServer(options =>
        {
            options.Issuer = new Uri("http://win2012.bludev.com/api/auth/");
            options.AllowInsecureHttp = true;
            options.AuthorizationEndpointPath = PathString.Empty;
            options.Provider = new AuthorizationProvider();
            options.ApplicationCanDisplayErrors = true;

            // Note: in a real world app, you'd probably prefer storing the X.509 certificate
            // in the user or machine store. To keep this sample easy to use, the certificate
            // is extracted from the Certificate.pfx file embedded in this assembly.
            options.UseCertificate(
                assembly: typeof(Startup).GetTypeInfo().Assembly,
                resource: "AuthExample.Certificate.pfx",
                password: "Owin.Security.OpenIdConnect.Server");
        });

        app.UseIdentity();

        app.UseMvc();
    }
}

我曾经用过，app.UseOAuthBearerAuthentication因为我无法app.UseOpenIdConnectAuthentication工作，我只能在控制台中得到以下信息：

请求：/ admin / user /警告：[Microsoft.AspNet.Authentication.OpenIdConnect.OpenIdConnectAuthentica tionMiddleware] OIDCH_0004：OpenIdConnectAuthenticationHandler：message.State为null或为空。请求：/.well-known/openid-configuration警告：[Microsoft.AspNet.Authentication.OpenIdConnect.OpenIdConnectAuthentica tionMiddleware] OIDCH_0004：OpenIdConnectAuthenticationHandler：message.State为null或为空。

和超时后的异常

错误：[Microsoft.AspNet.Server.WebListener.MessagePump] ProcessRequestAsync System.InvalidOperationException：IDX10803：无法创建以从以下位置获取配置：http ://win2012.bludev.com/api/auth/.well-known/openid 配置 '。Microsoft.IdentityModel.Protocols.ConfigurationManager`1.d__24.MoveNext（）处的Microsoft.IdentityModel.Logging.LogHelper.Throw（字符串消息，类型exceptionType，EventLevel logLevel，Exception innerException）-从上一位置开始的堆栈跟踪结束在System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）处引发异常-System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNot ification（任务任务）...

使用此配置 UseOpenIdConnectAuthentication

app.UseOpenIdConnectAuthentication(options =>
{
    options.AuthenticationScheme = OpenIdConnectAuthenticationDefaults.AuthenticationScheme;

    options.Authority = "http://win2012.bludev.com/api/auth/";
    options.Audience = "http://win2012.bludev.com/";
    options.Resource = "http://win2012.bludev.com/";

    options.AutomaticAuthentication = true;

    options.TokenValidationParameters = new TokenValidationParameters()
    {
        RequireExpirationTime = true,
        RequireSignedTokens = true,
        RoleClaimType = ClaimTypes.Role,
        NameClaimType = ClaimTypes.NameIdentifier,

        ValidateActor = true,
        ValidateAudience = false,
        ValidateIssuer = true,
        ValidateLifetime = false,
        ValidateIssuerSigningKey = true,
        ValidateSignature = true
    };

});

因此，真正的问题是：

1. 如何获得资源所有者流程来处理索赔
2. ValidateLifetime = true否则ValidateAudience = true会引发异常并导致Http Code 500响应而不会出现打印错误。
3. 如何将身份验证失败转换为有意义的400/403代码，并为用户显示json或xml响应（取决于客户端首选项）？（在这种情况下，JavaScript是客户端）？