OAuth2学习及DotNetOpenAuth部分源码研究

1、.：.；在上篇文章中我研讨了OpenId及Dot HYPERLINK /tag/net o Net t _blank NetOpenAuth的相关运用,这一篇继续研讨OAuth2. 一.什么是OAuth2 OAuth是一种开放认证协议,允许 HYPERLINK /tag/%E7%94%A8%E6%88%B7 o 用户 t _blank 用户让第三方运用访问该用户在某一 HYPERLINK /tag/%E7%BD%91%E7%AB%99 o 网站 t _blank 网站上存储的私密的 HYPERLINK /tag/%E8%B5%84%E6%BA%90 o 资源 t _blank 资源如照片， H

2、YPERLINK /tag/%E8%A7%86%E9%A2%91 o 视频 t _blank 视频，联络人列表，而无需将用户名和密码提供应第三方运用.数字2表示如今运用第2代协议. 二.OAuth2中的角色 OAuth2有四种角色 resource owner资源一切者：比如twitter用户，他在twitter的 HYPERLINK /tag/%E6%95%B0%E6%8D%AE o 数据 t _blank 数据就是资源，他本人就是这些资源的一切者。 resource server资源 HYPERLINK /tag/%E6%9C%8D%E5%8A%A1%E5%99%A8 o 效力器 t _b

3、lank 效力器：保管资源的效力器，他人要访问受限制的资源就要出示 Access Token访问令牌。 client HYPERLINK /tag/%E5%AE%A2%E6%88%B7%E7%AB%AF o 客户端 t _blank 客户端：一个经过授权后，可以代表资源一切者访问资源效力器上受限制资源的一方。比如 HYPERLINK /tag/%E5%BC%80%E5%8F%91%E8%80%85 o 开发者 t _blank 开发者开发的运用。 authorization server授权效力器：对 资源一切者进展认证，认证经过后，向 客户端发放 Access Token访问令牌。 三.认证

4、过程 用户访问客户端的网站，想操作本人存放在资源效力提供方的资源。 客户端将用户引导至授权效力提供方的授权页面恳求用户授权,在这个过程中将客户端的回调衔接发送给授权效力提供方。 用户在授权效力提供方的网页上输入用户名和密码，然后授权该客户端访问所恳求的资源。 授权胜利后,授权效力提供方对客户端授予一个授权码,网站跳回至客户端。 客户端获得授权码后,再次从授权效力提供方恳求获取访问令牌 。 授权效力提供方根据授权码授予客户端访问令牌。 客户端运用获取的访问令牌访问存放在资源效力提供方上的受维护的资源。 四.获取访问令牌方式 从上面可以看到,令牌是串起整个认证流程的中心.OAuth2有四种获取令牌

5、的方式 Authorization Code授权码方式：这种是引荐运用的，也是最平安的. Implicit Grant隐式授权：相比授权码授权，隐式授权少了第一步的取Authorization Code的过程，而且不会前往 refresh_token。主要用于无效力器端的运用，比如 HYPERLINK /tag/%E6%B5%8F%E8%A7%88%E5%99%A8 o 阅读器 t _blank 阅读器插件。 Resource Owner Password Credentials资源一切者密码证书授权：这种验证主要用于资源一切者对Client有极高的信任度的情况，比如操作 HYPERLINK

6、/tag/%E7%B3%BB%E7%BB%9F o 系统 t _blank 系统或高权限程序。只需在不能运用其它授权方式的情况下才运用这种方式。 Client Credentials客户端证书授权：这种情况下 Client运用本人的 client证书如 client_id及client_secret组成的 basic HYPERLINK /tag/%E9%AA%8C%E8%AF%81%E7%A0%81 o 验证码 t _blank 验证码来获取 access token，只能用于信任的client。 本文主要讲解第一种获取方式. 有能有些人有这样的疑问,为什么授权胜利后不直接前往访问令牌,那么

7、是获取授权码,然后运用授权码去换访问令牌.这个问题的答案在官方的文档里,缘由主要是保证数据平安性.当用户授权胜利,阅读器从授权效力器前往客户端时,数据是经过QueryString传送的.假设直接前往访问令牌,那么直接在地址栏可见,相关的日志系统也会记录,这会提高令牌被破解的风险.前往授权码,然后客户端经过直接通讯运用授权码换取访问令牌,整个过程对用户是不可见的,这样大大提高了平安性. 五.DotNetOpenAuth在OAuth2中的运用 官方Sample内包含有OAuth的完好例如,其授权效力器运用Mvc编写,客户端与资源效力器运用WebForm编写,数据层运用了EF.为了更加贴进实践运用,

8、减少无关杂音,本人模拟其重写了一个Sample,本文的讲解将围绕自行编写的Sample展开.Sample例如可于文后下载. 1.客户端 客户端 HYPERLINK /tag/%E7%BC%96%E7%A8%8B o 编程 t _blank 编程主要围绕三个类展开 AuthorizationServer HYPERLINK /tag/Description o Description t _blank Description,顾名思义,用于对效力端的描画.如下所示private static AuthorizationServerDescription AuthServerDescription

9、; private static readonly WebServerClient Client; static OAuth2Client() AuthServerDescription = new AuthorizationServerDescription(); AuthServerDescription.TokenEndpoint = new Uri(localhost:8301/OAuth/Token); AuthServerDescription.AuthorizationEndpoint = new Uri(localhost:8301/OAuth/Authorize); Clie

10、nt = new WebServerClient(AuthServerDescription, sampleconsumer, samplesecret); 可以看到,主要设置其两个地址:令牌获取地址与授权地址.然后将其作为参数来构建WebServerClient类. WebServerClient类,是OAuth2的客户端代理类,与授权效力器和资源效力器交互的方法都定义在上面.在实例化时需求传入AuthServerDescr HYPERLINK /tag/IP o ip t _blank iption对象,客户端名与客户端密码.这对称号与密码应该是事先向授权效力器恳求的,用于标识每一个运用数

11、据的客户端.各个客户端拥有各自的称号与密码. 生成客户端代理后,第一件事就是应该访问授权效力器获取授权码.这主要由WebServerClient类的RequestUserAuthorization方法完成.public void RequestUserAuthorization(IEnumerable scope = null, Uri returnTo = null); 在恳求授权码时,还会向授权效力器发送恳求权限的范围,参数名叫scope.普通都是一个Url地址. 恳求胜利,授权效力器前往后,客户端需再次访问授权效力器恳求访问令牌.这主要由WebServerClient类的ProcessU

12、serAuthorization方法完成public IAuthorizationState ProcessUserAuthorization(HttpRequestBase request = null); 胜利恳求后,会前往一个IAuthorizationState接口对象,其定义如下string AccessToken get; set; DateTime? AccessTokenExpirationUtc get; set; DateTime? AccessTokenIssueDateUtc get; set; Uri Callback get; set; string Refresh

13、Token get; set; HashSet Scope get; 很好了解,AccessToken为访问令牌,RefreshToken为刷新令牌,AccessTokenIssueDateUtc为访问令牌生成时间,AccessTokenExpirationUtc为访问令牌过期时间,Callback为回调的Url,Scope为权限的范围,或者叫被授权可以访问的地址范围. 在Sample中为了简化编程对框架作了二次封装,如下1 private static AuthorizationServerDescription AuthServerDescription; 2 3 private stat

14、ic readonly WebServerClient Client; 4 5 static OAuth2Client() 6 7 AuthServerDescription = new AuthorizationServerDescription(); 8 AuthServerDescription.TokenEndpoint = new Uri(localhost:8301/OAuth/Token); 9 AuthServerDescription.AuthorizationEndpoint = new Uri(localhost:8301/OAuth/Authorize); 10 11

15、Client = new WebServerClient(AuthServerDescription, sampleconsumer, samplesecret); 12 13 14 private static IAuthorizationState Authorization 15 16 get return (AuthorizationState)HttpContext.Current.SessionAuthorization; 17 set HttpContext.Current.SessionAuthorization = value; 18 19 20 public static

16、void GetUserAuthorization(string scope) 21 22 GetUserAuthorization(new string scope ); 23 24 25 public static void GetUserAuthorization(IEnumerable scopes) 26 27 if (Authorization != null) 28 29 return; 30 31 32 IAuthorizationState authorization = Client.ProcessUserAuthorization(); 33 if (authorizat

17、ion = null) 34 35 Client.RequestUserAuthorization(scopes); 36 37 return; 38 39 40 Authorization = authorization; 41 HttpContext.Current.Response.Redirect(HttpContext.Current.Request.Path); 42 前12行为对象初始化,14到18行将获取的权限对象保管在Session中,属性名为Authorization.客户端运用GetUserAuthorization方法来获取对某地址访问授权. 在页面中调用代码如下if

18、(!IsPostBack) OAuth2Client.GetUserAuthorization(/IGetData/NameLength); 翻开页面,初次调用GetUserAuthorization方法后,首先判别权限对象Authorization能否为空.不为空阐明已获取到权限.为空那么执行ProcessUserAuthorization方法获取访问令牌,由于此时没有授权码,那么前往的权限对象为空.最后经过RequestUserAuthorization方法向授权效力器恳求授权码. 获取胜利后,阅读器页面会刷新,在页面地址后追加了授权码.此时第二次执行GetUserAuthorizatio

19、n方法.权限对象Authorization依然为空,但由于已有授权码,那么ProcessUserAuthorization方法将向授权效力器恳求访问令牌.获取胜利后将前往的权限对象赋给Authorization属性,然后再次刷新本页面.留意,刷新地址运用的是HttpContext.Current.Request.Path,而此属性是不包括QueryString的.作用是将授权码从地址栏中去除. 第三次执行GetUserAuthorization方法,由于权限对象Authorization已不为空,那么直接前往. 访问令牌默许是有时效的.当过期后,要么走上面三步重新恳求一个令牌,不过更好的方法是

20、运用刷新令牌刷新访问令牌.这主要由WebServerClient类的RefreshAuthorization方法完成public bool RefreshAuthorization(IAuthorizationState authorization, TimeSpan? skipIfUsefulLifeExceeds = null); 运用访问令牌的方式,是将令牌添加到访问资源效力器Http恳求的头上,这主要由WebServerClient类的AuthorizeRequest方法完成public void AuthorizeRequest(HttpWebRequest request, IAu

21、thorizationState authorization); public void AuthorizeRequest(WebHeaderCollection requestHeaders, IAuthorizationState authorization); 在Sample中针对Wcf恳求作了二次封装,如下1 public static TReturn UseService(ExpressionFuncoperation) 2 3 if (Authorization.AccessTokenExpirationUtc.HasValue) 4 5 Client.RefreshAuthori

22、zation(Authorization, TimeSpan.FromMinutes(2); 6 7 8 TService channel = new ChannelFactory(*).CreateChannel(); 9 IClientChannel client = (IClientChannel)channel; 10 11 HttpWebRequest httpRequest = (HttpWebRequest)WebRequest.Create(client.RemoteAddress.Uri); 12 ClientBase.AuthorizeRequest(httpRequest

23、, Authorization.AccessToken); 13 HttpRequestMessageProperty httpDetails = new HttpRequestMessageProperty(); 14 httpDetails.HeadersHttpRequestHeader.Authorization = httpRequest.HeadersHttpRequestHeader.Authorization; 15 16 using (OperationContextScope scope = new OperationContextScope(client) 17 18 O

24、perationContext.Current.OutgoingMessagePropertiesHttpRequestMessageProperty.Name = httpDetails; 19 20 client.Open(); 21 TReturn result = operationpile().Invoke(channel); 22 try 23 24 client.Close(); 25 26 catch 27 28 client.Abort(); 29 throw; 30 31 32 return result; 33 34 在恳求一个Wcf前,首先判别有效期.假设少于2分钟那么

25、首先刷新访问令牌.之后构建一个HttpWebRequest对象,并运用AuthorizeRequest方法将访问令牌添加在恳求头上.从第13行之后是Wcf的特定写法,其中13到18行表示将Http授权头赋给Wcf授权头. 2.授权效力端 效力端要做的事其实很好了解,就是记录某用户在某客户端的授权情况.其运用 HYPERLINK /tag/%E6%95%B0%E6%8D%AE%E5%BA%93 o 数据库 t _blank 数据库来保管相关信息.Client表存储客户端,User表存储用户,ClientAuthorization表是张关系表,存储某用户在某客户端授予的权限.Nonce存储访问 H

26、YPERLINK /tag/%E9%9A%8F%E6%9C%BA%E6%95%B0 o 随机数 t _blank 随机数,SymmertricCryptoKey表存储对称加密的密码. 效力端主要围绕以下对象编程 AuthorizationServer类,代表授权效力类.主要的功能都由它提供.IAuthorizationServerHost接口是编写验证逻辑的地方,由OAuth2AuthorizationServer类实现,ICryptoKeyStore是访问密码的接口,INonceStore是访问随机数的地方,这两个接口由DatabaseKeyNonceStore类实现,IClientDesc

27、ription是描画客户端的接口,由Client实现. 在本Sample中,OpenId与OAuth2是配合运用的.用户需求先去OpenId进展登录,然后去OAuth2进展授权.从这个意义上讲,OAuth2受OpenId的一致管理,是其一个客户端. AccountController是一个典型的OpenId客户端编程.上篇文章已有讲解,故不赘述. 当客户端恳求授权码时,首先执行OAuthController类的Authorize方法,如下,有删节public ActionResult Authorize() var pendingRequest = this.authorizationServ

28、er.ReadAuthorizationRequest(); if (this.authorizationServer.AuthorizationServerServices as OAuth2AuthorizationServer).CanBeAutoApproved(pendingRequest) var approval = this.authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name); return this.authorizatio

29、nServer.Channel.PrepareResponse(approval).AsActionResult(); database.AddParameter(ClientIdentifier, pendingRequest.ClientIdentifier); ViewBag.Name = database.ExecuteScalar(select name from Client where ClientIdentifier = ClientIdentifier).ToString(); ViewBag.AuthorizationRequest = pendingRequest; re

30、turn View(); AuthorizationServer类的ReadAuthorizationRequest方法会获取用户恳求并前往一个EndUserAuthorizationRequest对象,此对象定义如下public Uri Callback get; set; public string ClientIdentifier get; set; public string ClientState get; set; public virtual EndUserAuthorizationResponseType ResponseType get; public HashSet Sco

31、pe get; 可以看到包括了客户端的相关信息.然后将此对象传入OAuth2AuthorizationServer对像的CanBeAuto HYPERLINK /tag/App o App t _blank Approved方法,查看能否自动发放授权码.public bool CanBeAutoApproved(EndUserAuthorizationRequest authorizationRequest) if (authorizationRequest.ResponseType = EndUserAuthorizationResponseType.AuthorizationCode) d

32、atabase.AddParameter(ClientIdentifier, authorizationRequest.ClientIdentifier); object result = database.ExecuteScalar(select ClientSecret from client where ClientIdentifier = ClientIdentifier); if (result != null & !string.IsNullOrEmpty(result.ToString() return this.IsAuthorizationValid(authorizatio

33、nRequest.Scope, authorizationRequest.ClientIdentifier, DateTime.UtcNow, HttpContext.Current.User.Identity.Name); return false; 此方法是查找数据库中有无此客户端记录且密码不为空,假设不为空且处于获取授权码阶段,那么会调用了IsAuthorizationValid方法private bool IsAuthorizationValid(HashSet requestedScopes, string clientIdentifier, DateTime issuedUtc,

34、string username) issuedUtc += TimeSpan.FromSeconds(1); database.AddParameter(ClientIdentifier, clientIdentifier); database.AddParameter(CreatedOnUtc, issuedUtc); database.AddParameter(ExpirationDateUtc, DateTime.UtcNow); database.AddParameter(OpenIDClaimedIdentifier, username); StringBuilder sb = ne

35、w StringBuilder(); sb.Append(select scope from user u ); sb.Append( join ClientAuthorization ca on u.userid = ca.userid ); sb.Append( join Client c on c.clientid = ca.clientid ); sb.Append( where c.ClientIdentifier = ClientIdentifier ); sb.Append( and CreatedOnUtc = ExpirationDateUtc ) ); sb.Append(

36、 and u.OpenIDClaimedIdentifier = OpenIDClaimedIdentifier ); DataTable dt = database.ExecuteDataSet(sb.ToString().Tables0; if (dt.Rows.Count = 0) return false; var grantedScopes = new HashSet(OAuthUtilities.ScopeStringComparer); foreach (DataRow dr in dt.Rows) grantedScopes.UnionWith(OAuthUtilities.S

37、plitScopes(drscope.ToString(); return requestedScopes.IsSubsetOf(grantedScopes); 可以看到,此方法查找指定用户在指定客户端上能否有对目的范围的授权,且没有过期.也就是说,假设客服端的密码不能为空,且当前用户在此客户端上对目的范围还有未过期的授权,那么自动发放授权码. 回到最初的Authorize方法.假设可以自动发放授权码,那么调用AuthorizationServer类的PrepareApproveAuthorizationRequest方法生成一个授权码,并经过AuthorizationServer类Chann

38、el属性的PrepareResponse方法最终前往给客户端. 假设不能自动发放,那么阅读器会跳转到一个确认页面,如以下图所示 点击后执行OAuthController类的AuthorizeResponse方法,有删节.public ActionResult AuthorizeResponse(bool isApproved) var pendingRequest = this.authorizationServer.ReadAuthorizationRequest(); IDirectedProtocolMessage response; if (isApproved) database.A

39、ddParameter(ClientIdentifier, pendingRequest.ClientIdentifier); int clientId = Convert.ToInt32(database.ExecuteScalar(select clientId from client where ClientIdentifier = ClientIdentifier); database.AddParameter(OpenIDClaimedIdentifier, User.Identity.Name); int userId = Convert.ToInt32(database.Exec

40、uteScalar(select userId from user where OpenIDClaimedIdentifier = OpenIDClaimedIdentifier); database.AddParameter(CreatedOnUtc, DateTime.UtcNow); database.AddParameter(clientId, clientId); database.AddParameter(userId, userId); database.AddParameter(Scope, OAuthUtilities.JoinScopes(pendingRequest.Sc

41、ope); database.ExecuteNonQuery(insert into ClientAuthorization values(null, CreatedOnUtc, clientId, userId, Scope, null); response = this.authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, User.Identity.Name); else response = this.authorizationServer.PrepareRejectAuthorizationReq

42、uest(pendingRequest); return this.authorizationServer.Channel.PrepareResponse(response).AsActionResult(); 逻辑比较简单,假好像意,那么获取客户端信息后,在数据库的ClientAuthorization表中插入某时某用户在某客户端对于某访问范围的权限信息,然后好像上面一样,调用AuthorizationServer类的PrepareApproveAuthorizationRequest方法生成一个授权码,并经过AuthorizationServer类Channel属性的PrepareResp

43、onse方法最终前往给客户端. 有一点需求留意.Authorize方法是从恳求中获取客户端信息,而AuthorizeResponse方法那么是从Authorize方法所对应的View中获取客户端信息.所以此View必需包含相关系统.在Sample中我首先将获取出来的pendingRequest对象赋于ViewBag.AuthorizationRequest,然后在View中将其放入隐藏域.留意,其名字是固定的. ViewBag.Title = Authorize; Layout = /Views/Shared/_Layout.cshtml; DotNetOpenAuth.OAuth2.Mess

44、ages.EndUserAuthorizationRequest AuthorizationRequest = ViewBag.AuthorizationRequest; Authorize 能否授权 ViewBag.Name 访问以下地址 foreach (string scope in AuthorizationRequest.Scope) scope using (Html.BeginForm(AuthorizeResponse, OAuth) Html.AntiForgeryToken() Html.Hidden(isApproved) Html.Hidden(client_id, A

45、uthorizationRequest.ClientIdentifier) Html.Hidden(redirect_uri, AuthorizationRequest.Callback) Html.Hidden(state, AuthorizationRequest.ClientState) Html.Hidden(scope, DotNetOpenAuth.OAuth2.OAuthUtilities.JoinScopes(AuthorizationRequest.Scope) Html.Hidden(response_type, AuthorizationRequest.ResponseT

46、ype = DotNetOpenAuth.OAuth2.Messages.EndUserAuthorizationResponseType.AccessToken ? token : code) 此时客户端已获取到授权码.然后会发出第二次恳求恳求访问令牌.这个恳求由OAuthController类的Token方法处置public ActionResult Token() return this.authorizationServer.HandleTokenRequest(this.Request).AsActionResult(); 实践上由AuthorizationServer类的Handl

47、eTokenRequest方法处置,最终调用OAuth2AuthorizationServer类的CreateAccessToken方法创建访问令牌并前往客户端. 大体的效力端编程接口分析到此终了,下面我们深化源码来了解这些关键类的 HYPERLINK /tag/%E6%9E%B6%E6%9E%84 o 架构 t _blank 架构方式. AuthorizationServer类主要提供编程接口,而自行实现的OAuth2AuthorizationServer类,DatabaseKeyNonceStore类和Client类那么主要担任与数据库的交互.真正担任通讯的是Channel笼统类,其作为A

48、uthorizationServer类的Channel属性对外公布,详细实现类为OAuth2AuthorizationServerChannel类. 在Channel类上作者运用了一种类似于Asp.Net的管道模型的方式来架构此类.相对于IHttpModule接口,这里的接口名叫IChannelBindingElement.其定义如下public interface IChannelBindingElement Channel Channel get; set; MessageProtections Protection get; MessageProtections? ProcessOutg

49、oingMessage(IProtocolMessage message); MessageProtections? ProcessIncomingMessage(IProtocolMessage message); 而在Channel类中的关键部分如下private readonly List outgoingBindingElements = new List(); private readonly List incomingBindingElements = new List(); protected Channel(IMessageFactory messageTypeProvider

50、, params IChannelBindingElement bindingElements) . this.outgoingBindingElements = new List(ValidateAndPrepareBindingElements(bindingElements); this.incomingBindingElements = new List(this.outgoingBindingElements); this.incomingBindingElements.Reverse(); . protected virtual void ProcessIncomingMessag

51、e(IProtocolMessage message) foreach (IChannelBindingElement bindingElement in this.IncomingBindingElements) .MessageProtections? elementProtection = bindingElement.ProcessIncomingMessage(message);. . protected void ProcessOutgoingMessage(IProtocolMessage message) foreach (IChannelBindingElement bind

52、ingElement in this.outgoingBindingElements) .MessageProtections? elementProtection = bindingElement.ProcessOutgoingMessage(message);. . 可以看到定义了两个集合分别存储恳求过滤器与呼应过滤器.两者都由构造函数初始化,内容一样,顺序相反.在读取恳求时会遍历In HYPERLINK /tag/com o com t _blank comingBindingElements集合并逐个调用ProcessIncomingMessage方法对传入的message进展处置,在

53、发出呼应时会遍历outgoingBindingElements集合并逐个调用ProcessOutgoingMessage方法对message进展处置. 下面就以授权效力器接纳授权码并发送访问令牌为例来分析此架构在实例中的运用. 上面讲过,客户端发送恳求后,由OAuthController类的Token方法呼应public ActionResult Token() return this.authorizationServer.HandleTokenRequest(this.Request).AsActionResult(); 调用了AuthorizationServer类的HandleToke

54、nRequest方法,有删节public OutgoingWebResponse HandleTokenRequest(HttpRequestBase request = null) try if (this.Channel.TryReadFromRequest(request, out requestMessage) var accessTokenResult = this.AuthorizationServerServices.CreateAccessToken(requestMessage); . . . return this.Channel.PrepareResponse(respo

55、nseMessage); 可以看到,实践都用调用Channel中的方法,读取恳求调用的TryReadFromRequest方法public bool TryReadFromRequest(HttpRequestBase httpRequest, out TRequest request) where TRequest : class, IProtocolMessage . IProtocolMessage untypedRequest = this.ReadFromRequest(httpRequest); . 之后调用了本身的ReadFromRequest方法public IDirected

56、ProtocolMessage ReadFromRequest(HttpRequestBase httpRequest) IDirectedProtocolMessage requestMessage = this.ReadFromRequestCore(httpRequest); if (requestMessage != null) var directRequest = requestMessage as IHttpDirectRequest; if (directRequest != null) foreach (string header in httpRequest.Headers

57、) directRequest.Headersheader = httpRequest.Headersheader; this.ProcessIncomingMessage(requestMessage); return requestMessage; 可以看到,这里就会调用ProcessIncomingMessage方法对经过ReadFromRequestCore方法读取到恳求作过滤 回到HandleTokenRequest方法,当其调用AuthorizationServerServices属性的CreateAccessToken方法生成访问令牌后,会调用Channel属性的PrepareR

58、esponse方法生成呼应public OutgoingWebResponse PrepareResponse(IProtocolMessage message) . this.ProcessOutgoingMessage(message); . OutgoingWebResponse result; switch (message.Transport) case MessageTransport.Direct: result = this.PrepareDirectResponse(message); break; . result.HeadersHttpResponseHeader.Cac

59、heControl = no-cache, no-store, max-age=0, must-revalidate; result.HeadersHttpResponseHeader.Pragma = no-cache; return result; 可以看到,首先就调用了ProcessOutgoingMessage方法过滤呼应,然后调用PrepareDirectResponse方法最终生成呼应 下面继续分析其过滤器组件的实现. 我们在运用AuthorizationServer类时,其Channel属性的实践类型是OAuth2AuthorizationServerChannel类.此类的构造

60、函数会调用本类InitializeBindingElements静态方法加载两个IChannelBindingElement类型的过滤器,然后传入父类构造函数,最终会被添加到上文所说的Channel类的outgoingBindingElements集合与incomingBindingElements集合中.protected internal OAuth2AuthorizationServerChannel(IAuthorizationServerHost authorizationServer, ClientAuthenticationModule clientAuthenticationM