All geek questions in one place

OAuth Token Icon Does Not Work

I have a minimal setup of an auth provider that sets claim identifiers

public class SimpleAuthorizationProvider : OAuthAuthorizationServerProvider { public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) { context.Validated(); } public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { if (context.UserName != context.Password) { context.SetError("invalid_grant", "The user name or password is incorrect."); return; } var identity = new ClaimsIdentity(context.Options.AuthenticationType); identity.AddClaim(new Claim("sub", context.UserName)); identity.AddClaim(new Claim("role", "user")); context.Validated(identity); } }

I am trying to access hello-world-api which gives an unauthorized access error.

 public class HelloWorldApiController : ApiController { [HttpGet] [Route("api/hello")] //[AllowAnonymous] [Authorize] public HttpResponseMessage FetchAllEnum() { return Request.CreateResponse(HttpStatusCode.OK, "Hello World!!!"); } }

But I get 401 / unauthorized access for the above API. I am returning the carrier token back to the web-api and I am also transferring it to the server as Bearer ABCD**** . I see that the authorization header is set when debugging in Visual Studio.

If I debug AuthorizeAttribute , I get user.Identity.IsAuthenticated as false , which actually causes the problem. But given that I see a set of authorization headers, and I asked the details of the claims in OAuthProvider , why doesn't it AuthorizeAttribute read this information?

Note. This is a web API project, so there are no references to the AuthorizeAttribute MVC attribute.

Here is the installation of OWIN:

 public static class WebApiConfig { public static HttpConfiguration Register() { var config = new HttpConfiguration(); config.MapHttpAttributeRoutes(); //config.SuppressDefaultHostAuthentication(); //tried with/without this line config.Filters.Add(new AuthorizeAttribute()); config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*")); return config; } } public class OwinConfiguration { // ReSharper disable once UnusedMember.Local public void Configuration(IAppBuilder app) { ConfigureOAuth(app); app.UseCors(CorsOptions.AllowAll); app.UseWebApi(WebApiConfig.Register()); } private void ConfigureOAuth(IAppBuilder app) { var options = new OAuthAuthorizationServerOptions { AllowInsecureHttp = true, TokenEndpointPath = new PathString("/token"), AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60), Provider = new SimpleAuthorizationProvider() }; app.UseOAuthAuthorizationServer(options); app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); } }
+6
source share
2 answers

to make it work config.Filters.Add(new HostAuthenticationAttribute("bearer")); , you must add this line beofre authorize attribute ...

 public static HttpConfiguration Register() { var config = new HttpConfiguration(); config.MapHttpAttributeRoutes(); config.Filters.Add(new HostAuthenticationAttribute("bearer")); //added this config.Filters.Add(new AuthorizeAttribute()); config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*")); return config; }
+4
source

Another possible solution that worked for me was not to use HostAuthenticationAttribute, but instead set the OWIN filter as the active filter as follows:

 var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = new JwtFormat(validationParameters), AuthenticationMode = AuthenticationMode.Active, };
+1
source

Source: https://habr.com/ru/post/987563/

More articles:


All Articles