我以VS2013 SPA模板为例,但没有使用Bearer代币(这可能是问题所在,但如果可能的话,我希望只使用cookie)。
以下是我的API控制器中相关操作方法的精简版本:
[HttpGet]
[AllowAnonymous]
public async Task<IHttpActionResult> ExternalLogin(string provider, string error = null)
{
if (!User.Identity.IsAuthenticated)
{
return new ChallengeResult(provider, this);
}
ExternalLoginData externalLogin = ExternalLoginData.FromIdentity(User.Identity as ClaimsIdentity);
// ...do stuff with externalLogin data
}
以下是请求的基本流程:
用户点击Facebook按钮,发送GET到/api/externaloin?provider=Facebook
User.Identity.IsAuthenticated返回false->返回401,中间件将其转换为302,并将"Location"标头设置为facebook登录页面
浏览器转到facebook登录页面(
https://www.facebook.com/dialog/oauth?response_type=code&client_id={myClientId}&redirect_uri=http%3A%2F%2Flocalhost%3A54819%2Fsignin-facebook&scope=user_birthday&state={someStateCode})用户通过Facebook登录->导致浏览器调用"redirect_uri",但现在查询字符串中有"code"one_answers"state"参数,即
http://localhost:54819/signin-facebook?code={someCode}&state={someStateCode}对"redirect_uri"的调用响应是一个302,位置标头设置回我的应用程序,还包含两个"设置Cookie"标头:
- 位置:
http://localhost:54819/api/en-gb/account/externallogin?provider=Facebook - 设置Cookie:.AspNet.Correlation.Facebook=;expires=1970年1月1日星期四00:00:00 GMT
- 设置Cookie:.AspNet.ExternalCookie=Rv01CHd2onYtN_MHw2Bt71JSaOP71uRk7AP6kSilnAg7djXMh5fbZxlRCPuZhy8inEF7ChNB261WVU3LGDuIaQmMXgz7tqXeNI-ji8qQFi2d64a720PbRVpWnkuHm2m8L87fkJAGQMJOku5gMrc0EZJfKNggjXiLv-cVo7PEzNch-CqcCPHP0KBo7tGhDTbgJt-RvTzkB1NL2JBc23eiaeda70oAW4P0Nyy j_i9mLUexHXz8Qooy9CBoLrN7Z198H_cawBfiMMF0tK1YFee2eH_TQxdmdKkUFVRz58EeIKyKUEEDswbQA9evPEHpD8BIlJPXi6R2scC44_INufXuKjHOt7LW3-PRkUGbEWCWOn4d1B4FkHR_xOHtRpGpIdZU14xJLLiyFYKR0XxJiRlRIph8KKYnZHy61wMOl2yznoFqq3rzHOGhZ1xXEKmUlByiawPbNpdS9pNZVSHlGMbiz0FsOf4_EVAKEXRQyxEbjBBXD_5Ne6f7SpBqE;路径=/;HttpOnly
- 位置:
然后,浏览器从步骤5(返回到我的应用程序)向Location标头中的URL发送GET请求,并使用以下cookie(根据上述"设置cookie"指令):
- Cookie:.AspNet.ExternalCookie=Rv01CHd2onYtN_MHw2Bt71JSaOP71uRk7AP6kSilnAg7djXMh5fbZxlRCPuZhy8inEF7ChNB261WVU3LGDuIaQmMXgz7tqXeNI-ji8qQFi2d64a720PbRVpWnkuHm2m8L87fkJAGQMJOku5gMrc0EZJfKNggjXiLv-cVo7PEzNch-CqcCPHP0KBo7tGhDTbgJt-RvTzkB1NL2JBc23eiaeda70oAW4P0Nyy j_i9mLUexHXz8Qooy9CBoLrN7Z198H_cawBfiMMF0tK1YFee2eH_TQxdmdKkUFVRz58EeIKyKUEEDswbQA9evPEHpD8BIlJPXi6R2scC44_INufXuKjHOt7LW3-PRkUGbEWCWOn4d1B4FkHR_xOHtRpGpIdZU14xJLLiyFYKR0XxJiRlRIph8KKYnZHy61wMOl2yznoFqq3rzHOGhZ1xXEKmUlByiawPbNpdS9pNZVSHlGMbiz0FsOf4_EVAKEXRQyxEbjBBXD_5Ne6f7SpBqE
问题:User.Identity.IsAuthenticated检查在此阶段返回False(事实上,User字段基本为空)
我本以为,假设AspNet.ExternalCookie肯定是在步骤6的请求中发送的,那么用户就可以通过身份验证了。
那么,有人知道中间件在这个阶段会寻找什么来解码/解密/反序列化cookie并使用户饱和吗???
这是启动。我有:
public void ConfigureAuth(IAppBuilder app)
{
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
//AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
AuthenticationType = Constants.AuthenticationTypes.MchAdminApplicationCookie,
SlidingExpiration = true,
ExpireTimeSpan = new TimeSpan(10, 0, 0)
});
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
//AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
AuthenticationType = Constants.AuthenticationTypes.MchApiApplicationCookie,
SlidingExpiration = true,
ExpireTimeSpan = new TimeSpan(10, 0, 0)
});
var facebook = new FacebookAuthenticationOptions
{
AppId = "mycode",
AppSecret = "mysecret",
AuthenticationType = "Facebook",
SignInAsAuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
Provider = new FacebookAuthenticationProvider
{
OnAuthenticated = async ctx =>
{
if (ctx.User["birthday"] != null)
{
ctx.Identity.AddClaim(new Claim(ClaimTypes.DateOfBirth, ctx.User["birthday"].ToString()));
}
}
}
};
facebook.Scope.Add("user_birthday");
app.UseFacebookAuthentication(facebook);
}
我遇到了同样的问题。您应该为ExternalLogin操作添加两个属性:
[OverrideAuthentication]
[HostAuthentication(DefaultAuthenticationTypes.ExternalCookie)]