我想知道如果它是可能的ASP。. NET 4.7 WebForm应用程序使用OAUTH身份验证,使用带有代码交换证明密钥(PKCE)的授权码流,以避免在客户端暴露令牌。
这是当前在Startup.Auth.cs类中使用的代码:
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.Notifications;
using Owin;
using System.Threading.Tasks;
using System.Web;
public partial class Startup
{
string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];
string redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];
static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];
string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, System.Configuration.ConfigurationManager.AppSettings["Authority"], tenant);
public void ConfigureAuth(IAppBuilder app)
{
var provider = new CookieAuthenticationProvider();
provider.OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User>(
validateInterval: TimeSpan.FromMinutes(60),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager));
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
//Workaround for Katana bug #197
app.UseKentorOwinCookieSaver();
//******************************
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
SlidingExpiration = true,
ExpireTimeSpan = TimeSpan.FromMinutes(60),
LoginPath = new PathString("/Account/Login"),
CookieSecure = CookieSecureOption.Always,
Provider = provider
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Sets the ClientId, authority, RedirectUri as obtained from web.config
ClientId = clientId,
Authority = authority,
RedirectUri = redirectUri,
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
PostLogoutRedirectUri = redirectUri,
Scope = OpenIdConnectScope.OpenIdProfile,
ResponseType = OpenIdConnectResponseType.IdToken,
TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = false
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
AuthorizationCodeReceived = (context) =>
{
return Task.FromResult(0);
},
SecurityTokenValidated = (context) =>
{
return Task.FromResult(0);
},
SecurityTokenReceived = (context) =>
{
return Task.FromResult(0);
}
}
}
);
}
...
}
是否有办法做到这一点,或者可能没有必要,因为"授权码"流仅在单页应用程序中提高安全性?
裁判:https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use
应该可以正常工作-流由response_type字段决定:
-
隐式流将使用'token'或'token id_token' -它看起来不像你在使用它。建议避免包含令牌,因为这会在url中返回令牌,并且它们可能会泄漏
-
通过'code'使用代码流-尽管我相信MS库可能要求您使用'code id_token'的混合流。两者都是安全的设计。
PKCE是单页应用程序所需要的,因为它们不能存储客户端秘密。对于你的服务器端应用来说,这就不那么重要了,因为这个秘密并没有透露给浏览器。我不认为那些MS服务器端库支持PKCE。