我们正在使用 OWIN 的 Bearer Token 为 Web Api 和 Mobile Api 构建服务端。两者的验证要求并不相同。

这是Owin配置:

/// <summary>
/// OWIN startup entry point: maps SignalR and then wires the OAuth /
/// bearer-token middleware into the pipeline.
/// </summary>
/// <param name="app">The OWIN application builder supplied by the host.</param>
public void Configuration(IAppBuilder app)
    {
        // SignalR first, OAuth second — the registration order is kept as in
        // the original because OWIN middleware runs in the order it is added.
        app.MapSignalR();

        this.ConfigureOAuth(app);
    }

    /// <summary>
    /// Registers two OAuth authorization servers and their bearer-token
    /// authentication middleware: the Web Api token endpoint at /Api/Token and
    /// the Mobile Api token endpoint at /Mobile/Token.
    /// </summary>
    /// <param name="app">The OWIN application builder.</param>
    /// <remarks>
    /// NOTE(review): neither options object sets <c>AuthenticationType</c>, so
    /// both bearer middlewares are registered under the default type
    /// (<c>OAuthDefaults.AuthenticationType</c>). As far as this method shows,
    /// nothing ties an issued token to the endpoint that issued it — verify
    /// whether a token obtained from one endpoint is accepted by the other.
    /// NOTE(review): <c>AllowInsecureHttp = true</c> lets the token endpoints
    /// hand out bearer tokens over plain HTTP; restrict that to development.
    /// </remarks>
    public void ConfigureOAuth(IAppBuilder app)
    {
        // Web Api: 8-minute access tokens issued at /Api/Token.
        // (A refresh-token provider was commented out in the original and is
        // still not wired up here.)
        var webApiOptions = BuildServerOptions("/Api/Token", new ApplicationOAuthProvider(), 8);
        app.UseOAuthBearerTokens(webApiOptions);

        // Mobile Api: 20-minute access tokens issued at /Mobile/Token.
        var mobileOptions = BuildServerOptions("/Mobile/Token", new MobileOAuthProvider(), 20);
        app.UseOAuthBearerTokens(mobileOptions);
    }

    /// <summary>
    /// Builds the authorization-server options both endpoints share: token
    /// endpoint path, provider, access-token lifetime, and insecure HTTP allowed.
    /// </summary>
    /// <param name="tokenPath">Request path of the token endpoint.</param>
    /// <param name="provider">Provider that validates clients and credentials.</param>
    /// <param name="lifetimeMinutes">Access-token lifetime in minutes.</param>
    /// <returns>The populated <see cref="OAuthAuthorizationServerOptions"/>.</returns>
    private static OAuthAuthorizationServerOptions BuildServerOptions(
        string tokenPath, IOAuthAuthorizationServerProvider provider, int lifetimeMinutes)
    {
        return new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString(tokenPath),
            Provider = provider,
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(lifetimeMinutes),
            AllowInsecureHttp = true,
        };
    }

这是路由:

/// <summary>
/// Web API configuration: the route tables for the "Api" and "Mobile"
/// prefixes plus the bearer-token-only authentication setup.
/// </summary>
public class WebApiConfig
{
    /// <summary>
    /// Registers both routes and the host authentication filter.
    /// </summary>
    /// <param name="config">The Web API configuration to populate.</param>
    public static void Register(HttpConfiguration config)
    {
        MapApiRoute(config, "DefaultApi", "Api/{controller}/{id}");
        MapApiRoute(config, "MobileApi", "Mobile/{controller}/{id}");

        // Drop any principal established before the request reaches Web API
        // (by IIS or by OWIN middleware) so that only the filter below decides
        // who the caller is.
        config.SuppressDefaultHostAuthentication();

        // Authenticate inside Web API using the bearer scheme only.
        // NOTE(review): one filter with the default authentication type covers
        // both the /Api and /Mobile routes; nothing here distinguishes which
        // token endpoint issued the token — confirm that is intended.
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
    }

    /// <summary>
    /// Maps one "{prefix}/{controller}/{id}" style route with an optional id.
    /// </summary>
    /// <param name="config">The configuration whose route table is extended.</param>
    /// <param name="name">Unique route name.</param>
    /// <param name="template">Route template, e.g. "Api/{controller}/{id}".</param>
    private static void MapApiRoute(HttpConfiguration config, string name, string template)
    {
        config.Routes.MapHttpRoute(
            name: name,
            routeTemplate: template,
            defaults: new { id = RouteParameter.Optional });
    }
}

API控制器:

/// <summary>
/// Web Api endpoint exposing employee leave balances; every action requires
/// an authenticated caller.
/// </summary>
/// <remarks>
/// NOTE(review): both System.Web.Http and System.Web.Mvc define an
/// <c>AuthorizeAttribute</c>, and the MVC one has no effect on a Web API
/// controller. <c>HttpGet</c> below is namespace-qualified, which suggests
/// both namespaces may be in scope — confirm <c>[Authorize]</c> resolves to
/// the System.Web.Http one.
/// </remarks>
[Authorize]
public class EmployeeLeaveBalanceController : ApiBaseController
{
    public EmployeeLeaveBalanceController()
        : base()
    {
    }

    /// <summary>
    /// Returns the leave balance of one employee within a payroll.
    /// </summary>
    /// <param name="payrollName">Payroll name; must resolve via <c>UploadHelper.GetPayroll</c>.</param>
    /// <param name="employeeNumber">Employee identifier; handed to the model without validation here.</param>
    /// <returns>
    /// The model's result; an <c>InvalidParameter</c> result when the payroll
    /// is unknown; an <c>UnexceptedError</c> result when anything throws.
    /// </returns>
    [System.Web.Http.HttpGet]
    public ApiResult GetLeaveBalance([FromUri] string payrollName, [FromUri] string employeeNumber)
    {
        try
        {
            // presumably initialises the request/user context on the base
            // controller — the argument's meaning is not visible here.
            SetContext(null);

            var validationFailure = ValidateParameter(payrollName);
            if (validationFailure != null)
            {
                return validationFailure;
            }

            return new EmployeeLeaveBalanceModel().GetLeaveBalance(payrollName, employeeNumber);
        }
        catch
        {
            // Every exception collapses into one generic result so the caller
            // sees no details. NOTE(review): nothing is logged on this path,
            // which makes server-side failures hard to diagnose.
            return new ApiResult().SetMessage(ApiResultMessage.UnexceptedError);
        }
    }

    /// <summary>
    /// Checks that <paramref name="payrollName"/> names a payroll known to
    /// <c>UploadHelper</c>.
    /// </summary>
    /// <param name="payrollName">The payroll name supplied by the caller.</param>
    /// <returns><c>null</c> when the payroll exists, otherwise an <c>InvalidParameter</c> result.</returns>
    private ApiResult ValidateParameter(string payrollName)
    {
        if (UploadHelper.GetPayroll(payrollName) == null)
        {
            return new ApiResult().SetMessage(ApiResultMessage.InvalidParameter);
        }

        return null;
    }
}

对于 Mobile Api：

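/// <summary>
/// Mobile Api endpoint returning the calling user's record; requires an
/// authenticated caller.
/// </summary>
/// <remarks>
/// NOTE(review): confirm <c>[Authorize]</c> resolves to
/// <c>System.Web.Http.AuthorizeAttribute</c>; the System.Web.Mvc attribute of
/// the same name is ignored by Web API controllers.
/// </remarks>
[Authorize]
public class UserController : MobileBaseController
{
    #region Get
    /// <summary>
    /// Returns the user identified by <c>ApplicationContext.UserId</c>.
    /// </summary>
    /// <returns>The user returned by <c>UserModel.GetUser</c>.</returns>
    /// <remarks>
    /// Exceptions propagate to the Web API pipeline. The original wrapped the
    /// body in a <c>catch (Exception) { throw; }</c> that only rethrew, which
    /// changes nothing; it is removed rather than turned into an error result
    /// because the return type is <c>UserMdo</c>, not a result wrapper.
    /// </remarks>
    [System.Web.Http.HttpGet]
    public UserMdo Get()
    {
        // presumably populates ApplicationContext for this request — verify on
        // MobileBaseController.
        SetContext();

        var model = new UserModel();
        return model.GetUser(ApplicationContext.UserId);
    }
    #endregion
}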

但是，访问 Mobile Controller 时，我总是收到 Unauthorized（未授权）响应，Api Controller 也不再工作了。我是否遗漏了什么？控制器如何知道一个 Bearer Token 属于 Web Api 还是 Mobile Api？我认为这正是问题所在。

此代码用于获取令牌并将其用于身份验证