我们正在使用 OWIN 的 Bearer Token 为 Web Api 和 Mobile Api 构建服务器。两者的验证要求是不同的。
这是Owin配置:
/// <summary>
/// OWIN startup entry point: maps SignalR and then adds the OAuth / bearer-token middleware.
/// </summary>
/// <param name="app">The OWIN application builder supplied by the host.</param>
/// <remarks>
/// OWIN middleware executes in registration order. NOTE(review): because SignalR is mapped
/// before <c>ConfigureOAuth</c> runs, requests handled by the SignalR branch presumably never
/// reach the bearer middleware registered there — confirm whether hub connections are meant
/// to be authenticated by bearer tokens.
/// </remarks>
public void Configuration(IAppBuilder app)
{
    app.MapSignalR();
    ConfigureOAuth(app);
}
/// <summary>
/// Registers two OAuth authorization servers, each paired with a bearer-token authentication
/// middleware: one issuing tokens at <c>/Api/Token</c> (8-minute lifetime) and one at
/// <c>/Mobile/Token</c> (20-minute lifetime).
/// </summary>
/// <param name="app">The OWIN application builder.</param>
/// <remarks>
/// NOTE(review): neither options object sets <c>AuthenticationType</c> or
/// <c>AccessTokenFormat</c>, so both pipelines run with the library defaults. Nothing in this
/// method makes a token issued by one endpoint distinguishable from, or unusable at, the other;
/// confirm whether the two token sets are meant to be interchangeable.
/// </remarks>
public void ConfigureOAuth(IAppBuilder app)
{
    // Both pipelines have the same shape; only the path, provider and lifetime differ.
    // Registration order (Api first, then Mobile) is significant in OWIN and is kept as-is.
    OAuthAuthorizationServerOptions[] pipelines =
    {
        new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Api/Token"),
            Provider = new ApplicationOAuthProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(8),
            // Permits the token endpoint to be used over plain HTTP. Credentials and bearer
            // tokens sent without TLS are readable in transit, so this belongs only in local
            // development configurations.
            AllowInsecureHttp = true,
        },
        new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Mobile/Token"),
            Provider = new MobileOAuthProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            // Same caveat as above: plain-HTTP token issuance is for development only.
            AllowInsecureHttp = true,
        },
    };

    foreach (OAuthAuthorizationServerOptions options in pipelines)
    {
        // Adds the authorization server plus the matching bearer-token authentication
        // middleware for this set of options.
        app.UseOAuthBearerTokens(options);
    }
}
这是路由:
/// <summary>
/// Web API configuration: registers the <c>Api/...</c> and <c>Mobile/...</c> routes and
/// restricts authentication to the bearer-token identity produced by the OWIN pipeline.
/// </summary>
public class WebApiConfig
{
    /// <summary>
    /// Registers routes and authentication filters on <paramref name="config"/>.
    /// </summary>
    /// <param name="config">The Web API configuration to populate.</param>
    public static void Register(HttpConfiguration config)
    {
        // Routes are matched in registration order; the Api route is registered first.
        MapPrefixedRoute(config, "DefaultApi", "Api");
        MapPrefixedRoute(config, "MobileApi", "Mobile");

        // Discard any principal established before the request reaches Web API (by IIS or
        // by OWIN middleware) so that only the filter below decides who the caller is.
        config.SuppressDefaultHostAuthentication();

        // Re-admit only the OWIN identity of the bearer authentication type.
        // NOTE(review): a single filter type means both the Api and Mobile token pipelines
        // must produce this same authentication type to be accepted by [Authorize] anywhere
        // in this application — confirm that is the intended separation.
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
    }

    /// <summary>
    /// Adds a <c>{prefix}/{controller}/{id}</c> route whose <c>id</c> segment is optional.
    /// </summary>
    /// <param name="config">The Web API configuration holding the route table.</param>
    /// <param name="name">Unique route name.</param>
    /// <param name="prefix">Leading path segment (for example <c>Api</c>).</param>
    private static void MapPrefixedRoute(HttpConfiguration config, string name, string prefix)
    {
        config.Routes.MapHttpRoute(
            name: name,
            routeTemplate: prefix + "/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );
    }
}
API控制器:
/// <summary>
/// Web Api endpoint returning an employee's leave balance. Every action requires an
/// authenticated caller ([Authorize]).
/// </summary>
[Authorize]
public class EmployeeLeaveBalanceController : ApiBaseController
{
    public EmployeeLeaveBalanceController()
        : base()
    {
    }

    /// <summary>
    /// GET handler: checks that <paramref name="payrollName"/> resolves to a payroll, then
    /// returns the leave balance for <paramref name="employeeNumber"/>.
    /// </summary>
    /// <param name="payrollName">
    /// Payroll identifier taken from the query string; must be resolvable by
    /// <c>UploadHelper.GetPayroll</c>.
    /// </param>
    /// <param name="employeeNumber">
    /// Employee number taken from the query string and handed to the model unchanged.
    /// NOTE(review): not validated in this controller — confirm the model rejects
    /// null, empty or unknown values.
    /// </param>
    /// <returns>
    /// The model's result, or an <c>ApiResult</c> carrying <c>InvalidParameter</c> when the
    /// payroll is unknown and <c>UnexceptedError</c> when any exception occurs.
    /// </returns>
    [System.Web.Http.HttpGet]
    public ApiResult GetLeaveBalance([FromUri] string payrollName, [FromUri] string employeeNumber)
    {
        try
        {
            SetContext(null);

            ApiResult invalid = ValidateParameter(payrollName);
            if (invalid != null)
            {
                return invalid;
            }

            return new EmployeeLeaveBalanceModel().GetLeaveBalance(payrollName, employeeNumber);
        }
        catch
        {
            // Every failure is reported as a generic error so that internal details are not
            // returned to the caller. The exception itself is not recorded anywhere here.
            return new ApiResult().SetMessage(ApiResultMessage.UnexceptedError);
        }
    }

    /// <summary>
    /// Returns an <c>InvalidParameter</c> result when <paramref name="payrollName"/> does not
    /// resolve to a payroll; otherwise <c>null</c>.
    /// </summary>
    /// <param name="payrollName">Payroll identifier to look up.</param>
    private ApiResult ValidateParameter(string payrollName)
    {
        if (UploadHelper.GetPayroll(payrollName) == null)
        {
            return new ApiResult().SetMessage(ApiResultMessage.InvalidParameter);
        }

        return null;
    }
}
对于Mobile Api
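/// <summary>
/// Mobile Api endpoint returning the current user. Every action requires an authenticated
/// caller ([Authorize]).
/// </summary>
/// <remarks>
/// NOTE(review): the only host authentication filter registered in <c>WebApiConfig</c> is for
/// <c>OAuthDefaults.AuthenticationType</c>, so a token from <c>/Mobile/Token</c> must yield an
/// identity of that type for [Authorize] to pass here — confirm the mobile provider does so.
/// </remarks>
[Authorize]
public class UserController : MobileBaseController
{
    /// <summary>
    /// GET handler: establishes the request context and returns the user identified by
    /// <c>ApplicationContext.UserId</c>.
    /// </summary>
    /// <returns>The <see cref="UserMdo"/> for the current user.</returns>
    /// <remarks>
    /// Exceptions are intentionally not caught: the former <c>catch (Exception) { throw; }</c>
    /// re-threw everything unchanged, so they propagate to the Web API pipeline exactly as before.
    /// </remarks>
    [System.Web.Http.HttpGet]
    public UserMdo Get()
    {
        SetContext();
        UserModel model = new UserModel();
        return model.GetUser(ApplicationContext.UserId);
    }
}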
但是，访问 Mobile Controller 时我总是收到"未经授权"（Unauthorized）的响应，Api Controller 也停止工作了。我遗漏了什么吗？控制器如何知道承载令牌属于 Web Api 还是 Mobile Api？我认为这正是问题所在。
此代码用于获取令牌并将其用于身份验证