[英]WCF User Authentication & Authorization
I need to find a way to authenticate/authorize users in a WCF-service. 我需要找到一种方法来验证/授权WCF服务中的用户。 I'm using an external authentication service which stores the credentials of the users.
我正在使用外部身份验证服务来存储用户的凭据。
Eg. 例如。 "Bob uses our loginmethod, we send the credentials to the authentication service, the service lets us know if these credentials are correct."
“Bob使用我们的loginmethod,我们将凭据发送到身份验证服务,该服务让我们知道这些凭据是否正确。” If Bob sends another request, we need to know if Bob is already authenticated.
如果Bob发送另一个请求,我们需要知道Bob是否已经过身份验证。
Now a session is being created on the client, but it needs to move to the server-side. 现在正在客户端上创建会话,但它需要移动到服务器端。 We can not rely on clients for security.
我们不能依赖客户的安全性。
Can this be solved by using security cookies or do any of you have a better suggestion? 这可以通过使用安全cookie来解决,还是你们中有人有更好的建议?
EDIT! 编辑! I can only use the authentication server and do not have access to it
我只能使用身份验证服务器而无法访问它
The problem you are describing is a well-known one that had (at least) two standardized solutions. 您所描述的问题是一个众所周知的问题(至少)有两个标准化解决方案。
Federation using WS-Trust 使用WS-Trust的联合
The first option is a SOAP based one that uses active federation based on WS-Trust. 第一个选项是基于SOAP的选项,它使用基于WS-Trust的活动联合。 In this solution:
在此解决方案中:
In this model, the usual terminology is: 在这个模型中,通常的术语是:
This sounds complex, but it is very well supported in .Net and WCF using Windows Identity Foundation. 这听起来很复杂,但在使用Windows Identity Foundation的.Net和WCF中得到了很好的支持。 There are many samples available much of it (maybe all) can be done via WCF configuration rather than code.
有很多可用的样本(可能全部)可以通过WCF配置而不是代码完成。
This is well suited to scenarios where the clients are crypto-capable (like your .Net clients) and where good frameworks exist (like WIF). 这非常适合客户端具有加密功能的场景(如.Net客户端)以及存在良好框架的场景(如WIF)。 It is not so good for low spec clients such as browsers and some phones, or where you are not in control of the clients.
对于低规格的客户端(例如浏览器和某些手机),或者您无法控制客户端的情况,它不太好。
It is commonly used in enterprise scenarios, including enterprise-to-enterprise federation. 它通常用于企业方案,包括企业到企业联合。 It is used less often in internet scenarios.
在互联网场景中使用较少。
the strengths of it are 它的优点是
An overview can be found here: 可在此处找到概述:
http://msdn.microsoft.com/en-us/magazine/ee335707.aspx http://msdn.microsoft.com/en-us/magazine/ee335707.aspx
And Google will show you lots more walkthroughs and examples. 谷歌将向您展示更多的演练和示例。
Federation using OAUth 2 联邦使用OAUth 2
In this solution: 在此解决方案中:
In the OAuth terminology: 在OAuth术语中:
Again, this sounds complex, but it is reasonably well supported in .Net. 同样,这听起来很复杂,但它在.Net中得到了相当好的支持。 Probably not as well as the WS-Trust approach though at the moment.
目前可能不如WS-Trust方法。 It is supported by Windows Azure AD and on the client side, using the Windows Azure Authentication Library.
它受Windows Azure AD和客户端支持,使用Windows Azure身份验证库。 May other services use this approach - eg Facebook.
可能其他服务使用这种方法 - 例如Facebook。
This works well where 这在哪里工作得很好
It is very commonly used in internet application where you as an owner of the WCF service don't necessarily know the users or the clients. 它在互联网应用程序中非常常用,您作为WCF服务的所有者不一定了解用户或客户端。 It is a less complete standard in some ways (eg it does not define exactly how the authentication happens) and as a result, it is less easy to switch to alternative authorisation servers.
在某些方面它是一个不太完整的标准(例如,它没有确切地定义身份验证的发生方式),因此,切换到备用授权服务器就不那么容易了。
The strengths of it are: 它的优点是:
The official .Net support for this is in the Windows Azure AD Authentication library 官方.Net对此的支持是在Windows Azure AD身份验证库中
http://msdn.microsoft.com/en-us/library/windowsazure/jj573266.aspx http://msdn.microsoft.com/en-us/library/windowsazure/jj573266.aspx
There are other, open source components too, such as DotNetOpenAuth 还有其他开源组件,例如DotNetOpenAuth
http://dotnetopenauth.net/ http://dotnetopenauth.net/
Which solution would be best for you depends mainly on the nature of your authentication service I would say. 哪种解决方案最适合您,主要取决于我所说的身份验证服务的性质。 And on whether you are in an enterprise or internet scenario.
无论您是在企业还是互联网场景中。 If the auth.
如果是auth。 service could be easily adapted to be a WS-Trust Secure Token Service (STS), then that would be a good route.
服务可以很容易地适应成为WS-Trust安全令牌服务(STS),那么这将是一条很好的途径。 If adding some web UI to the auth.
如果向auth添加一些Web UI。 service is feasible, the OAuth might be better.
服务是可行的,OAuth可能会更好。
Or, if neither option is feasible, you could just borrow the patterns form one approach and use that without going for the full standard. 或者,如果两个选项都不可行,您可以从一种方法借用模式,并在不使用完整标准的情况下使用它。
Good luck! 祝好运!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.