身份验证 – 如何使用ASP.NET身份在Web API 2中实现双因素身份验证?

asp.Net 2020-02-01
我已经看到了关于如何在web api中创建双因素身份验证的链接 Two Factor Auth using goolgle authenticator,但我的要求却略有不同.

>我想使用双因素身份验证来发出访问令牌. (如果用户已选择启用双因素身份验证)
>我想使用ASP.NET身份本身创建OTP代码. (就像我们在MVC Web应用程序中所做的那样SignInManager.SendTwoFactorCodeAsync(“电话代码”))

我当前实现的问题是,当我调用SignInManager.SendTwoFactorCodeAsync(“电话代码”)时,我得到错误用户ID未找到.

为了调试,我尝试调用User.Identity.GetUserId();并返回正确的用户ID.

我检查了Microsoft.AspNet.Identity.Owin程序集的源代码

public virtual async Task<bool> SendTwoFactorCodeAsync(string provider)
    {
        var userId = await GetVerifiedUserIdAsync().WithCurrentCulture();
        if (userId == null)
        {
            return false;
        }

        var token = await UserManager.GenerateTwoFactorTokenAsync(userId,provider).WithCurrentCulture();
        // See IdentityConfig.cs to plug in Email/SMS services to actually send the code
        await UserManager.NotifyTwoFactorTokenAsync(userId,provider,token).WithCurrentCulture();
        return true;
    }

    public async Task<TKey> GetVerifiedUserIdAsync()
    {
        var result = await AuthenticationManager.AuthenticateAsync(DefaultAuthenticationTypes.TwoFactorCookie).WithCurrentCulture();
        if (result != null && result.Identity != null && !String.IsNullOrEmpty(result.Identity.GetUserId()))
        {
            return ConvertIdFromString(result.Identity.GetUserId());
        }
        return default(TKey);
    }

从上面的代码可以看出,SendTwoFactorCodeAsync方法在内部调用GetVerifiedUserIdAsync,它检查双因素身份验证cookie.由于这是一个web api项目,因此不存在cookie并返回0,导致找不到用户id错误.

我的问题,如何使用asp.net身份在web api中正确实现双因素身份验证?

解决方法

这就是我实现的,以便在api上工作.我假设您使用的是认的ASP.NET单用户模板.

1.ApplicationOAuthProvider

在GrantResourceOwnerCredentials方法中,您必须添加代码

var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
ApplicationUser user = await userManager.FindAsync(context.UserName,context.Password);

var twoFactorEnabled = await userManager.GetTwoFactorEnabledAsync(user.Id);
if (twoFactorEnabled)
{
 var code = await userManager.GenerateTwoFactorTokenAsync(user.Id,"PhoneCode");
 IdentityResult notificationResult = await userManager.NotifyTwoFactorTokenAsync(user.Id,"PhoneCode",code);
 if(!notificationResult.Succeeded){
   //you can add your own validation here
   context.SetError(error,"Failed to send OTP"); 
 }
}

// commented for clarification
ClaimIdentity oAuthIdentity .....

// Commented for clarification
AuthenticationProperties properties = CreateProperties(user);
// Commented for clarification

在CreateProperties方法内部用userObject替换参数,如下所示:

public static AuthenticationProperties CreateProperties(ApplicationUser user)
{
  IDictionary<string,string> data = new Dictionary<string,string>
  {
    { "userId",user.Id },{ "requireOTP",user.TwoFactorEnabled.ToString() },}

// commented for clarification
}

以上代码检查用户是否启用了TFA,如果启用它将生成验证码并使用您选择的SMSService发送.

2.创建TwoFactorAuthorize属性

创建响应类ResponseData

public class ResponseData
{
    public int Code { get; set; }
    public string Message { get; set; }
}

添加TwoFactorAuthorizeAttribute

public override async Task OnAuthorizationAsync(HttpActionContext actionContext,System.Threading.CancellationToken cancellationToken)
    {
        #region Get userManager
        var userManager = HttpContext.Current.GetowinContext().Get<ApplicationUserManager>();
        if(userManager == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized,new ResponseData
            {
                Code = 100,Message = "Failed to authenticate user."
            });
            return;
        }
        #endregion

        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;

        #region Get current user
        var user = await userManager.FindByNameAsync(principal?.Identity?.Name);
        if(user == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized,Message = "Failed to authenticate user."
            });
            return;
        }
        #endregion

        #region Validate Two-Factor Authentication
        if (user.TwoFactorEnabled)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized,new ResponseData
            {
                Code = 101,Message = "User must be authenticated using Two-Factor Authentication."
            });
        }
        #endregion

        return;
    }
}

3.使用TwoFactorAuthorizeAttribute

在控制器中使用TwoFactorAuthorizeAttribute

[Authorize]
[TwoFactorAuthorize]
public IHttpActionResult DoMagic(){
}

4.验证OTP
在您的AccountController中,您必须添加api端点以验证OTP

[Authorize]
    [HttpGet]
    [Route("VerifyPhoneOTP/{code}")]
    public async Task<IHttpActionResult> VerifyPhoneOTP(string code)
    {
        try
        {
           bool verified = await UserManager.VerifyTwoFactorTokenAsync(User.Identity.GetUserId(),code);
            if (!verified)
                return BadRequest($"{code} is not a valid OTP,please verify and try again.");


            var result = await UserManager.SetTwoFactorEnabledAsync(User.Identity.GetUserId(),false);
            if (!result.Succeeded)
            {
                foreach (string error in result.Errors)
                    errors.Add(error);

                return BadRequest(errors[0]);
            }

            return Ok("OTP verified successfully.");
        }
        catch (Exception exception)
        {
            // Log error here
        }
    }

相关文章

WPF如何实现带筛选功能的DataGrid
这篇文章主要讲解了“WPF如何实现带筛选功能的DataGrid”,文...
基于WPF如何实现3D画廊动画效果
本篇内容介绍了“基于WPF如何实现3D画廊动画效果”的有关知识...
asp.net服务器控件命名规范
Some samples are below for ASP.Net web form controls:(fr...
对于未定义为 System.String 的列,唯一有效的值是(引发异常)
问题描述: 对于未定义为 System.String 的列,唯一有效的值...
如何修正CalendarExtender在updatePanel中发生错位的问题
最近用到了CalendarExtender,结果不知道为什么发生了错位,...
ASP.NET 2.0 page lifecyle页面生命周期
ASP.NET 2.0 page lifecyle ASP.NET 2.0 event sequence cha...