简体繁体 English

如何在ASP.NET MVC Web Api上使用外部身份验证服务

[英]How to use external authentication services on a ASP.NET MVC Web Api

原文 2014-07-09 12:47:01 8 2 c#/ asp.net/ asp.net-mvc/ facebook-login

I'm developing an ASP.NET MVC Web Api with Visual Studio 2013, C# and .NET Framework 4.5.1. 我正在使用Visual Studio 2013，C＃和.NET Framework 4.5.1开发ASP.NET MVC Web Api。

I was reading this article and it is very interesting. 我在读这篇文章，这很有趣。 It only talks about ASP.NET MVC applications and it doesn't say anything about how to implemented it with Web Api. 它仅讨论ASP.NET MVC应用程序，没有提及如何使用Web Api实现它。

I think I can use it with Web Api but I don't know how because, as I read on the article, I will need a login page and a web api doesn't have one. 我想我可以将其与Web Api一起使用，但是我不知道如何使用，因为正如我在文章中所读到的那样，我将需要一个登录页面，而Web api没有一个。

If I will consume that web api from mobile phones (iOS, Android, Windows Phone, etc.); 如果我将通过手机（iOS，Android，Windows Phone等）使用该Web API； what do I have to do? 我需要做什么？

Maybe I will need a login form on the mobile app, or maybe I will need a login page on my web api to allow login on Google, Facebook, etc. 也许我需要在移动应用程序上登录表单，或者我需要在Web API上登录页面以允许在Google，Facebook等上登录。

Any advice? 有什么建议吗？

2 个解决方案

@VansFannel, this is an old question and I'm guessing you have moved on, but I'm leaving this here for future seekers. @VansFannel，这是一个古老的问题，我想您已经继续前进，但是我将其留在这里供将来的求职者使用。

You are correct, it does not offer a login page, but it does offer what the login page itself would use. 您是正确的，它没有提供登录页面，但是提供了登录页面本身将使用的内容。

Before I begin, go download a Chrome plugin called PostMan . 开始之前，请下载一个名为PostMan的Chrome插件。 I'll show a few screenshots as I go along using it. 在使用过程中，我将显示一些屏幕截图。 I've setup a basic WebAPI with the sample Values controller still in it, but protected with [Authorize]. 我已经设置了一个基本的WebAPI，其中仍带有示例Values控制器，但是受[Authorize]保护。 I'm running my sample WebAPI at http://localhost:54211 for this example. 对于本示例，我正在http：// localhost：54211上运行示例WebAPI。

Here is a high level process: 这是一个高级过程：

Creating a User 创建一个用户

I'm guessing your don't have any users in this new DB yet, but if you do just skip this. 我猜您在这个新数据库中还没有任何用户，但是如果您这样做，请跳过此步骤。 Otherwise, this is how you create them without a UI. 否则，这就是在没有UI的情况下创建它们的方式。

POST to http://localhost:54211/api/Account/Register POST到http：// localhost：54211 / api / Account / Register
- The post should be x-www-form-urlencoded, and should include the following fields: 该帖子应为x-www-form-urlencoded，并应包含以下字段：
  - email --- For example "test@somedomain.com" 电子邮件---例如“ test@somedomain.com”
  - password --- For example "Test123!" 密码---例如“ Test123！”
  - confirmpassword --- For example "Test123!" 确认密码---例如“ Test123！”

If the body is empty and the header status was 200, then it was successful: 如果正文为空并且标头状态为200，则说明成功：

If it failed, you'll get back a header status error of 400 and some kind of error in the body like: 如果失败，您将返回标头状态错误400和正文中的某种错误，例如：

Authenticating 验证中

Ok, we have a user in the database, lets authenticate with the WebAPI. 好的，我们在数据库中有一个用户，让我们通过WebAPI进行身份验证。

POST to http://localhost:54211/token POST到http：// localhost：54211 / token
- The post should be x-www-form-urlencoded, and should include the following fields: 该帖子应为x-www-form-urlencoded，并应包含以下字段：
- grant_type --- Set it to "password" grant_type ---设置为“密码”
- username --- For example "test@somedomain.com" 用户名---例如“ test@somedomain.com”
- password --- For example "Test123!" 密码---例如“ Test123！”

In the results from the server, if successful (status 200), you will get back what is called a "Bearer Token" - its located in the "access_token" field like this: 在服务器的结果中，如果成功（状态200），您将获得所谓的“承载者令牌”-位于“ access_token”字段中，如下所示：

For your test, copy that token value to the clipboard (in your app you could store this away in a variable). 为了进行测试，请将令牌值复制到剪贴板（在您的应用中，您可以将其存储在变量中）。

Calling a WebAPI method with a Bearer Token 使用Bearer令牌调用WebAPI方法

If you try to call an [Authorize] protected method without being authenticated, you will see something like this returned: 如果您尝试在未通过身份验证的情况下调用[Authorize]受保护的方法，则会看到类似以下内容：

But you already authenticated, right? 但是您已经通过身份验证了，对吗？ So why doesn't it know you anymore? 那它为什么不认识你呢？ Because it's REST based and it's stateless - it doesn't know you anymore after the call is complete. 因为它是基于REST的并且是无状态的-通话完成后不再认识您。 So, you have to "remind" it of who you are each time a call is made . 因此， 每次拨打电话时 ，您都必须“提醒”您的身份。 You do this by passing the token you received earlier with every request. 为此，您可以传递每个请求之前收到的令牌。

Call the URL ( http://localhost:54211/api/Values/ ) using whatever verb you need (GET,POST,etc). 使用所需的任何动词（GET，POST等）调用URL（ http：// localhost：54211 / api / Values / ）。 I'm using GET below, because in the ValuesController that is what is required. 我在下面使用GET，因为在ValuesController中这是必需的。
- In the Header of the request, I add the following field: "Authorization" and it's value as "Bearer [token]" where [token] is the token you stored away earlier. 在请求的标头中，添加以下字段：“授权”，其值为“承载[令牌]”，其中[令牌]是您之前存储的令牌。

If you get back a success (200) you can check it's body data and it will have your response: 如果您获得成功（200分），则可以检查它的身体数据，它将得到您的回应：

And that is how it's done! 就是这样完成的！ I hope that helps you or others down the road. 希望对您或其他人有帮助。

Web api providees support for integrating with social networks like facebook, twitter, microsoft, google via the owin pipeline. Web API提供了通过owin管道与Facebook，Twitter，Microsoft，Google等社交网络集成的支持。

Find a sample here which provides facebook login support for a web api. 在此处查找示例，该示例为Web API提供Facebook登录支持。