堆栈内存溢出
  简体   繁体   English

使用外部Web API提供的OAuth Bearer Token授权

[英]Authorization with OAuth Bearer Token provided by External Web API

 原文  2015-01-12 08:54:38       c#/ model-view-controller/ asp.net-web-api/ owin/ bearer-token

问题描述

I'm posting this in the hope of receiving some feedback/advice and information on something I've been struggling with the last few days. 我发布这篇文章是希望收到一些反馈意见/建议和有关我过去几天一直在努力的事情的信息。 To start I'll give a quick breakdown of the project. 首先,我将对项目进行快速细分。

There are 2 applications in the solution: 解决方案中有2个应用程序:

  1. WebAPI resource & authorization server - Uses OWIN (hosted in IIS) and ASP.NET Identity to issue an authentication token on a correct login and then allow requests to the various controllers. WebAPI资源和授权服务器 - 使用OWIN(在IIS中托管)和ASP.NET标识在正确的登录上发出身份验证令牌,然后允许对各种控制器的请求。

  2. MVC client application - Has no authorization as of yet (until I figure it out) but will make calls to the WebAPI resource server to get all data. MVC客户端应用程序 - 目前还没有授权(直到我搞清楚),但会调用WebAPI资源服务器来获取所有数据。 These calls will only ever be made from actions of the controllers in the client app, no client side AJAX calls. 这些调用只能来自客户端应用程序中控制器的操作,而不是客户端AJAX调用。

The client application doesn't have it's own datasource. 客户端应用程序没有自己的数据源。 All information is stored in a database which the WebAPI service has access to, so essentially if they provide the correct credentials and the client app receives a bearer token I need to deliver a way for the application to see them as authorized. 所有信息都存储在WebAPI服务可以访问的数据库中,因此,如果它们提供了正确的凭据并且客户端应用程序收到了承载令牌,我需要为应用程序提供一种方式来查看它们是否已获得授权。

  • What's the best way to handle this? 处理这个问题的最佳方法是什么?
  • Is it possible to configure OWIN on the client side to use the OAuth settings of the server? 是否可以在客户端配置OWIN以使用服务器的OAuth设置? Am I barking up the wrong tree and will I need to just use HTTPClients? 我咆哮着错误的树,我是否需要使用HTTPClients?
  • Could I deserialize the bearer token and store it in session, and then write my own authorization providers to check these on the client side? 我可以反序列化持有者令牌并将其存储在会话中,然后编写我自己的授权提供程序以在客户端检查这些吗?

My initial concerns are I'm abusing Bearer Tokens and trying to cobble them into a solution which isn't ideal. 我最初担心的是我在滥用Bearer Tokens并试图将它们拼凑成一个不理想的解决方案。 All examples of external authorization I've found so far usually involve making calls to providers hosted by Google/Facebook/Twitter to check the user is who they say they are, and then moves on to creating a user record in their system. 到目前为止,我发现的所有外部授权示例通常都涉及拨打由Google / Facebook / Twitter托管的提供商来检查用户是否是他们所说的人,然后继续在他们的系统中创建用户记录。 My application can't do this. 我的申请不能这样做。

In regards to security I was planning to introduce filters which would validate the request has came from the client application by providing an identifier and secret, along with IP validation. 关于安全性,我计划引入过滤器,通过提供标识符和秘密以及IP验证来验证来自客户端应用程序的请求。

I realize this may be a bit open ended, but I'd appreciate any advice. 我意识到这可能有点开放,但我很感激任何建议。 The scope of the project is that the web service is the only thing to have access to the database. 该项目的范围是Web服务是唯一可以访问数据库的东西。 The MVC client application will be hosted on a different server, and the service will only accept requests from said client application. MVC客户端应用程序将托管在不同的服务器上,并且该服务仅接受来自所述客户端应用程序的请求。

2 个解决方案

解决方案1
 5 已采纳  2015-01-12 09:36:21

You don't need to access the data source in your MVC app to validate the bearer token. 您无需访问MVC应用程序中的数据源即可验证持有者令牌。 Basically, you can do it in the following way, 基本上,你可以通过以下方式完成,

  • MVC app requests access_token from webapi and passes it to the UI client (let's say a browser). MVC应用程序从webapi请求access_token并将其传递给UI客户端(比如说浏览器)。

  • Browser stores the access_token in a cookie/localstorage and sends them to the MVC app for all subsequent requests. 浏览器将access_token存储在cookie / localstorage中,并将它们发送到MVC应用程序以获取所有后续请求。

  • Create an ActionFilter in the MVC app to validate if the request from the browser has the token supplied in the header. 在MVC应用程序中创建一个ActionFilter ,以验证来自浏览器的请求是否具有标头中提供的令牌。 If not, reject the request. 如果没有,请拒绝该请求。

  • MVC app passes the access_token in the Authorization header to the webapi. MVC应用程序将Authorization标头中的access_token传递给webapi。

  • Use HTTPS for all communications (between MVC app <-> Client and MVC app <-> WebAPI) 对所有通信使用HTTPS(在MVC app < - > Client和MVC app < - > WebAPI之间)

You can further obfuscate or encrypt the access_token you get from the WebAPI on the MVC app side for additional security but then you will have to send the decrypted version back to the WebAPI. 您可以进一步模糊或加密从MVC应用程序端的WebAPI获得的access_token获得额外的安全性,但是您必须将解密的版本发送回WebAPI。

解决方案2
 3  2015-05-27 22:59:01

I realize that my answer is a bit late, but maybe it helps other people: 我意识到我的答案有点晚了,但也许它有助于其他人:

The bearer token that you get from the API has a list of claims encrypted that only the API can decrypt. 您从API获得的承载令牌具有加密的声明列表,只有API可以解密。 I assume you need to have these claims on the MVC application as well so you can restrict resources on the client. 我假设您需要在MVC应用程序上拥有这些声明,以便您可以限制客户端上的资源。

So, what I have done was to first get token. 所以,我所做的是先获得令牌。 After you get it, you make another request to the API resource api/me/claims to get the list of readable claims on the client. 获得它之后,您再向API资源api / me / claim发出请求,以获取客户端上的可读声明列表。 Based on this list you can allow access to resources in your MVC CLient Application using a custom claims based Authorize attribute. 根据此列表,您可以使用基于自定义声明的“授权”属性访问MVC CLient应用程序中的资源。 Also, you can store the claims in a cookie in the client session. 此外,您可以将声明存储在客户端会话中的cookie中。 Below is the code for the API controller to get the Claims. 以下是API控制器获取声明的代码。 

[RoutePrefix("api/me/claims")]
public class ClaimsController : BaseApiController
{
    [Authorize]
    [Route("")]
    public IHttpActionResult GetClaims()
    {
        var identity = User.Identity as ClaimsIdentity;

        var claims = from c in identity.Claims
                     select new
                     {
                         subject = c.Subject.Name,
                         type = c.Type,
                         value = c.Value
                     };

        return Ok(claims);
    }
}

The idea is to reconstruct the ClaimsIdentity object of the logged User on the Client side and maybe add it to the session. 我们的想法是在客户端重建已记录用户的ClaimsIdentity对象,并可能将其添加到会话中。

The token is not enough. 令牌是不够的。 You might risk getting a Not Authorized response from the API on a resource that you have made visible for the user in the MVC Client Application. 您可能会冒险从您在MVC客户端应用程序中为用户显示的资源上获取API的Not Authorized响应。 Needles to say that is recommended to use HTTPS for all requests. 有人说,建议对所有请求使用HTTPS。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用授权例程提供的VSTS OAuth2承载令牌? - How do I use the VSTS OAuth2 Bearer Token provided by the authorization routine? Web API 2 中非常基本的承载令牌身份验证和授权 - Very basic bearer token authentication and authorization in Web API 2 JWT不记名令牌授权不起作用asp net core web api - JWT bearer token Authorization not working asp net core web api Web API中的Decrypt Bearer Token - Decrypt Bearer Token in Web API Microsoft.Owin.Security.Oauth承载令牌授权拦截 - Microsoft.Owin.Security.Oauth Bearer Token Authorization Interception Azure AD 带有用于 Web API 的不记名令牌身份验证的 AD 无法正常工作,抛出错误,因为“此请求的授权已被拒绝”。 - Azure AD with Bearer token authentication for Web API not working throwing error as “Authorization has been denied for this request.” 实现Identity 2.1 + OWIN OAuth JWT承载令牌时如何从Web API控制器端点进行身份验证 - How to authenticate from Web API controller endpoint when implementing Identity 2.1 + OWIN OAuth JWT bearer token 承载令牌授权 - Bearer token Authorization OAuth承载令牌无效 - OAuth bearer token not working Web API安全和身份验证 - 承载令牌 - Web API Security and Authentication - bearer token
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM