I'm trying to secure my WebAPI project with authorization tokens. I don't wanna use cookies, I want to only use the Authorization header like this: Authorization: Bearer xxx_access_or_id_token_xxx. I'm using OneLogin OIDC as external provider. Here's my Startup.cs:
using System.Configuration;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Microsoft.Owin.Security.Jwt;
using Owin;
using System.Web.Http;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Issuer and audience the bearer middleware should accept.
        var issuer = "https://openid-connect.onelogin.com/oidc/";
        var audience = ConfigurationManager.AppSettings["OneLoginClientId"];
        // Client secret re-encoded as standard Base64 for the symmetric key provider.
        var secret = TextEncodings.Base64.Encode(
            TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["OneLoginClientSecret"]));

        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            AllowedAudiences = new[] { audience },
            IssuerSecurityTokenProviders = new[] { new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret) }
        });

        HttpConfiguration httpConfig = new HttpConfiguration();
        WebApiConfig.Register(httpConfig);
        app.UseWebApi(httpConfig);
    }
}
Also I have controllers:
using System.Web.Http;

public class ValueController : ApiController
{
    // Reachable without a token.
    [HttpGet]
    [AllowAnonymous]
    public string NotSecure()
    {
        return "Not secure";
    }

    // Requires a validated bearer token.
    [HttpGet]
    [Authorize]
    public string Secure()
    {
        return "Secure";
    }
}
Ok, now let's have OneLogin part.
After the Authentication Flow, I got 5 fields: access_token, expires_in, id_token (which is a JWT), refresh_token and token_type.
Using jwt.io I can parse my id_token and I have something like this:
Header:
{
    "alg": "RS256",
    "typ": "JWT",
    "kid": "xxx"
}
Payload:
{
    "sub": "33827172",
    "email": "john.smith@company.com",
    "name": "John Smith",
    "iat": 1515083928,
    "exp": 1515091128,
    "aud": "onelogin_client_id",
    "iss": "https://openid-connect.onelogin.com/oidc"
}
I'm trying to send a request to my API with an Authorization token. I've tried to send both the access_token and the id_token, but every time I call my secure actions I get a 401.
How do I fix this? Maybe there's something I missed?
Nuget:
Microsoft.Owin -v 3.1.0
Microsoft.Owin.* -v 3.1.0
System.IdentityModel.Tokens.Jwt -v 4.0.1
Ok, so the problem was in Signature. Here's how I made it work:
And here's Startup.cs:
Also I added this to WebApiConfig, but I'm not sure that really helps.
Nuget:
In my test System.IdentityModel.Tokens.Jwt with version bigger than 4.0.4 was not working, so leave it like this.
Also I'd like to thank the great manual from Auth0 and their GitHub.
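The answer says the failure was in the signature check, and the question's own data explains why: the id_token header shows "alg": "RS256" with a "kid", i.e. an RSA signature, while the posted Startup.cs validates with SymmetricKeyIssuerSecurityTokenProvider built from the client secret, so no key can ever verify the token and the middleware returns 401. The following is an added example, not code from the question, the answer, OneLogin or Auth0. It assumes the issuer publishes a standard OIDC discovery document with a jwks_uri (the discovery and JWKS URLs are derived from the issuer string rather than hard-coded), that Newtonsoft.Json is available (it ships with ASP.NET Web API), the Microsoft.Owin.Security.Jwt 3.1 and System.IdentityModel.Tokens.Jwt 4.0.x packages listed in the question, and a helper class name (OidcRsaSigningKeyProvider) that is hypothetical. Note also that ValidIssuer must match the token's "iss" claim exactly; the payload on the page has no trailing slash, whereas the original issuer string had one.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Tokens;            // TokenValidationParameters, RsaSecurityKey, SecurityKey
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Microsoft.Owin.Security.Jwt;
using Newtonsoft.Json.Linq;
using Owin;

// Hypothetical helper (added example): loads the issuer's published RSA public keys
// via OIDC discovery so an RS256-signed id_token can be verified with no shared secret.
public class OidcRsaSigningKeyProvider
{
    private readonly Dictionary<string, SecurityKey> _keysByKid = new Dictionary<string, SecurityKey>();

    public OidcRsaSigningKeyProvider(string issuer)
    {
        using (var http = new WebClient())
        {
            // 1. The discovery document says where the key set lives (jwks_uri).
            var discovery = JObject.Parse(
                http.DownloadString(issuer.TrimEnd('/') + "/.well-known/openid-configuration"));
            var jwksUri = (string)discovery["jwks_uri"];

            // 2. Each RSA JWK carries the public modulus (n) and exponent (e), Base64Url-encoded.
            var jwks = JObject.Parse(http.DownloadString(jwksUri));
            foreach (var jwk in jwks["keys"].Where(k => (string)k["kty"] == "RSA"))
            {
                var rsa = new RSACryptoServiceProvider();
                rsa.ImportParameters(new RSAParameters
                {
                    Modulus = TextEncodings.Base64Url.Decode((string)jwk["n"]),
                    Exponent = TextEncodings.Base64Url.Decode((string)jwk["e"]),
                });
                // Public material only: nothing here can sign a token, it can only verify one.
                _keysByKid[(string)jwk["kid"]] = new RsaSecurityKey(rsa);
            }
        }
    }

    // All published verification keys; the JWT handler tries the one whose kid
    // matches the token header first and rejects the token if none verifies.
    public IEnumerable<SecurityKey> Keys
    {
        get { return _keysByKid.Values; }
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Must equal the token's "iss" claim exactly (no trailing slash in the payload shown).
        var issuer = "https://openid-connect.onelogin.com/oidc";
        // The "aud" claim of the id_token is the OneLogin client id.
        var audience = ConfigurationManager.AppSettings["OneLoginClientId"];
        var signingKeys = new OidcRsaSigningKeyProvider(issuer);

        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            // When TokenValidationParameters is set, the middleware uses it instead of
            // AllowedAudiences / IssuerSecurityTokenProviders.
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = issuer,
                ValidAudience = audience,
                IssuerSigningKeys = signingKeys.Keys,   // asymmetric keys, matching alg RS256
                ValidateLifetime = true,                // reject tokens past "exp"
            }
        });
    }
}
```

The keys are fetched once at startup; because providers rotate signing keys, a production build would refresh the JWKS when a token arrives with an unknown kid (and cache the result), which is what the Auth0 sample the answer mentions does with a configuration manager. Two quick checks when a request still gets 401: decode the token header and confirm its kid appears in the issuer's JWKS, and compare the iss and aud claims character for character with ValidIssuer and ValidAudience.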