Not so long ago, MVC 5 was released, and one of the key changes is the authorization system. When you create an "empty" MVC 5 project, you can wire up sign-in through Facebook, Google, Twitter and Microsoft accounts. I immediately found it useful to work out how all of this fits together, and the result is a "middleware" module for the Vkontakte network. You can install it from NuGet by searching for "Duke.Owin.VkontakteMiddleware", and the source is here:
github.com/DukeNuken/Duke.Owin.VkontakteMiddleware
There are many articles on the Internet about OWIN authorization and the Katana project, which you can read about and whose source code you can even download.
And now I propose to discuss in general terms how it all works.
A bit of history. About 6 years ago a customer asked me to make pretty links such as "/account/register" on his site. Since the project was on ASP.NET, the only solution was to install the UrlRewriting module for IIS. It worked well on the server, but in Visual Studio such links naturally did not open, which was inconvenient. Since Microsoft released MVC, the UrlRewriting logic lives on the project side (RouteConfig), and the same is done for script optimization (BundleConfig). This lets the project carry all of its server dependencies with it. Authorization was added to MVC 5 on the same principle.
The Startup class lives in the project's /App_Start folder and contains a single function, ConfigureAuth(IAppBuilder app). It is called when the project starts and loads the so-called middleware modules. What are they and how do they work? In essence, they are classes that inherit from AuthenticationMiddleware. Such a class has a constructor and a CreateHandler() method. This method is called on every page request, and all it has to do is create an AuthenticationHandler, which in turn has two methods. Let's look at them in more detail.
1) protected override Task ApplyResponseChallengeAsync() - this method is called after the controller logic has run and before the response is sent to the user. It performs three important steps: it checks whether the HTTP status code of the response is 401 (not authorized); if so, a special helper checks whether this module is the one that should perform the authorization; and if so, it redirects to the provider's authorization site, so that the user sees this form:

That is, the first method actually does something only after the user clicks the Vkontakte button on the login page (an example of the page can be seen here); in all other cases it simply passes control on.
After confirming, the user is sent back to your site at the module's return page, something like '/signin-vkontakte?code=8e40fbe05c7ec232c0' (the return page is set in the module parameters), and at this point the second method comes into play.
2) public override async Task<bool> InvokeAsync() - this method is called on every page before the controller runs and compares its "base" link with the request. If they match, authorization takes place. In the Vkontakte module, this method essentially waits for the '/signin-vkontakte' link produced by the first method.
Inside InvokeAsync, the "oauth.vk.com/access_token" page is requested to obtain the token, then the Vkontakte API is called to get information about the user: the name and id. From this data an AuthenticationTicket is created. The AuthenticationTicket in turn is used to create the ReturnEndpointContext object, and the information is saved through Microsoft.Owin.Security.AuthenticationManager. After that, the user is sent to /Account/ExternalLoginCallback and can complete registration by specifying the name he wants to register under on the site.
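As an added example (not code from the original post or from the Duke.Owin.VkontakteMiddleware package), here is a minimal module built in the shape the text describes: an options class, the AuthenticationMiddleware subclass whose CreateHandler() runs per request, the handler with the two methods, and the ConfigureAuth registration. The type names VkAuthOptions, VkAuthMiddleware and VkAuthHandler are my own; the VK authorize endpoint and the token-response fields (user_id, access_token) are assumed from VK's OAuth flow rather than taken from the page; and the OAuth state parameter, protected with Katana's data protector, is an addition the text does not mention: it is what stops the return page from accepting a callback the module never initiated.

```csharp
using System;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataProtection;
using Microsoft.Owin.Security.Infrastructure;
using Newtonsoft.Json.Linq;
using Owin;

// Hypothetical options type: app credentials, the return page and the format that protects the OAuth state.
public class VkAuthOptions : AuthenticationOptions
{
    public VkAuthOptions() : base("VKontakte")
    {
        AuthenticationMode = AuthenticationMode.Passive;     // act only on an explicit challenge
        CallbackPath = new PathString("/signin-vkontakte");   // the module's return page
    }
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
    public PathString CallbackPath { get; set; }
    public string SignInAsAuthenticationType { get; set; }
    public ISecureDataFormat<AuthenticationProperties> StateDataFormat { get; set; }
}
// Constructed once from ConfigureAuth; Katana calls CreateHandler() for every request.
public class VkAuthMiddleware : AuthenticationMiddleware<VkAuthOptions>
{
    public VkAuthMiddleware(OwinMiddleware next, IAppBuilder app, VkAuthOptions options) : base(next, options)
    {
        if (Options.SignInAsAuthenticationType == null)
            Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();
        // The "state" we round-trip through VK is signed and encrypted, so a forged callback is rejected.
        Options.StateDataFormat = new PropertiesDataFormat(
            app.CreateDataProtector(typeof(VkAuthMiddleware).FullName, Options.AuthenticationType, "v1"));
    }
    protected override AuthenticationHandler<VkAuthOptions> CreateHandler() { return new VkAuthHandler(); }
}
public class VkAuthHandler : AuthenticationHandler<VkAuthOptions>
{
    private string ReturnUrl { get { return Request.Scheme + "://" + Request.Host + Request.PathBase + Options.CallbackPath; } }

    // Method 1: runs after the controller. Acts only on a 401 that names this provider,
    // which is what clicking the VKontakte button on the login page produces.
    protected override Task ApplyResponseChallengeAsync()
    {
        if (Response.StatusCode != 401) return Task.FromResult(0);
        AuthenticationResponseChallenge challenge =
            Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode);
        if (challenge == null) return Task.FromResult(0);
        AuthenticationProperties props = challenge.Properties;
        if (string.IsNullOrEmpty(props.RedirectUri)) props.RedirectUri = Request.Uri.ToString();
        Response.Redirect("https://oauth.vk.com/authorize?response_type=code" +
            "&client_id=" + Uri.EscapeDataString(Options.ClientId) +
            "&redirect_uri=" + Uri.EscapeDataString(ReturnUrl) +
            "&state=" + Uri.EscapeDataString(Options.StateDataFormat.Protect(props)));
        return Task.FromResult(0);
    }

    // Method 2: runs before the controller on every request; does nothing unless this is the return page.
    public override async Task<bool> InvokeAsync()
    {
        if (Request.Path != Options.CallbackPath) return false;
        AuthenticationTicket ticket = await AuthenticateAsync();   // runs AuthenticateCoreAsync below
        if (ticket == null) { Response.StatusCode = 400; return true; }
        // Hand the external identity to the sign-in cookie, then continue to /Account/ExternalLoginCallback.
        Context.Authentication.SignIn(ticket.Properties, ticket.Identity);
        Response.Redirect(ticket.Properties.RedirectUri);
        return true;
    }

    protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
    {
        AuthenticationProperties props = null;
        try { props = Options.StateDataFormat.Unprotect(Request.Query["state"]); } catch { }
        string code = Request.Query["code"];
        if (props == null || string.IsNullOrEmpty(code)) return null;   // not a callback this module issued
        using (var http = new HttpClient())
        {
            // Exchange the one-time code for a token (the oauth.vk.com/access_token step); VK also returns user_id.
            JObject token = JObject.Parse(await http.GetStringAsync("https://oauth.vk.com/access_token" +
                "?client_id=" + Uri.EscapeDataString(Options.ClientId) +
                "&client_secret=" + Uri.EscapeDataString(Options.ClientSecret) +
                "&redirect_uri=" + Uri.EscapeDataString(ReturnUrl) + "&code=" + Uri.EscapeDataString(code)));
            string userId = (string)token["user_id"];
            if (userId == null || token["access_token"] == null) return null;
            // (The real module would now call the VK API with the access token to fetch the user's name.)
            // A NameIdentifier issued by "VKontakte" is what ExternalLoginCallback later stores as provider + user id.
            var identity = new ClaimsIdentity(Options.SignInAsAuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId, null, Options.AuthenticationType));
            return new AuthenticationTicket(identity, props);
        }
    }
}
// App_Start/Startup.Auth.cs: register the module after the external cookie it signs into.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
        app.Use(typeof(VkAuthMiddleware), app, new VkAuthOptions { ClientId = "<vk app id>", ClientSecret = "<vk secret>" });
    }
}
```

Two things to check when adapting this: the redirect URI registered in the VK application settings must match ReturnUrl exactly, and the order in ConfigureAuth matters, because UseExternalSignInCookie is what makes GetDefaultSignInAsAuthenticationType() return the external cookie type that the handler's identity is created with.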
I would like to note a few things:
1) The behavior of a "middleware" module is very similar to an ordinary HTTP module, which gets control at the beginning and at the end of the request.

2) It might seem that there are two kinds of registration, registration on the site and registration through the OWIN modules, but in the end, after logging in on Vkontakte, the user is returned to the site page "/Account/ExternalLoginCallback" (the page shows a message that he has logged in successfully, a text field for the name and a Register button), and only when he clicks Register is a normal account created, marked as belonging to the "Vkontakte" provider with the user id as a parameter. In the database it looks like this:

That is, OWIN authorization on the site itself does nothing; it only supplies information for regular registration.
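To make that last point concrete, here is the receiving side, an AccountController written here after the pattern of the MVC 5 project template (example code, not the template's own file and not the post's): ExternalLoginCallback reads the external cookie the middleware wrote and, if no account is yet linked to that provider/key pair, shows the confirmation form; only ExternalLoginConfirmation (the Register button) creates the account and the provider link. ExternalLoginConfirmationViewModel and the IdentityUser/IdentityDbContext wiring are assumptions.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

// Hypothetical view model for the confirmation form (name field + Register button).
public class ExternalLoginConfirmationViewModel
{
    public string UserName { get; set; }
}

[Authorize]
public class AccountController : Controller
{
    private readonly UserManager<IdentityUser> _userManager =
        new UserManager<IdentityUser>(new UserStore<IdentityUser>(new IdentityDbContext()));

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // Step 1: the middleware redirected here with only the external cookie set; nothing is in the database yet.
    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        ExternalLoginInfo info = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (info == null) return RedirectToAction("Login");
        // info.Login.LoginProvider is "VKontakte" and info.Login.ProviderKey is the VK user id,
        // both taken from the NameIdentifier claim the middleware issued.
        IdentityUser user = await _userManager.FindAsync(info.Login);
        if (user != null)
        {
            await SignInAsync(user);          // already registered earlier: just sign in
            return RedirectToLocal(returnUrl);
        }
        ViewBag.LoginProvider = info.Login.LoginProvider;
        return View("ExternalLoginConfirmation",
            new ExternalLoginConfirmationViewModel { UserName = info.DefaultUserName });
    }

    // Step 2: the Register button. Only now is a normal account created and linked to provider + user id.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> ExternalLoginConfirmation(ExternalLoginConfirmationViewModel model, string returnUrl)
    {
        // The external cookie must still be present; without it we never trust the posted name alone.
        ExternalLoginInfo info = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (info == null || !ModelState.IsValid) return View(model);
        var user = new IdentityUser { UserName = model.UserName };
        IdentityResult result = await _userManager.CreateAsync(user);
        if (result.Succeeded)
            result = await _userManager.AddLoginAsync(user.Id, info.Login);   // the row in AspNetUserLogins
        if (!result.Succeeded)
        {
            foreach (string error in result.Errors) ModelState.AddModelError("", error);
            return View(model);
        }
        await SignInAsync(user);
        return RedirectToLocal(returnUrl);
    }

    private async Task SignInAsync(IdentityUser user)
    {
        // The temporary external cookie has done its job; replace it with the application cookie.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        var identity = await _userManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
    }

    private ActionResult RedirectToLocal(string returnUrl)
    {
        // Only follow local return URLs, so the callback cannot be used as an open redirect.
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}
```

The division of labour is visible in the two actions: the OWIN side only ever produces an ExternalLoginInfo, while CreateAsync and AddLoginAsync are what write the account and the "Vkontakte" + user id record the database screenshot shows.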
Thanks for your attention.
Live example: freemusiclib.com/Account/Login