OWIN令牌认证400从浏览器

Question

OPTIONS我使用令牌认证基于本文的小项目请求无效：http://bitoftech.net/2014/06/09/angularjs-token-authentication-using-asp-net-web-api-2-owin-asp-net-identity/

一切似乎除了一两件事，做工精细：OWIN基于令牌的认证不允许OPTIONS请求on/token端点。 Web API返回400错误请求，并且整个浏览器应用程序停止发送POST请求以获取令牌。

我已经在示例项目中启用了应用程序中的所有CORS。下面一些代码，可能是相关的：

public class Startup 
    { 
     public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; } 

     public void Configuration(IAppBuilder app) 
     { 
      AreaRegistration.RegisterAllAreas(); 
      UnityConfig.RegisterComponents(); 
      GlobalConfiguration.Configure(WebApiConfig.Register); 
      FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); 
      RouteConfig.RegisterRoutes(RouteTable.Routes); 
      BundleConfig.RegisterBundles(BundleTable.Bundles); 

      HttpConfiguration config = new HttpConfiguration(); 

      app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll); 

      ConfigureOAuth(app); 

      WebApiConfig.Register(config); 

      app.UseWebApi(config); 

      Database.SetInitializer(new ApplicationContext.Initializer()); 
     } 

     public void ConfigureOAuth(IAppBuilder app) 
     { 
      //use a cookie to temporarily store information about a user logging in with a third party login provider 
      app.UseExternalSignInCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie); 
      OAuthBearerOptions = new OAuthBearerAuthenticationOptions(); 

      OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions() 
      { 
       AllowInsecureHttp = true, 
       TokenEndpointPath = new PathString("/token"), 
       AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60), 
       Provider = new SimpleAuthorizationServerProvider(), 
       RefreshTokenProvider = new SimpleRefreshTokenProvider() 
      }; 

      // Token Generation 
      app.UseOAuthAuthorizationServer(OAuthServerOptions); 
      app.UseOAuthBearerAuthentication(OAuthBearerOptions); 
     } 
    } 

下面是我的javascript登录功能（我为此使用angularjs）

var _login = function (loginData) { 

     var data = "grant_type=password&username=" + loginData.userName + "&password=" + loginData.password; 

     data = data + "&client_id=" + ngAuthSettings.clientId; 

     var deferred = $q.defer(); 

     $http.post(serviceBase + 'token', data, { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }).success(function (response) { 

     localStorageService.set('authorizationData', { token: response.access_token, userName: loginData.userName, refreshToken: response.refresh_token, useRefreshTokens: true }); 
     _authentication.isAuth = true; 
     _authentication.userName = loginData.userName; 
     _authentication.useRefreshTokens = loginData.useRefreshTokens; 

     deferred.resolve(response); 

     }).error(function (err, status) { 
      _logOut(); 
      deferred.reject(err); 
     }); 

     return deferred.promise; 
    }; 

    var _logOut = function() { 

     localStorageService.remove('authorizationData'); 

     _authentication.isAuth = false; 
     _authentication.userName = ""; 
     _authentication.useRefreshTokens = false; 

    }; 

Answer 1

解决它。问题不是通过OPTIONS请求头发送访问控制请求方法

Answer 2

我今天在这个问题上已经失去了一些时间。最后我想我已经找到了解决方案。您OAuthAuthorizationServerProvider内

覆盖方法：

public override Task MatchEndpoint(OAuthMatchEndpointContext context) 
{ 
    if (context.IsTokenEndpoint && context.Request.Method == "OPTIONS") 
    { 
     context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" }); 
     context.OwinContext.Response.Headers.Add("Access-Control-Allow-Headers", new[] { "authorization" }); 
     context.RequestCompleted(); 
     return Task.FromResult(0); 
    } 

    return base.MatchEndpoint(context); 
} 

这似乎做三件所需的东西：

• 力auth服务器响应选项200（OK）HTTP状态请求，
• 通过设置允许请求来自任何地方Access-Control-Allow-Origin
• 允许Authorization头设置在subseq通过设置的向上请求Access-Control-Allow-Headers

经过这些步骤后，角度最终在使用OPTIONS方法请求令牌端点时表现正确。返回OK状态，它重复使用POST方法获取完整令牌数据的请求。

Answer 3

这应该做的伎俩：

app.UseCors(CorsOptions.AllowAll);