WCF OAuth - Not using RESTful services

I've done some background research into WCF services, and we've decided to look into ways of providing authentication on our services. I suggested OAuth, however we are unsure whether OAuth can be used for WCF services that are NOT RESTful. These would be all over SSL as well.

Can we pass OAuth variables as an object in service calls, alongside our other parameters?

i.e.

using System.Runtime.Serialization;
using System.ServiceModel;

// Operation contracts belong on a [ServiceContract] interface
[ServiceContract]
public interface IAwesomeService
{
    [OperationContract]
    void GetTheAwesome(OAuthObject oauth, AwesomeObject awesome);

    [OperationContract]
    OAuthRequestObject Authorise(string username, string pass);

    [OperationContract]
    OAuthObject Authenticate(OAuthRequestObject authObj);
}

[DataContract]
public class AwesomeObject { }  // the real payload type; left empty here

[DataContract]
public class OAuthRequestObject
{
    [DataMember]
    public string ConsumerKey { get; set; }
    [DataMember]
    public string ConsumerSecret { get; set; }
}

[DataContract]
public class OAuthObject
{
    [DataMember]
    public string AccessKey { get; set; }  // our key
    [DataMember]
    public string AccessSecret { get; set; }  // our signature/secret
    [DataMember]
    public string Timestamp { get; set; }  // our timestamp
    [DataMember]
    public string SignatureMethod { get; set; }  // our signature method (HMAC/SHA, etc.)
}

Is this a valid way for it to occur? Can OAuth even work in this way? Is OAuth restricted to RESTful calls only?

OR

Am I simply overcomplicating things? If I specified to our developers an explicit username/password to include in our other applications, would they function just as well?

The OAuth specification (section 7.1) provides an extensibility point to allow for new access token types, and each token type specifies the authentication method(s) that must be used with that token. For example, the "bearer" token type specifies that the token should be attached as an Authorization header of the form "Bearer <token>".

Here is a link to the spec:

http://tools.ietf.org/html/rfc6749

And here is a snippet from it:

The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes). The client MUST NOT use an access token if it does not understand the token type.

For example, the "bearer" token type defined in [RFC6750] is utilized by simply including the access token string in the request:

  GET /resource/1 HTTP/1.1
  Host: example.com
  Authorization: Bearer mF_9.B5f-4.1JqM

while the "mac" token type defined in [OAuth-HTTP-MAC] is utilized by issuing a Message Authentication Code (MAC) key together with the access token that is used to sign certain components of the HTTP requests:

  GET /resource/1 HTTP/1.1
  Host: example.com
  Authorization: MAC id="h480djs93hd8",
                     nonce="274312:dj83hs9s",
                     mac="kDZvddkndxvhGRXZhvuDjEWhGeE="

The above examples are provided for illustration purposes only. Developers are advised to consult the [RFC6750] and [OAuth-HTTP-MAC] specifications before use.

Each access token type definition specifies the additional attributes (if any) sent to the client together with the "access_token" response parameter. It also defines the HTTP authentication method used to include the access token when making a protected resource request.

If you are going to implement the Authorisation Server for your services then you are free to define any token type that you want, as well as an authentication scheme. Beware of interoperability though. As described, your service will only work with SOAP-capable clients, and third parties will probably find you a bit hard to deal with.

If you are using an existing 3rd party Authorisation Server, then they will define the token type and you should comply with their authentication scheme.

WS-Trust option

As you are in a .Net/WCF/SOAP world, a better option might be to use WS-Trust/WS-Federation. This is very well supported in WCF with Windows Identity Foundation (WIF). Depending on which .Net version you are using, WIF is either built into the core framework (.Net 4.5) or available as a separate install (.Net 3.5 and 4).

The basic idea of it is that the requests for security tokens and the way they are inserted into SOAP requests when making service calls are standardised. This would replace the Authorise and Authenticate operations with standard ones and replace your explicit OAuthObject parameter with a standard SOAP security header.

Under the hood it is complex, but the WIF implementation abstracts all the complexity away beautifully in my opinion.

An overview can be found here:

http://msdn.microsoft.com/en-us/library/hh291066(v=vs.110).aspx
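The answer's point about the bearer token type is that the token travels in the HTTP Authorization header rather than as an operation parameter, and that works for SOAP over HTTP just as it does for REST. The following is an added example (not code from the question or answer) of a pair of WCF message inspectors that do exactly that: the client inspector attaches the bearer token, and the dispatch inspector rejects any call that arrives without a valid one. The `validate` delegate is assumed to check the token with whoever issued it and is not defined here.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;

// Client side: carry the bearer token in the HTTP Authorization header, as RFC 6750
// requires, instead of in an operation parameter such as the question's OAuthObject.
public sealed class BearerTokenClientInspector : IClientMessageInspector
{
    private readonly string _accessToken;
    public BearerTokenClientInspector(string accessToken) { _accessToken = accessToken; }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        object prop;
        if (!request.Properties.TryGetValue(HttpRequestMessageProperty.Name, out prop))
            request.Properties.Add(HttpRequestMessageProperty.Name, prop = new HttpRequestMessageProperty());
        ((HttpRequestMessageProperty)prop).Headers[HttpRequestHeader.Authorization] = "Bearer " + _accessToken;
        return null;
    }

    public void AfterReceiveReply(ref Message reply, object correlationState) { }
}

// Service side: reject the call before the operation body runs unless a valid bearer
// token is present. `validate` is assumed to check the token against whatever issued
// it (your own Authorisation Server or the third party's); it is not defined here.
public sealed class BearerTokenDispatchInspector : IDispatchMessageInspector
{
    private readonly Func<string, bool> _validate;
    public BearerTokenDispatchInspector(Func<string, bool> validate) { _validate = validate; }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        object prop;
        string auth = request.Properties.TryGetValue(HttpRequestMessageProperty.Name, out prop)
            ? ((HttpRequestMessageProperty)prop).Headers[HttpRequestHeader.Authorization]
            : null;
        if (auth == null || !auth.StartsWith("Bearer ", StringComparison.Ordinal)
                         || !_validate(auth.Substring("Bearer ".Length)))
            throw new FaultException("Missing or invalid bearer token");  // fault instead of running the operation
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}
```

Both inspectors are attached through an IEndpointBehavior (clientRuntime.ClientMessageInspectors.Add on the client, endpointDispatcher.DispatchRuntime.MessageInspectors.Add on the service). Use them only on an HTTPS binding, since a bearer token is password-equivalent to anyone who can read the request.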
