无需Internet连接即可针对Azure AD验证Webapi
[英]authenticate webapi against azure AD without internet connection
问题描述
This may sound a silly question... 
这听起来可能是个愚蠢的问题...
I want to authenticate an end user that connects to a webapi service against Azure AD. 我想验证针对Azure AD连接到webapi服务的最终用户。 The Web Server (where the webapi service is hosted) is located in a zone without internet connection due to security reasons, behind a reverse proxy. 由于安全原因,Web服务器(托管webapi服务的服务器)位于没有Internet连接的区域中,位于反向代理后面。
The client (end user) is at home with internet (of course) and connects to the webApi service through the reverse proxy. 客户端(最终用户)在家中(当然)有Internet,并通过反向代理连接到webApi服务。
Does all/any of the available authentication methods against AZURE AD require that the server that hosts the webapi service has Internet connection? 针对AZURE AD的所有/任何可用身份验证方法是否都要求托管webapi服务的服务器具有Internet连接?
Thanks 谢谢
1 个解决方案
解决方案1
1 已采纳 2015-04-24 05:31:58
You can do this! 你可以这样做! :) As long as there is internet between the client and the identity provider (AD), you can always obtain a token and send it to the API - the API does not need a live connection to authenticate, it just needs to validate the token supplied by the client in the call. :)只要客户端和身份提供者(AD)之间存在互联网,您就可以始终获取令牌并将其发送到API-API不需要实时连接进行身份验证,只需要验证令牌即可由客户在通话中提供。 The only tricky part is that today's OWIN middleware automates the acquisition of the token validation parameters by reading a discovery document hosted on Azure AD. 唯一棘手的部分是,当今的OWIN中间件通过读取Azure AD上托管的发现文档来自动执行令牌验证参数的获取。 That is clearly not an option in your case, but what you can do is to acquire that document out of band and use the info you find in there to initialize the middleware manually. 显然,这不是您的选择,但是您可以做的是带外获取该文档,并使用在那里找到的信息手动初始化中间件。 Unfortunately we don't have samples that show how to do this, but let me see if I can get a snippet to post here. 不幸的是,我们没有显示如何执行此操作的示例,但是让我看看是否可以在此处发布摘要。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.