WebForm 用授权码替换 OAUTH2 隐式流程
WebForm replace OAUTH2 implicit flow with Authorization Code
我想知道 ASP.NET 4.7 WebForm 应用程序是否可以使用带有代码交换证明密钥 (PKCE) 的授权代码流来使用 OAUTH 身份验证,以便不在客户端。
这是目前在Startup.Auth.cs class中使用的代码:
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.Notifications;
using Owin;
using System.Threading.Tasks;
using System.Web;
public partial class Startup
{
string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];
string redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];
static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];
string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, System.Configuration.ConfigurationManager.AppSettings["Authority"], tenant);
public void ConfigureAuth(IAppBuilder app)
{
var provider = new CookieAuthenticationProvider();
provider.OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User>(
validateInterval: TimeSpan.FromMinutes(60),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager));
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
//Workaround for Katana bug #197
app.UseKentorOwinCookieSaver();
//******************************
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
SlidingExpiration = true,
ExpireTimeSpan = TimeSpan.FromMinutes(60),
LoginPath = new PathString("/Account/Login"),
CookieSecure = CookieSecureOption.Always,
Provider = provider
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Sets the ClientId, authority, RedirectUri as obtained from web.config
ClientId = clientId,
Authority = authority,
RedirectUri = redirectUri,
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
PostLogoutRedirectUri = redirectUri,
Scope = OpenIdConnectScope.OpenIdProfile,
ResponseType = OpenIdConnectResponseType.IdToken,
TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = false
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
AuthorizationCodeReceived = (context) =>
{
return Task.FromResult(0);
},
SecurityTokenValidated = (context) =>
{
return Task.FromResult(0);
},
SecurityTokenReceived = (context) =>
{
return Task.FromResult(0);
}
}
}
);
}
...
}
有没有办法做到这一点,或者也许没有必要,因为“授权代码”流程仅在单页应用程序中提高安全性?
参考:https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use
应该可以正常工作 - 流程由 response_type 字段确定:
隐式流将使用 'token' 或 'token id_token' - 看起来您没有使用它。建议避免包含令牌,因为 URL 中的 returns 个令牌可能会泄漏
通过 'code' 使用代码流 - 尽管我相信 MS 库可能要求您使用 'code id_token' 的混合流。两者都是安全设计。
单页应用程序需要 PKCE,因为它们不能存储客户端密码。对于您的服务器端应用程序,它不太重要,因为秘密不会透露给浏览器。我认为那些 MS 服务器端库不支持 PKCE。
我想知道 ASP.NET 4.7 WebForm 应用程序是否可以使用带有代码交换证明密钥 (PKCE) 的授权代码流来使用 OAUTH 身份验证,以便不在客户端。
这是目前在Startup.Auth.cs class中使用的代码:
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.Notifications;
using Owin;
using System.Threading.Tasks;
using System.Web;
public partial class Startup
{
string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];
string redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];
static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];
string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, System.Configuration.ConfigurationManager.AppSettings["Authority"], tenant);
public void ConfigureAuth(IAppBuilder app)
{
var provider = new CookieAuthenticationProvider();
provider.OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User>(
validateInterval: TimeSpan.FromMinutes(60),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager));
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
//Workaround for Katana bug #197
app.UseKentorOwinCookieSaver();
//******************************
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
SlidingExpiration = true,
ExpireTimeSpan = TimeSpan.FromMinutes(60),
LoginPath = new PathString("/Account/Login"),
CookieSecure = CookieSecureOption.Always,
Provider = provider
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Sets the ClientId, authority, RedirectUri as obtained from web.config
ClientId = clientId,
Authority = authority,
RedirectUri = redirectUri,
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
PostLogoutRedirectUri = redirectUri,
Scope = OpenIdConnectScope.OpenIdProfile,
ResponseType = OpenIdConnectResponseType.IdToken,
TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = false
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
AuthorizationCodeReceived = (context) =>
{
return Task.FromResult(0);
},
SecurityTokenValidated = (context) =>
{
return Task.FromResult(0);
},
SecurityTokenReceived = (context) =>
{
return Task.FromResult(0);
}
}
}
);
}
...
}
有没有办法做到这一点,或者也许没有必要,因为“授权代码”流程仅在单页应用程序中提高安全性?
参考:https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use
应该可以正常工作 - 流程由 response_type 字段确定:
隐式流将使用 'token' 或 'token id_token' - 看起来您没有使用它。建议避免包含令牌,因为 URL 中的 returns 个令牌可能会泄漏
通过 'code' 使用代码流 - 尽管我相信 MS 库可能要求您使用 'code id_token' 的混合流。两者都是安全设计。
单页应用程序需要 PKCE,因为它们不能存储客户端密码。对于您的服务器端应用程序,它不太重要,因为秘密不会透露给浏览器。我认为那些 MS 服务器端库不支持 PKCE。