ASP.NET Web API and OpenID Connect: how to get Access Token from Authorization Code
I try to get OpenID Connect running... A user of my Web API managed to get an Authorization Code of a OpenID Connect Provider. How am I supposed to pass this code to my ASP.NET
-
You need to bypass the default owin validation to do custom Authorization:
new OpenIdConnectAuthenticationOptions { ..., TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters { ValidateIssuer = false },讨论(0) -
Looks like the recommended approach is to use the
AuthorizationCodeReceivedevent to exchange the Auth code for an Access Token. Vittorio has a blog entry that outlines the overall flow.Here's an example from this sample app on GitHub of the
Startup.Auth.cscode to set this up:app.UseOpenIdConnectAuthentication( new OpenIdConnectAuthenticationOptions { ClientId = clientId, Authority = Authority, Notifications = new OpenIdConnectAuthenticationNotifications() { AuthorizationCodeReceived = (context) => { var code = context.Code; ClientCredential credential = new ClientCredential(clientId, appKey); string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value; string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value; AuthenticationContext authContext = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantID), new EFADALTokenCache(signedInUserID)); AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode( code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceID); return Task.FromResult(0); }, ... }Note: The
AuthorizationCodeReceivedevent is invoked only once when authorization really takes place. If the auth code is already generated and stored, this event is not invoked. You have to logout or clear cookies to force this event to take place.讨论(0) -
BenV already answered the question, but there's more to consider.
class partial Startup { public void ConfigureAuth(IAppBuilder app) { // ... app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions { ClientId = clientId, Authority = authority, Notifications = new OpenIdConnectAuthenticationNotifications() { AuthorizationCodeReceived = (context) => { string authorizationCode = context.Code; // (tricky) the authorizationCode is available here to use, but... return Task.FromResult(0); } } } } }Two problems:
- First of all,
authorizationCodewill get expired quickly. There's no sense in storing it. - The second problem is that
AuthorizationCodeReceivedevent will not get fired for any of the page reloads as long as authorizationCode is not expired and stored inside the session.
What you need to do is to call
AcquireTokenByAuthorizationCodeAsyncwhich will cache it and handle properly insideTokenCache.DefaultShare:AuthorizationCodeReceived = (context) => { string authorizationCode = context.Code; AuthenticationResult tokenResult = await context.AcquireTokenByAuthorizationCodeAsync(authorizationCode, new Uri(redirectUri), credential); return Task.FromResult(0); }Now, before every call to the resource, invoke
AcquireTokenSilentAsyncto get the accessToken (it will use TokenCache or silently use refreshToken ). If token is expired, it will raiseAdalSilentTokenAcquisitionExceptionexception (invoke access code renew procedure).// currentUser for ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier") AuthenticationResult authResult = await context.AcquireTokenSilentAsync(resourceUri, credential, currentUser);Calling
AcquireTokenSilentAsyncis very fast if token is cached.讨论(0) - First of all,
加载中...
- 热议问题