前段時(shí)間隨意抽離了一部分代碼作為OAuth2的示例代碼,若干處會(huì)造成困擾,現(xiàn)說(shuō)明如下:
1 public class OAuthController : Controller 2 { 3 PRivate static string _authorizeUrl = ConfigurationManager.AppSettings["AuthorizeUrl"]; 4 private static string[] _queryParameters = new string[] { "client_id", "redirect_uri", "state", "response_type", "scope" }; 5 private readonly AuthorizationServer _authorizationServer = new AuthorizationServer(new OAuth2AuthorizationServer()); 6 7 [AcceptVerbs(HttpVerbs.Get)] 8 public ActionResult Authorize(string userkey) 9 {10 var pendingRequest = this._authorizationServer.ReadAuthorizationRequest(Request);11 if (pendingRequest == null)12 {13 throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request.");14 }15 16 if (string.IsNullOrEmpty(userkey))17 {18 string url = _authorizeUrl, callback = Request.Url.GetLeftPart(Uripartial.Path);19 StringBuilder querystring = new StringBuilder(string.Format("client_id={0}&", HttpUtility.UrlEncode(this.Request.QueryString["client_id"]))), callbackQuery = new StringBuilder();20 foreach (string key in this.Request.QueryString.Keys)21 {22 if (!_queryParameters.Contains(key))23 querystring.Append(string.Format("{0}={1}&", key, HttpUtility.UrlEncode(this.Request.QueryString[key])));24 else25 callbackQuery.Append(string.Format("{0}={1}&", key, HttpUtility.UrlEncode(this.Request.QueryString[key])));26 }27 if (callbackQuery.Length > 0)28 {29 callback += ("?" + callbackQuery.ToString().TrimEnd('&'));30 querystring.Append(string.Format("callback={0}&", HttpUtility.UrlEncode(callback)));31 }32 if (querystring.Length > 0)33 {34 url += ("?" + querystring.ToString().TrimEnd('&'));35 }36 return Redirect(url);37 }38 else39 {40 using (var db = new OAuthDbContext())41 {42 var client = db.Clients.FirstOrDefault(o => o.ClientIdentifier == pendingRequest.ClientIdentifier);43 if (client == null)44 throw new AuthorizeException("40143", "不受信任的商戶");45 else46 {47 var user = DESCrypt.Decrypt(userkey, client.ClientSecret);48 var approval = this._authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, user);49 var response = this._authorizationServer.Channel.PrepareResponse(approval);50 return response.AsActionResult();51 }52 }53 }54 }55 56 public ActionResult Index()57 {58 ViewBag.Body = "Welcome To OAuth2.0";59 return View();60 }61 }
這是授權(quán)服務(wù)端的主要代碼。AuthorizeUrl和userkey分別表示什么意思?
這里涉及到我所在公司的具體情況,簡(jiǎn)單地說(shuō),用戶授權(quán)的具體邏輯是由另外單獨(dú)的站點(diǎn)(AuthorizeUrl表示,為方便描述,稱(chēng)為A站點(diǎn))引導(dǎo),所以這里的代碼主要起到一個(gè)跳轉(zhuǎn)的作用。我們看DotNetOpenAuth的官方Demo,會(huì)發(fā)現(xiàn)授權(quán)服務(wù)端有登錄頁(yè)面、授權(quán)頁(yè)面等等,其實(shí)本質(zhì)是一樣的,只是拆分成兩個(gè)站點(diǎn)。除了OAuth參數(shù),此處可能會(huì)傳遞其它參數(shù),所以使用_queryParameters來(lái)區(qū)分,并分別構(gòu)建兩部分查詢字符串,OAuth參數(shù)會(huì)附加到callback地址參數(shù)上,用戶授權(quán)后會(huì)從A站點(diǎn)跳回該地址(此處就是該action所表示的地址),然后返回瀏覽器授權(quán)碼。
關(guān)于userkey,大家看到有個(gè)解密的步驟(第47行),so,這肯定是考慮到安全問(wèn)題。公司的業(yè)務(wù)邏輯大多采用userid標(biāo)示用戶,為自增長(zhǎng)int類(lèi)型,用戶通過(guò)A站點(diǎn)授權(quán)后通過(guò)瀏覽器callback時(shí),userid可以在地址欄中被捕捉到,假如復(fù)制該地址并隨意更改userid值,就很有可能在對(duì)應(yīng)用戶未授權(quán)的情況下獲得其訪問(wèn)權(quán)限。所以我們不允許直接傳遞userid,而是經(jīng)過(guò)一層對(duì)稱(chēng)加密,這就是userkey的由來(lái)。如果授權(quán)邏輯并未拆分成獨(dú)立站點(diǎn),那么就不存在這種情況了。
后續(xù)我可能會(huì)再補(bǔ)充若干內(nèi)容,由于工作較忙,只對(duì)有朋友提出疑問(wèn)的地方做一說(shuō)明;若有其它問(wèn)題,請(qǐng)告知,我會(huì)不定期更新。
新聞熱點(diǎn)
疑難解答
圖片精選
網(wǎng)友關(guān)注
