ASP.NET 身份未正确授权
ASP.NET Identity not authorizing properly
我正在尝试创建一个简单的登录路由,这段代码可以很好地登录并将 cookie 发送到浏览器:
[Route("Login")]
[AllowAnonymous]
public async Task<IHttpActionResult> Login(UserBindingModel model)
{
if (ModelState.IsValid)
{
var user = await UserManager.FindUserAsync(model.username, model.password);
if (user != null)
{
await SignInAsync(user, true);
return Ok();
}
}
return BadRequest();
}
这是正在调用的 SignInAsync 方法:
private async Task SignInAsync(ApplicationUser user, bool isPersistent)
{
Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
Authentication.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
}
这是我的身份配置:
public class ApplicationUserManager : UserManager<ApplicationUser>
{
public ApplicationUserManager(IUserStore<ApplicationUser> store)
: base(store)
{
}
public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
{
var manager = new ApplicationUserManager(new TestUserStore());
// Configure validation logic for usernames
manager.UserValidator = new UserValidator<ApplicationUser>(manager)
{
AllowOnlyAlphanumericUserNames = false,
RequireUniqueEmail = true
};
// Configure validation logic for passwords
manager.PasswordValidator = new PasswordValidator
{
RequiredLength = 6,
RequireNonLetterOrDigit = false,
RequireDigit = true,
RequireLowercase = true,
RequireUppercase = false,
};
var dataProtectionProvider = options.DataProtectionProvider;
if (dataProtectionProvider != null)
{
manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(dataProtectionProvider.Create("ASP.NET Identity"));
}
return manager;
}
public async Task<ApplicationUser> FindUserAsync(string username, string password)
{
var userStore = new TestUserStore();
ApplicationUser user = await userStore.FindByNameAsync(username, password);
return await Task.FromResult(user);
}
}
尽管这样可以将 cookie 正确地发送到浏览器并且身份验证部分可以正常工作,但每当我调用另一个 api 控制器时,我都会收到该请求未经授权的消息。我对身份框架不是很熟悉,所以我不知道发生了什么。
我的原始代码有 2 个错误
1.) 默认身份验证类型不一致。他们应该都是 ApplicationCookie
2.) 在 Web API 配置中,我不得不注释掉以下行:
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
这是将身份验证类型设置为 "Bearer",这与我的应用程序 Cookie 身份验证方法不一致,因此导致了我遇到的问题。
我正在尝试创建一个简单的登录路由,这段代码可以很好地登录并将 cookie 发送到浏览器:
[Route("Login")]
[AllowAnonymous]
public async Task<IHttpActionResult> Login(UserBindingModel model)
{
if (ModelState.IsValid)
{
var user = await UserManager.FindUserAsync(model.username, model.password);
if (user != null)
{
await SignInAsync(user, true);
return Ok();
}
}
return BadRequest();
}
这是正在调用的 SignInAsync 方法:
private async Task SignInAsync(ApplicationUser user, bool isPersistent)
{
Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
Authentication.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
}
这是我的身份配置:
public class ApplicationUserManager : UserManager<ApplicationUser>
{
public ApplicationUserManager(IUserStore<ApplicationUser> store)
: base(store)
{
}
public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
{
var manager = new ApplicationUserManager(new TestUserStore());
// Configure validation logic for usernames
manager.UserValidator = new UserValidator<ApplicationUser>(manager)
{
AllowOnlyAlphanumericUserNames = false,
RequireUniqueEmail = true
};
// Configure validation logic for passwords
manager.PasswordValidator = new PasswordValidator
{
RequiredLength = 6,
RequireNonLetterOrDigit = false,
RequireDigit = true,
RequireLowercase = true,
RequireUppercase = false,
};
var dataProtectionProvider = options.DataProtectionProvider;
if (dataProtectionProvider != null)
{
manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(dataProtectionProvider.Create("ASP.NET Identity"));
}
return manager;
}
public async Task<ApplicationUser> FindUserAsync(string username, string password)
{
var userStore = new TestUserStore();
ApplicationUser user = await userStore.FindByNameAsync(username, password);
return await Task.FromResult(user);
}
}
尽管这样可以将 cookie 正确地发送到浏览器并且身份验证部分可以正常工作,但每当我调用另一个 api 控制器时,我都会收到该请求未经授权的消息。我对身份框架不是很熟悉,所以我不知道发生了什么。
我的原始代码有 2 个错误
1.) 默认身份验证类型不一致。他们应该都是 ApplicationCookie
2.) 在 Web API 配置中,我不得不注释掉以下行:
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
这是将身份验证类型设置为 "Bearer",这与我的应用程序 Cookie 身份验证方法不一致,因此导致了我遇到的问题。