堆栈内存溢出
  简体   繁体   English

Rest API身份验证机制,该怎么办

[英]Rest API authentication mechanism, what to do

 原文  2016-02-26 01:52:54       api/ authentication/ authorization/ asp.net-web-api2/ restful-authentication

问题描述

I've been reading a lot lately about WEB API authentication mechanisms and I'm a little bit confused regarding how to implement my Web API authentication mechanism, I'm thinking on using Token based authentication but I'm not sure if it is the right choice. 我最近阅读了很多有关WEB API身份验证机制的信息,对于如何实现我的Web API身份验证机制有些困惑,我在考虑使用基于令牌的身份验证,但不确定是否是基于令牌的身份验证。正确的选择。

Basically my Web API will manage all the operations needed and it will store the users of my website as well the API users(in case they have to be separated). 基本上,我的Web API将管理所有需要的操作,它将存储我网站的用户以及API用户(以防他们必须分开)。

I want to support the following 我想支持以下

User can register on my website and apps using their G+ or Facebook account or an already created username from my service, as well they will be to login using their social account. 用户可以使用其G +或Facebook帐户或通过我的服务已创建的用户名在我的网站和应用上注册,他们也将使用其社交帐户登录。 If the user is not logged in they won't be able to post Items but they will be able to see the Items, think something like Craiglist. 如果用户未登录,则他们将无法发布商品,但可以看到商品,请考虑使用Craiglist之类的方法。 Let's say the user is a developer and they want to post the items through some software they created instead of going through the website and posting one item at a time, how do I allow this? 假设用户是开发人员,他们想通过自己创建的某些软件来发布商品,而不是一次浏览网站并一次发布一个商品,我该如何允许? Now, my questions are: 1) When a user registers on my website, do I have to create a (public key/ secret key) for it subsequent access token , so I can use my API from the website as the user checking if they have access to certain endpoints? 现在,我的问题是:1)当用户在我的网站上注册时,是否需要为其后续访问令牌创建一个(公共密钥/私有密钥),所以我可以使用该网站上的API作为用户检查是否可以访问某些端点?

2) Do I have to assign a (public key / secret key) for my website so I can consume the API when the user is not logged in? 2)我是否必须为我的网站分配一个(公共密钥/私有密钥),以便在用户未登录时可以使用该API?

3) The same as above for mobile apps 3)与上述移动应用程序相同

4) How do I allow users to (sign up / sign in) using G+ or Facebook?, if they log in using any social network how am I going to secure my api? 4)如何允许用户使用G +或Facebook(登录/登录)?如果他们使用任何社交网络登录,我将如何保护我的api?

Please, any answer will be really appreciated. 请,任何答案将不胜感激。

Thanks 谢谢

2 个解决方案

解决方案1
 0  2016-02-26 16:45:20

Follow this tutorial for most of your requirements http://bitoftech.net/2015/01/21/asp-net-identity-2-with-asp-net-web-api-2-accounts-management/ Logging in via facebook/G+ MVC already has the helpers commented out. 请按照本教程的大部分要求进行操作http://bitoftech.net/2015/01/21/asp-net-identity-2-with-asp-net-web-api-2-accounts-management/通过Facebook登录/ G + MVC已经使助手注释掉了。 You would get the credentials by setting up key's via the third party apps and then store the identity. 您将通过第三方应用程序设置密钥来获取凭据,然后存储身份。

解决方案2
 0 已采纳  2016-03-14 22:16:52

For ASP.NET Web API 2, I would recommend you to use the default Owin OAuth2 authentication. 对于ASP.NET Web API 2,建议您使用默认的Owin OAuth2身份验证。 It's a standard form of authentication well documented enough. 这是一种标准的身份验证形式,有据可查。 If you do not have enough knowledge about OAuth2, read the RFC . 如果您对OAuth2不够了解,请阅读RFC

With Web API 2, ASP.NET moved to a new security model, called ASP.NET Identity . 随着Web API 2的出现,ASP.NET转移到一个新的安全模型,称为ASP.NET Identity There is this really good video that explains the basics. 这是一个非常好的视频 ,介绍了基本知识。 The point is that starts from scratch, ignoring traditional basic, forms, or windows authentication. 关键是从头开始,忽略了传统的基本身份验证,窗体身份验证或Windows身份验证。

A lot of learning material is on the ASP.NET website . ASP.NET 网站上有很多学习资料。 For local, individual accounts (questions #1, #2, and #3), look through this tutorial - here basically your own server will act as an OAuth authorization server, and the Owin OAuth2 implementation will take care of generating access token and authenticating them. 对于本地个人帐户(问题#1,#2和#3),请通读本教程 -在这里,基本上您自己的服务器将充当OAuth授权服务器,而Owin OAuth2实现将负责生成访问令牌并进行身份验证他们。 Since you'll be using the OAuth 2 standard, it will be basically the same for mobile as well. 由于您将使用OAuth 2标准,因此在移动设备上也基本相同。

For external accounts (question #4), read through this tutorial . 对于外部帐户(问题4),请通读本教程 There are official libraries for third-party authentication for the major providers: 有主要提供商的第三方身份验证官方库:

  • Microsoft.Owin.Security.Facebook Microsoft.Owin.Security.Facebook
  • Microsoft.Owin.Security.Google Microsoft.Owin.Security.Google
  • Microsoft.Owin.Security.Twitter Microsoft.Owin.Security.Twitter
  • Microsoft.Owin.Security.MicrosoftAccount Microsoft.Owin.Security.MicrosoftAccount

It would helpful to also learn more and understand the new OWIN specification, that describes how web apps need to created for the .NET framework, and the Katana project (Microsoft's OWIN implementation). 进一步了解和了解新的OWIN规范(将描述如何为.NET框架以及Katana项目(Microsoft的OWIN实现)创建Web应用程序)也将有所帮助。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 对于 REST API,我可以使用 flask-login 提供的身份验证机制,还是必须明确使用基于令牌的身份验证,如 JWT? - For a REST API, can I use authentication mechanism provided by flask-login or do I explicitly have to use token based authentication like JWT? IBM Watson Q and A服务的正确REST API和身份验证是什么? - What is the correct REST API and authentication for IBM Watson Q and A service? Magento REST api身份验证 - Magento REST api authentication PHP rest API身份验证 - PHP rest API authentication Flutter rest api认证 - Flutter rest api authentication REST API身份验证 - 这是否足够? - REST API authentication - Will this be sufficient? REST API上的CakePHP身份验证 - CakePHP Authentication on REST API cakephp rest api和身份验证 - cakephp rest api and authentication REST API 身份验证无状态 - REST API Authentication stateless REST API身份验证令牌 - REST API authentication tokens
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM