如果未提供令牌,OWIN 配置不会触发 Not Authorize
OWIN Configuration not firing Not Authorize if no token is provided
我像这样配置了我的 OWIN 启动 class :
public class Startup
{
public void Configuration(IAppBuilder app)
{
// For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=316888
app.UseActiveDirectoryFederationServicesBearerAuthentication(
new ActiveDirectoryFederationServicesBearerAuthenticationOptions
{
MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"],
TokenValidationParameters = new TokenValidationParameters()
{
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
ValidIssuer = ConfigurationManager.AppSettings["ida:Issuer"]
}
}
);
}
}
Global.asax.cs :
public class WebApiApplication : HttpApplication
{
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
GlobalConfiguration.Configure(WebApiConfig.Register);
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
}
}
还有我的控制器:
[RoutePrefix("v1/onboarding")]
public class OnboardingController : ApiController
{
[Route("client")]
[HttpGet]
public HttpResponseMessage CreateClient([FromUri] string CIFID)
{
return new HttpResponseMessage(HttpStatusCode.Created);
}
}
但是当我使用 postman 调用没有 Bearer 令牌的 GET /client 时,调用继续并且我得到我的 201 响应状态。
如果我不提供不记名令牌,应该会触发 403 未授权状态码,对吗?
向控制器添加了 [Authorize] 属性。
我像这样配置了我的 OWIN 启动 class :
public class Startup
{
public void Configuration(IAppBuilder app)
{
// For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=316888
app.UseActiveDirectoryFederationServicesBearerAuthentication(
new ActiveDirectoryFederationServicesBearerAuthenticationOptions
{
MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"],
TokenValidationParameters = new TokenValidationParameters()
{
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
ValidIssuer = ConfigurationManager.AppSettings["ida:Issuer"]
}
}
);
}
}
Global.asax.cs :
public class WebApiApplication : HttpApplication
{
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
GlobalConfiguration.Configure(WebApiConfig.Register);
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
}
}
还有我的控制器:
[RoutePrefix("v1/onboarding")]
public class OnboardingController : ApiController
{
[Route("client")]
[HttpGet]
public HttpResponseMessage CreateClient([FromUri] string CIFID)
{
return new HttpResponseMessage(HttpStatusCode.Created);
}
}
但是当我使用 postman 调用没有 Bearer 令牌的 GET /client 时,调用继续并且我得到我的 201 响应状态。
如果我不提供不记名令牌,应该会触发 403 未授权状态码,对吗?
向控制器添加了 [Authorize] 属性。