我正在使用OWIN中间件开发OAuth v2授权服务器,并试图实现OAuth2授权代码授予流,但我遇到了一个问题,如果redirect_uri包含querystring参数,并且资源所有者必须进行身份验证,则我的客户端会收到错误。
客户端能够请求认证码,但当它试图将该码交换为访问令牌时,授权服务器以"HTTP状态"作为响应;400坏请求";以及以下响应主体。
{"error":"invalid_grant"}
如果redirect_uri不包含querystring参数,或者客户端在请求授权代码之前删除了这些参数,那么它就可以完美地工作。如果资源所有者已经通过授权服务器进行了身份验证,那么它也可以正常工作。
我的客户端正在使用DotNetOpenAuth和Glimpse,我可以看到redirect_uri在授权码请求和访问令牌请求之间是一致的。
Glimpse日志中的故障如下所示:
Prepared outgoing EndUserAuthorizationRequestC (2.0) message for http://localhost:61814/authorize:
client_id: localhost36618
redirect_uri: http://localhost:36618/login?redirectURL=%2FProfile
state: <state token>
scope: authentication
response_type: code
Processing incoming EndUserAuthorizationSuccessAuthCodeResponse (2.0) message:
code: <authorization code>
state: <state token>
redirectURL: /Profile
Prepared outgoing AccessTokenAuthorizationCodeRequestC (2.0) message for http://localhost:61814/token:
code: <authorization code>
redirect_uri: http://localhost:36618/login?redirectURL=%2FProfile
grant_type: authorization_code
http://localhost:61814/token returned 400 BadRequest: Bad Request
WebException from http://localhost:61814/token: {"error":"invalid_grant"}
但是,如果我从redirect_uri中省略querystring参数,它就起作用了:
Prepared outgoing EndUserAuthorizationRequestC (2.0) message for http://localhost:61814/authorize:
client_id: localhost36618
redirect_uri: http://localhost:36618/Login
state: <state token>
scope: authentication
response_type: code
Processing incoming EndUserAuthorizationSuccessAuthCodeResponse (2.0) message:
code: <authorization code>
state: <state token>
Prepared outgoing AccessTokenAuthorizationCodeRequestC (2.0) message for http://localhost:61814/token:
code: <authorization code>
redirect_uri: http://localhost:36618/Login
grant_type: authorization_code
Processing incoming AccessTokenSuccessResponse (2.0) message:
access_token: <access token>
token_type: bearer
expires_in: 3599
refresh_token: <refresh token>
类似地,如果我在使用客户端之前登录到授权服务器,它也会起作用:
Prepared outgoing EndUserAuthorizationRequestC (2.0) message for http://localhost:61814/authorize:
client_id: localhost36618
redirect_uri: http://localhost:36618/login?redirectURL=%2FProfile
state: <state token>
scope: authentication
response_type: code
Processing incoming EndUserAuthorizationSuccessAuthCodeResponse (2.0) message:
code: <authorization code>
state: <state token>
redirectURL: /Profile
Prepared outgoing AccessTokenAuthorizationCodeRequestC (2.0) message for http://localhost:61814/token:
code: <authorization code>
redirect_uri: http://localhost:36618/login?redirectURL=%2FProfile
grant_type: authorization_code
Processing incoming AccessTokenSuccessResponse (2.0) message:
access_token: <access token>
token_type: bearer
expires_in: 3599
refresh_token: <refresh token>
OWIN授权服务器的OAuthAuthorizationServerProvider对成功的访问令牌授权代码请求执行以下方法:
- 提供者.匹配终结点
- Provider.OnValidateClientAuthentication
- AuthorizationCodeProvider.Receive
- Provider.OnValidateTokenRequest
- 提供者授权代码
- Provider.OnTokenEndpoint
- AccessTokenProvider.OnCreate
- RefreshTokenProvider.OnCreate
- Provider.OnTokenEndpointResponse
然而,不成功的访问令牌授权码请求只涉及以下方法:
- 提供者.匹配终结点
- Provider.OnValidateClientAuthentication
- AuthorizationCodeProvider.Receive
AuthorizationCodeProvider.OnReceive具有以下实现:
private void ReceiveAuthenticationCode(AuthenticationTokenReceiveContext context)
{
try
{
string ticket = _repo.RemoveTicket(context.Token);
if (!string.IsNullOrEmpty(ticket))
{
context.DeserializeTicket(ticket);
}
}
catch (Exception ex)
{
var wrapper = new Exception("Receive Authentication Code Error", ex);
Logger.Error(wrapper);
}
}
在调试器中,我可以看到一个有效的Token,从_repo成功检索到序列化的Ticket,以及在方法完成之前上下文对象中的反序列化Ticket。没有引发异常。成功请求和失败请求之间的流看起来是相同的,所以我不清楚失败的是什么,诊断工具事件日志在请求处理过程中没有显示任何异常,只是在ReceiveAuthenticationCode完成后线程退出。
问题似乎出在我的测试客户端上,因为我能够使用Brent Shaffer的OAuth2 Demo PHP实时演示重现完全相同的问题。
测试客户端基于DotNetOpenAuth:
private static class Client
{
public const string Id = "username";
public const string Secret = "password";
}
private static class Paths
{
public const string AuthorizationServerBaseAddress = "http://localhost:61814";
public const string ResourceServerBaseAddress = "http://localhost:61814";
public const string AuthorizePath = "/authorize";
public const string TokenPath = "/token";
public const string ResourceServerApiMethodPath = "/getaccount";
}
public ActionResult Login(string code = "", string redirectURL = "/profile")
{
var authorizationServerUri = new Uri(Paths.AuthorizationServerBaseAddress);
var authorizationServer = new AuthorizationServerDescription
{
AuthorizationEndpoint = new Uri(authorizationServerUri, Paths.AuthorizePath),
TokenEndpoint = new Uri(authorizationServerUri, Paths.TokenPath)
};
var client = new WebServerClient(authorizationServer, Client.Id, Client.Secret);
if (!string.IsNullOrEmpty(code))
{
var apiResponse = null;
var authorizationState = client.ProcessUserAuthorization();
if (!string.IsNullOrEmpty(authorizationState?.AccessToken))
apiResponse = GetApiResponse(authorizationState, Paths.ResourceServerApiMethodPath);
if (apiResponse != null)
{
var identity = new ClaimsIdentity(new[] { new Claim("test", apiResponse),
new Claim(ClaimTypes.Role, "ResourceOwner")
}, "ApplicationCookie");
AuthMgr.SignIn(new AuthenticationProperties { IsPersistent = true }, identity);
return Redirect(redirectURL);
}
}
else
{
client.RequestUserAuthorization();
}
return View();
}
知道我对DotNetOpenAuth可能做错了什么吗?为什么我在服务器端看不到无效请求?
我解决了。获取access_token不要使用网络客户端。ProcessUserAuthorization(Request)方法。
using (var client = new HttpClient())
{
var uri = new Uri($"http://localhost:24728/ClientAuthorization?tourl={tourl}");
var httpContent = new FormUrlEncodedContent(new Dictionary<string, string>()
{
{"code", code},
{"redirect_uri", uri.AbsoluteUri},
{"grant_type","authorization_code"},
{"client_id", ClientStartupProfile.Client.ClientId},
{"client_secret", ClientStartupProfile.Client.Secret}
});
var response = await client.PostAsync(ClientStartupProfile.AuthorizationServer.TokenUri, httpContent);
var authorizationState = await response.Content.ReadAsAsync<AuthorizationState>();
//判断access_token 是否获取成功
if (!string.IsNullOrWhiteSpace(authorizationState.AccessToken))
Response.Cookies.Add(new System.Web.HttpCookie("access_token", authorizationState.AccessToken));
return Redirect(tourl);
}