WCF User Authentication & Authorization

I need to find a way to authenticate/authorize users in a WCF service. I'm using an external authentication service which stores the credentials of the users.

E.g. "Bob uses our login method, we send the credentials to the authentication service, the service lets us know if these credentials are correct." If Bob sends another request, we need to know if Bob is already authenticated.

Now a session is being created on the client, but it needs to move to the server side. We cannot rely on clients for security.

Can this be solved by using security cookies, or do any of you have a better suggestion?

EDIT! I can only use the authentication server and do not have access to it.

Overview

The problem you are describing is a well-known one that had (at least) two standardized solutions.

Federation using WS-Trust

The first option is a SOAP-based one that uses active federation based on WS-Trust. In this solution:

  • Your client provides credentials to the authentication service.
  • If the credentials are valid, the authentication service returns a signed (and encrypted) token to the client. It is encrypted so that any information contained in the token remains confidential; even the client cannot read it. It is encrypted with a public key belonging to your WCF service. It is signed with a private key belonging to the authentication service.
  • The client submits the signed/encrypted token to your WCF service. The service can decrypt it because it holds the private key for decryption. It can trust it because it is signed by the authentication service.
  • Based on the content of the decrypted token, the service can establish the client identity and make an authorization decision.

In this model, the usual terminology is:

  • Your authentication service is the Security Token Service
  • Your WCF service is the Relying Party
  • Your client is the Client

This sounds complex, but it is very well supported in .Net and WCF using Windows Identity Foundation. There are many samples available; much of it (maybe all) can be done via WCF configuration rather than code.

This is well suited to scenarios where the clients are crypto-capable (like your .Net clients) and where good frameworks exist (like WIF). It is not so good for low-spec clients such as browsers and some phones, or where you are not in control of the clients.

It is commonly used in enterprise scenarios, including enterprise-to-enterprise federation. It is used less often in internet scenarios.

The strengths of it are:

  • It is standardised and therefore generally well supported by frameworks.
  • It means that your WCF service never has to handle the client credentials (= more secure).
  • It makes it pretty easy to switch to different authentication services (because it is standardised). For example, on-premise AD and Windows Azure AD both support this, as do other independent identity services.

An overview can be found here:

http://msdn.microsoft.com/en-us/magazine/ee335707.aspx

And Google will show you lots more walkthroughs and examples.

Federation using OAuth 2

In this solution:

  • The client displays some UI provided by the authentication service (generally a web page).
  • The user enters their credentials in that UI and the authentication service authenticates and eventually returns a token to the client. The nature of the token is not standardised, nor is whether it is encrypted. Generally it will be at least signed.
  • The client submits the token with each request to the WCF service.
  • The WCF service authenticates the token as in the previous solution.

In the OAuth terminology:

  • Your authentication service is the Authorization Server
  • Your WCF service is the Resource Owner
  • Your client is the Client

Again, this sounds complex, but it is reasonably well supported in .Net. Probably not as well as the WS-Trust approach at the moment, though. It is supported by Windows Azure AD and, on the client side, by the Windows Azure Authentication Library. Many other services use this approach, e.g. Facebook.

This works well where:

  • Your client is low-spec or not crypto-capable (e.g. a browser or some phones)
  • You do not control the client (e.g. a third-party application is accessing your service)

It is very commonly used in internet applications where you, as the owner of the WCF service, don't necessarily know the users or the clients. It is a less complete standard in some ways (e.g. it does not define exactly how the authentication happens) and as a result it is less easy to switch to alternative authorisation servers.

The strengths of it are:

  • It is simpler and therefore has wider platform support.
  • It is growing in popularity and therefore the library support is getting better all the time.
  • The user never enters their credentials into your UI, only into the auth server, so it is more likely to be trusted (in internet scenarios).
  • It has a built-in way of controlling the scope of the permissions granted to the client, and revoking those permissions, so again it is more trusted in an internet scenario.

The official .Net support for this is in the Windows Azure AD Authentication Library:

http://msdn.microsoft.com/en-us/library/windowsazure/jj573266.aspx

There are other, open source components too, such as DotNetOpenAuth:

http://dotnetopenauth.net/

Which solution would be best for you depends mainly on the nature of your authentication service, I would say, and on whether you are in an enterprise or internet scenario. If the auth. service could be easily adapted to be a WS-Trust Secure Token Service (STS), then that would be a good route. If adding some web UI to the auth. service is feasible, then OAuth might be better.

Or, if neither option is feasible, you could just borrow the patterns from one approach and use that without going for the full standard.

Good luck!
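An added example, not part of the question or the answer above, showing the token pattern that both the WS-Trust and the OAuth sections of the answer describe and that its last paragraph suggests borrowing: the authentication service checks the credentials once and issues a signed token with an audience and an expiry; the service validates that token on every request, never sees a password, and can detect a client editing its own "session". It is plain Python using only the standard library, not WCF or WIF code. Assumptions that are mine rather than the page's: an HMAC-SHA256 key shared between the token issuer and the service stands in for the STS's private-key signature, the encryption step of the WS-Trust flow is omitted, and the user store, key, audience identifier and user names are constructed for the demo.

```python
# Added example (not from the original post): a signed bearer token issued by
# an authentication service and validated by a relying party, stdlib only.
# Assumptions: HMAC with a shared key stands in for the STS signature; the
# token is not encrypted; the user store below is a constructed stand-in for
# the external credential service the question mentions.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthenticationService:
    """Plays the Security Token Service: checks credentials, issues tokens."""

    def __init__(self, signing_key: bytes, credential_store: dict):
        self._key = signing_key
        self._store = credential_store  # constructed stand-in for the external auth service

    def issue_token(self, username: str, password: str, audience: str,
                    now: Optional[int] = None, ttl: int = 300) -> Optional[str]:
        record = self._store.get(username, {})
        if not hmac.compare_digest(record.get("password", ""), password):
            return None  # the relying party never learns why; it only ever sees tokens
        now = int(time.time()) if now is None else now
        claims = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl,
                  "roles": record.get("roles", [])}
        payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).digest()
        return f"{_b64url(payload)}.{_b64url(sig)}"


class RelyingParty:
    """Plays the WCF service: validates the token on every request."""

    def __init__(self, signing_key: bytes, audience: str):
        self._key = signing_key
        self._audience = audience

    def validate(self, token: str, now: Optional[int] = None) -> Tuple[Optional[dict], Optional[str]]:
        parts = token.split(".")
        if len(parts) != 2:
            return None, "malformed token"
        try:
            payload, sig = _unb64url(parts[0]), _unb64url(parts[1])
        except ValueError:
            return None, "malformed token"
        # Verify the signature before interpreting a single byte of the payload.
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None, "bad signature"
        claims = json.loads(payload)
        if claims.get("aud") != self._audience:
            return None, "token issued for another service"  # minted for a different relying party
        now = int(time.time()) if now is None else now
        if now >= claims.get("exp", 0):
            return None, "token expired"
        return claims, None

    def authorize(self, token: str, required_role: str, now: Optional[int] = None) -> Tuple[bool, str]:
        claims, error = self.validate(token, now)
        if error:
            return False, error
        if required_role not in claims.get("roles", []):
            return False, f"{claims['sub']} lacks role {required_role}"
        return True, claims["sub"]


def tamper_with(token: str, **changes) -> str:
    """What a client can do to client-side session state: edit claims without the key."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64url(payload_b64))
    claims.update(changes)
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64url(payload)}.{sig_b64}"  # old signature no longer matches


# Constructed demo data (not from the page).
SIGNING_KEY = b"constructed-demo-key-shared-by-sts-and-service"
SERVICE_AUDIENCE = "urn:example:orders-service"
USERS = {"bob": {"password": "correct horse", "roles": ["user"]},
         "alice": {"password": "battery staple", "roles": ["user", "admin"]}}
sts = AuthenticationService(SIGNING_KEY, USERS)
service = RelyingParty(SIGNING_KEY, SERVICE_AUDIENCE)

if __name__ == "__main__":
    t0 = 1_700_000_000
    token = sts.issue_token("bob", "correct horse", SERVICE_AUDIENCE, now=t0)
    print(service.authorize(token, "user", now=t0 + 60))    # (True, 'bob')
    print(service.authorize(token, "admin", now=t0 + 60))   # (False, 'bob lacks role admin')
    print(service.authorize(tamper_with(token, roles=["user", "admin"]), "admin", now=t0 + 60))  # (False, 'bad signature')
    print(service.authorize(token, "user", now=t0 + 600))   # (False, 'token expired')
    print(sts.issue_token("bob", "wrong", SERVICE_AUDIENCE, now=t0))  # None
```

The points worth carrying over to a real WCF deployment: the signature is checked before the payload is parsed, the audience check stops a token minted for one service from being replayed against another, and the expiry bounds how long a stolen token is useful. With a shared HMAC key the service could mint tokens itself, which is why the WS-Trust model in the answer signs with the STS's private key and the service only holds the public key; a JWT library or WIF gives you that with the same claims shape. In WCF the token would travel in a message header (or an HTTP Authorization header for REST bindings) and the validation would run in a custom ServiceAuthorizationManager rather than in each operation.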
