程序员经验分享-hwhale

如何使用 ASP.NET 身份在 Web API 2 中实现两因素身份验证?

2024-04-11

我看过这个链接使用谷歌身份验证器的两因素身份验证 http://bitoftech.net/2014/10/15/two-factor-authentication-asp-net-web-api-angularjs-google-authenticator/关于如何在 Web api 中创建两因素身份验证,但我的要求略有不同。

  1. 我想使用两因素身份验证来颁发访问令牌。 (如果用户选择启用两因素身份验证)
  2. 我想使用 ASP.NET 身份本身创建 OTP 代码。 (就像我们在 MVC Web 应用程序中所做的那样SignInManager.SendTwoFactorCodeAsync("Phone Code")

我当前实现的问题是,当我调用SignInManager.SendTwoFactorCodeAsync("Phone Code")我收到错误用户 ID 未找到。

为了调试,我尝试调用User.Identity.GetUserId();它会返回正确的用户 ID。

我检查了 Microsoft.AspNet.Identity.Owin 程序集的源代码

    public virtual async Task<bool> SendTwoFactorCodeAsync(string provider)
    {
        var userId = await GetVerifiedUserIdAsync().WithCurrentCulture();
        if (userId == null)
        {
            return false;
        }

        var token = await UserManager.GenerateTwoFactorTokenAsync(userId, provider).WithCurrentCulture();
        // See IdentityConfig.cs to plug in Email/SMS services to actually send the code
        await UserManager.NotifyTwoFactorTokenAsync(userId, provider, token).WithCurrentCulture();
        return true;
    }

    public async Task<TKey> GetVerifiedUserIdAsync()
    {
        var result = await AuthenticationManager.AuthenticateAsync(DefaultAuthenticationTypes.TwoFactorCookie).WithCurrentCulture();
        if (result != null && result.Identity != null && !String.IsNullOrEmpty(result.Identity.GetUserId()))
        {
            return ConvertIdFromString(result.Identity.GetUserId());
        }
        return default(TKey);
    }

从上面的代码可以看出,SendTwoFactorCodeAsync方法内部调用GetVerifiedUserIdAsync它检查两因素身份验证 cookie。由于这是一个Web api项目,cookie不存在并且返回0,导致用户id未找到错误。

我的问题是,如何使用 asp.net 身份在 Web api 中正确实现两因素身份验证?


这就是我为了让它在 api 上工作而实现的。我假设您使用的是默认的 ASP.NET 单用户模板。

1.ApplicationOAuthProvider

inside 授予资源所有者凭据方法你必须添加此代码

var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);

var twoFactorEnabled = await userManager.GetTwoFactorEnabledAsync(user.Id);
if (twoFactorEnabled)
{
 var code = await userManager.GenerateTwoFactorTokenAsync(user.Id, "PhoneCode");
 IdentityResult notificationResult = await userManager.NotifyTwoFactorTokenAsync(user.Id, "PhoneCode", code);
 if(!notificationResult.Succeeded){
   //you can add your own validation here
   context.SetError(error, "Failed to send OTP"); 
 }
}

// commented for clarification
ClaimIdentity oAuthIdentity .....

// Commented for clarification
AuthenticationProperties properties = CreateProperties(user);
// Commented for clarification

Inside 创建属性方法将参数替换为用户对象,如下所示:

public static AuthenticationProperties CreateProperties(ApplicationUser user)
{
  IDictionary<string, string> data = new Dictionary<string, string>
  {
    { "userId", user.Id },
    { "requireOTP" , user.TwoFactorEnabled.ToString() },
  }

// commented for clarification
}

上面的代码检查用户是否启用了 TFA,如果启用,它将生成验证码并使用您选择的 SMSService 发送。

2. 创建 TwoFactorAuthorize 属性

创建响应类响应数据

public class ResponseData
{
    public int Code { get; set; }
    public string Message { get; set; }
}

add 两因素授权属性

public override async Task OnAuthorizationAsync(HttpActionContext actionContext, System.Threading.CancellationToken cancellationToken)
    {
        #region Get userManager
        var userManager = HttpContext.Current.GetOwinContext().Get<ApplicationUserManager>();
        if(userManager == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new ResponseData
            {
                Code = 100,
                Message = "Failed to authenticate user."
            });
            return;
        }
        #endregion

        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;

        #region Get current user
        var user = await userManager.FindByNameAsync(principal?.Identity?.Name);
        if(user == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new ResponseData
            {
                Code = 100,
                Message = "Failed to authenticate user."
            });
            return;
        }
        #endregion

        #region Validate Two-Factor Authentication
        if (user.TwoFactorEnabled)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new ResponseData
            {
                Code = 101,
                Message = "User must be authenticated using Two-Factor Authentication."
            });
        }
        #endregion

        return;
    }
}

3.使用TwoFactorAuthorizeAttribute

在控制器中使用 TwoFactorAuthorizeAttribute

[Authorize]
[TwoFactorAuthorize]
public IHttpActionResult DoMagic(){
}

4. 验证一次性密码在您的 AccountController 中,您必须添加 api 端点来验证 OTP

    [Authorize]
    [HttpGet]
    [Route("VerifyPhoneOTP/{code}")]
    public async Task<IHttpActionResult> VerifyPhoneOTP(string code)
    {
        try
        {
           bool verified = await UserManager.VerifyTwoFactorTokenAsync(User.Identity.GetUserId(), "PhoneCode", code);
            if (!verified)
                return BadRequest($"{code} is not a valid OTP, please verify and try again.");


            var result = await UserManager.SetTwoFactorEnabledAsync(User.Identity.GetUserId(), false);
            if (!result.Succeeded)
            {
                foreach (string error in result.Errors)
                    errors.Add(error);

                return BadRequest(errors[0]);
            }

            return Ok("OTP verified successfully.");
        }
        catch (Exception exception)
        {
            // Log error here
        }
    }
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)

authentication

aspnetwebapi

aspnetidentity

onetimepassword

如何使用 ASP.NET 身份在 Web API 2 中实现两因素身份验证? 的相关文章

随机推荐

热门标签