[英]How do I call my role-based authorized web API from another app?
I have a web API that utilizes role authorization ( ex: [Authorize(Roles="test")]
) for each controller and action. 我有一个Web API,它为每个控制器和操作利用角色授权(例如:
[Authorize(Roles="test")]
)。
This API is meant to be a stand alone app with no actual MVC site for it, so there is no login method. 该API旨在成为一个独立的应用,没有实际的MVC网站,因此没有登录方法。
So let's say I have a separate " Students " app that needs to display a list of all current students in the school. 假设我有一个单独的“ 学生 ”应用,该应用需要显示学校中所有当前学生的列表。 In the API, I have a role-based authorized method that retrieves all current students from the database.
在API中,我有一个基于角色的授权方法,该方法从数据库中检索所有当前的学生。 How would I be able to call that API call from the " Students " app (which is on the same domain) if it's authorized?
如果获得授权,我该如何从“ Students ”应用程序(位于同一域)调用该API调用?
Is there anyway I can spoof the " Students " app to run under one of the authorized roles? 无论如何,我是否可以欺骗“ 学生 ”应用程序以在其中一个授权角色下运行? I don't want to use the roles of the user using the site because only Admins are allowed to execute these API calls.
我不想使用使用该站点的用户角色,因为只允许管理员执行这些API调用。
Look at this tutorial on building an OAuth 2 authorization server . 查看有关构建OAuth 2授权服务器的教程。 You can use the Authorization Code Grant to authenticate your Students MVC app against your API.
您可以使用“授权代码授予”来针对您的API对学生MVC应用进行身份验证。
Building an OAuth server is not a simple task, however. 但是,构建OAuth服务器并不是一件容易的事。 You can look at a complete and secure open source product like IdentityServer to help you implement most of the authorization and authentication logic.
您可以看一下IdentityServer之类的完整且安全的开源产品,以帮助您实现大多数授权和身份验证逻辑。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.