OAuth 2.0 for MVC, Two Legged Implementation
OAuth 2.0 for MVC, Two Legged Implementation
OAuth 1.0 was one complicated beast. The OAuth 2.0 spec greatly simplified things, but that also had the wonderful side effect of rending all of our old OAuth 1.0 code obsolete. They say that "the only thing a pioneer gets is an arrow in the back," I disagree, I say "the thing that only a pioneer gets to have is an adventure."
For example, I got to help write this wonderful, cutting edge, open source, OAuth 2.0 implementation for MVC!
OAuth 2.0 Overview
OAuth is all about tokens. You start by getting a Request Token from the server, and then using that to secure your login information. When you have successfully logged in you will be given a role/permission specific Access Token, you will then submit this token with all of your future requests. You will also get a Refresh Token with your Access Token. Once your Access Token has expired, you can then submit your Refresh Token to get a new pair of Access and Request Tokens.
Two Legged vs Three Legged
A two legged implementation is rather straight forward, you log into the server you are trying to access. A three legged implementation allows you to gain access to a resource by authentication with a third party server. For the time being this project only supports two legged authentication.
Implementation
You must implement four classes to use this library:
- OAuthIdentityBase
- OAuthPrincipalBase
- OAuthProviderBase
- OAuthServiceBase
The first three are very small classes, requiring only a few short lines of code. The Service is the work horse where most of your code will go, but even then it only requires the implementation of four methods.
public abstract class OAuthServiceBase : ProviderBase, IOAuthService{ public static IOAuthService Instance { get; set; } public abstract OAuthResponse RequestToken(); public abstract OAuthResponse AccessToken(string requestToken, string grantType, string userName,string password, bool persistent); public abstract OAuthResponse RefreshToken(string refreshToken); public abstract bool UnauthorizeToken(string token);} |
Then of course you will need to update your Web.config:
<configuration> <configSections> <section name="oauth" type="OAuth2.Mvc.Configuration.OAuthSection, OAuth2.Mvc, Version=1.0.0.0, Culture=neutral"/> </configSections> <oauth defaultProvider="DemoProvider" defaultService="DemoService"> <providers> <add name="DemoProvider" type="OAuth2.Demo.OAuth.DemoProvider, OAuth2.Demo" /> </providers> <services> <add name="DemoService" type="OAuth2.Demo.OAuth.DemoService, OAuth2.Demo" /> </services> </oauth> <system.web> <httpModules> <add name="OAuthAuthentication" type="OAuth2.Mvc.Module.OAuthAuthenticationModule, OAuth2.Mvc, Version=1.0.0.0, Culture=neutral"/> </httpModules> </system.web></configuration> |
Securing Your Pages
That's the easy part, just add the MVC Authorize Attribute to any actions or controllers that you want to secure.
public class HomeController : Controller{ public ActionResult Index() { return View(); } [Authorize] public ActionResult Secure() { return View(); }} |
The Demo Project in Action
1.
2.
3.
4.
The Demo API in Action
- /oauth/requesttoken
- Request Params
- None
- Result
- RequestToken = a028f1895cc548af9de744f63d283f6e
- Expires = 300
- Success = true
- Request Params
- /oauth/accesstoken
- Request Params
- oauth_token = a028f1895cc548af9de744f63d283f6e
- username = tom
- password = c4e5995d4cb8b26970336b956054ac1be9cc50b3
- Result
- AccessToken = 3b23ee5f128a45c88e657ecc74c41bbc
- Expires = 300
- RefreshToken = 85126a53bca940f1ae7c9d797f63a274
- Success = true
- Request Params
- /oauth/refreshtoken
- Request Params
- refreshToken = 85126a53bca940f1ae7c9d797f63a274
- Result
- AccessToken = 8cfc317af6ed45b2b065a8fa5da3ba81
- Expires = 300
- RefreshToken = d0b4a8898d974e939ca83b55cfeabcac
- Success = true
- Request Params
- /oauth/unauthorize
- Request Params
- oauth_token = 8cfc317af6ed45b2b065a8fa5da3ba81
- Result
- Success = true
- Request Params
Additional Resources
Happy authenticating!
~ Tom
OAuth 2.0 for MVC, Two Legged Implementation的更多相关文章
- The OAuth 2.0 Authorization Framework-摘自https://tools.ietf.org/html/rfc6749
Internet Engineering T ...
- OAuth 2.0 Authorization Framework RFC
Internet Engineering Task Force (IETF) D. Hardt, Ed.Request for Comments: 6749 MicrosoftObsoletes: 5 ...
- The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization Framework Abstract The OAuth 2.0 authorization framework enables a thi ...
- Spring Security OAuth 2.0
续·前一篇<OAuth 2.0> OAuth 2.0 Provider 实现 在OAuth 2.0中,provider角色事实上是把授权服务和资源服务分开,有时候它们也可能在同一个应用中, ...
- [转]An introduction to OAuth 2.0 using Facebook in ASP.NET Core
本文转自:http://andrewlock.net/an-introduction-to-oauth-2-using-facebook-in-asp-net-core/ This is the ne ...
- 谈谈基于OAuth 2.0的第三方认证 [下篇]
从安全的角度来讲,<中篇>介绍的Implicit类型的Authorization Grant存在这样的两个问题:其一,授权服务器没有对客户端应用进行认证,因为获取Access Token的 ...
- 谈谈基于OAuth 2.0的第三方认证 [中篇]
虽然我们在<上篇>分别讨论了4种预定义的Authorization Grant类型以及它们各自的适用场景的获取Access Token的方式,我想很多之前没有接触过OAuth 2.0的读者 ...
- OAuth 2.0 开发完全详解
--------------------------基础篇------------------------------- I:OAuth 2.0 概述 首先大家来看看国内新浪跟腾讯这两大头对OAuth ...
- IdentityServer4 实现 OpenID Connect 和 OAuth 2.0
关于 OAuth 2.0 的相关内容,点击查看:ASP.NET WebApi OWIN 实现 OAuth 2.0 OpenID 是一个去中心化的网上身份认证系统.对于支持 OpenID 的网站,用户不 ...
随机推荐
- 纯CSS美化的checkbox 和 radio
html <!DOCTYPE HTML> <html> <head> <title>纯CSS3实现自定义美化复选框和单选框</title> ...
- phpadmin
一晚上都在调试数据库,都要疯了,整理如下: 0.Apache服务器的443端口与VMware的冲突,所以要更改配置文件.设为440就可以(这个随意). 1.因为要远程访问,默认密码为空,所以首先给ro ...
- Android4.0中蓝牙适配器state machine(状态机)的分析
今天晓东和大家来一起看一下Android4.0中蓝牙适配器(Bluetooth Adapter)的状态机变化的过程.首先,我们需要了解一下,蓝牙适配器究竟有哪些状态,从代码可以清晰地看到(framew ...
- Linux开发环境配置
配置JDK: tar -xzvf jdk-7u71-linux-x64.tar.gz rm -f jdk-7u71-linux-x64.tar.gz 测试:java -version 配置Grad ...
- 使用bat批处理命令打包maven项目
使用批处理命令打包java项目,给我们发布war或jar包带来了很大的便利,附上代码,以作留存. ::huap-parent ::common-parent ::market-parent ::cus ...
- 随机抽样一致性算法(RANSAC)
本文翻译自维基百科,英文原文地址是:http://en.wikipedia.org/wiki/ransac,如果您英语不错,建议您直接查看原文. RANSAC是"RANdom SAmple ...
- Struts2 实现文件上传
单个文件上传 关于如何创建Struts2项目:Struts2 初体验. 一.创建jsp页面: 注意!要上传文件,表单必须添加 enctype 属性,如下: enctype="multipa ...
- Node.js服务的重启与监控
开始:Node +服务文件名 停止:直接快捷键Ctrl+C 监控:1.安装 npm install supervisor -g, 2.supervisor app.js 参考:http://blog. ...
- 轻松解决ubuntu系统引导问题
什么是ppa PPA,表示 Personal Package Archives,也就是个人软件包集. 有很多软件因为种种原因,不能进入官方的 Ubuntu 软件仓库. 为了方便 Ubuntu 用户使用 ...
- javascript 数据结构和算法读书笔记 > 第一章 javascript的编程环境和模型
1.变量的声明和初始化 必须使用关键字 var,后跟变量名,后面还可以跟一个赋值表达式. var name; var age = 5; var str = 'hello'; var flg = fal ...