虽然Owin WebAPI Bearer Token通过了
[英]Owin WebAPI Bearer Token pass though
问题描述
I am using the OAuth bearer token authentication flow in my OWIN / web API / AngularJS application. 
我在我的OWIN / web API / AngularJS应用程序中使用OAuth承载令牌认证流程。
What I want to do is reuse the bearer token on the server and pass it on to a 2nd web API service (another service on another server which is also protected by bearer tokens and uses the same machine key). 我想要做的是在服务器上重用承载令牌并将其传递给第二个Web API服务(另一个服务器上的另一个服务,该服务也受到承载令牌的保护并使用相同的机器密钥)。 I know how to create a bearer token in C# and add it to the header of the request with HTTPClient - but how do I just use the bearer token I already have (passed in by the browser request)? 我知道如何在C#中创建一个承载令牌并使用HTTPClient将其添加到请求的标头中 - 但是我如何使用我已经拥有的承载令牌(通过浏览器请求传入)? is this possible? 这可能吗?
1 个解决方案
解决方案1
1 2015-09-28 16:06:21
Technically it is possible, but rarely a good idea. 从技术上讲,这是可能的,但很少有好主意。 You would not normally pass it through, given that this would expose your backend API to man in the middle attacks. 你通常不会通过它,因为这会在中间攻击中将你的后端API暴露给人。 In the canonical approach you would use the access token you received to go back to the authority and request a new token, this time scoped for your backend. 在规范方法中,您将使用您收到的访问令牌返回到权限并请求新令牌,这次是针对您的后端。 See https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof for one example. 有关示例,请参阅https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.