Dotnet core security oauth and bearer

2018-06-07 06:54:24

I'm trying to secure a small dot net core mvc and api application and I've gotten turned around and need a little direction.

I've got to use ADFS 3.0 Server2012 R2 as the source of login/password.

I have to use versioning in the API. (Microsft.aspnetcore.mvc.versioning)

I don't want to send a login/password to API, just a bearer token.

I configured cookieauthentication and OAuth against the ADFS endpoint and it works fine for the mvc ui, but I don't know how/what to do to get the API to work with httpclient from the mvc ui controller to the API.

Long ago I used IdentityServer 1 or maybe 2 and used bearer tokens but I couldn't figure out how to create a token in the OnCreatingTicket in the OAuth event and not sure where to store it. I tried a claim, but it didn't work so it might be malformed or simply wrong.

I am unsure if my issue warrants using something like IdentityServer since the site is small and i don't need a user store, everything is in LDAP / ADFS.

Can I register three middleware peices, build a token from the oauth authentication, store it somewhere like a claim and pass it through the httpclient where its verified?

 app.UseCookieAuthentication(option);
 app.UseJwtBearerAuthentication(bearer);  //api
 app.UseOAuthAuthentication(adfsOption);  //mvc ui

inside the adfsOption build a token...

Everything I try gets
Message "A security error occurred"

The answer to my question is yes, its very straight forward. I'll post a gist later. My primary problem which was high jacking me was the httpclient didn't like my dev cert for ssl.

I'm still unsure if putting the token in a claim is ok. The cookie and oauth invalidate it every 15 minutes and refresh it, but randomly getting a refresh token would be very difficult.

adding this very bad code allowed it to check my token and it worked as expected.

 handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };

链接地址: http://www.djcxy.com/p/22348.html

上一篇: ASP.NET Core 2.0身份验证中间件

下一篇: Dotnet核心安全oauth和承载