Short Version:
I need to pass and verify the OWIN bearing token as a query parameter rather than in the request header.
How do I then get the method to authorized based on that token string?
Background:
I want to call a webapi method to download a file as a stream (and never want the user to download it from a known file location).
I can't get this to work if I also need to set a custom Request header i.e. the bearer token.
I should be able to pass the token in the query string - but don't know how to get that token to then authenticate the user.
Do I need to filter? Do I need a special claim etc?
Does the webapi method need to include "access_token" as one of the function parameters?
I wrote about how that works here:
http://leastprivilege.com/2013/10/31/retrieving-bearer-tokens-from-alternative-locations-in-katanaowin/
For completeness, here's another neat solution.
Extract:
app.Use(async (context, next) =>
{
if (context.Request.QueryString.HasValue)
{
if (string.IsNullOrWhiteSpace(context.Request.Headers.Get("Authorization")))
{
var queryString = HttpUtility.ParseQueryString(context.Request.QueryString.Value);
string token = queryString.Get("access_token");
if (!string.IsNullOrWhiteSpace(token))
{
context.Request.Headers.Add("Authorization", new[] { string.Format("Bearer {0}", token) });
}
}
}
await next.Invoke();
});
or do it like this
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = IdentityConfig.Authority,
RequiredScopes = new[] { "api" },
TokenProvider = new OAuthBearerAuthenticationProvider
{
OnRequestToken = ctx =>
{
if (String.IsNullOrWhiteSpace(ctx.Token) && ctx.Request.QueryString.HasValue)
{
NameValueCollection parsedQuery = HttpUtility.ParseQueryString(ctx.Request.QueryString.Value);
ctx.Token = parsedQuery["access_token"];
}
return Task.FromResult(0);
}
}
});
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 乱世女痞 的文章《Passing and verifying the OWIN Bearer token in Que》','https://www.manongdao.com/article-327049.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}