堆栈内存溢出
  简体   繁体   English

如何在没有IIS / WCF的情况下通过REST API调用对Windows用户进行身份验证?

[英]How can I authenticate a windows user over a REST API call without IIS/WCF?

 原文  2016-11-04 11:30:46       c#/ windows/ authentication/ active-directory/ nancy

问题描述

While developing an on-premise, intranet-only REST API server for my company, I managed to completely confuse myself regarding authentication issues. 在为我的公司开发内部部署的仅Intranet REST API服务器时,我设法完全混淆了自己的身份验证问题。

I have :

  • A REST web server implemented in C#, using self-hosted Nancy, running as a Windows Service 一个用C#实现的REST Web服务器,使用自托管Nancy,作为Windows服务运行
  • AC# client that can query the server, run by a user in our company 可以查询服务器的AC#客户端,由我们公司的用户运行

I do not have: 没有

  • Any form of access to our Active Directory and/or domain controller, apart from what any application running under Windows normally has 除了Windows下运行的任何应用程序通常具有的任何形式的访问我们的Active Directory和/或域控制器
  • Any way to influence AD settings or configuration 任何影响AD设置或配置的方法
  • Active Directory Federation Services (ADFS) (I think . We use Windows 7 and Office 2010, just to give some perspective on the state of the software landscape) Active Directory联合身份验证服务(ADFS)(我认为 。我们使用Windows 7和Office 2010,只是为了对软件环境的状态提供一些观点)
  • Azure Active Directory (AAD) Azure Active Directory(AAD)

I want :

  • A way for the server to authenticate that a request is made by a user of our company 服务器验证请求是由我们公司的用户进行的一种方式
    • It is perfectly fine if the client has to sent some additional authentication data with each request, as long as it does not contain the user's password in any form 如果客户端必须为每个请求发送一些额外的身份验证数据,那就完全没问题 ,只要它不包含任何形式的用户密码

I do not want to: 不想

  • Have to set up any additional software (my server must be minimum configuration and maintenance, so the average user can install and run it) 必须设置任何其他软件(我的服务器必须是最低配置和维护,所以普通用户可以安装和运行它)
  • Install / configure / maintain an IIS server (see above) 安装/配置/维护IIS服务器(见上文)
  • Use ASP.net (way too big for my needs, plus see above point(s)) 使用ASP.net(对我的需求来说太大了,加上看上面的点)
  • Handle user passwords in any way (company policy and common sense) 以任何方式处理用户密码(公司政策和常识)
  • Impersonate the user (I only need to validate the authenticity of the request) 冒充用户(我只需要验证请求的真实性)
  • Implement my own user account database. 实现我自己的用户帐户数据库。 We already have half a dozen services that need their own username/password combinations, I do not want to add yet another one 我们已经有六个服务需要他们自己的用户名/密码组合,我不想再添加另一个

I have read articles that show how to use Windows authentication with IIS , or how to use Azure Active Directory (AAD) with Nancy . 我已阅读文章,介绍如何在IIS中使用Windows身份验证 ,或如何在Nancy中使用Azure Active Directory(AAD) Other questions here have already informed me how to authenticate username / password combinations against the Active Directory . 此处的其他问题已经告诉我如何针对Active Directory验证用户名/密码组合 However, none of these satisfy all of my requirements or have requirements of their own (like AAD/ADFS) that I cannot meet. 但是,这些都不能满足我的所有要求,也不能满足我们自己的要求(如AAD / ADFS)。

It seems that Kerberos/SSPI might be what I want, but it seems very involved and quite complicated to get working with C#. 似乎Kerberos / SSPI可能是我想要的,但它似乎非常复杂,并且使用C#非常复杂。 It is possible I will have to go this route, but I could really benefit from some minimal working example (the accepted answer provides a C# implementation/wrapper, including an example project, but I can't seem to be able to make heads or tails of it). 我可能必须走这条路,但我真的可以从一些最小的工作示例中受益(接受的答案提供了一个C#实现/包装器,包括一个示例项目,但我似乎无法做出头或者它的尾巴)。

Maybe I am naive, but what I image the solution to be is something along the following lines: 也许我很天真,但我想要解决的问题是以下几点:

  1. The client queries a service (AD, Domain controller, ...?) for some form of authentication token, using the credentials of the currently logged in user 客户端使用当前登录用户的凭据查询某种形式的身份验证令牌服务(AD,域控制器,......?)
  2. The token is then sent to the server together with the username, as part of the request that needs to be authenticated 然后将令牌与用户名一起发送到服务器,作为需要进行身份验证的请求的一部分
  3. The server extracts the token, and queries the same service (AD, Domain controller, ...) whether the token is authentic, valid and belongs to the user in question 服务器提取令牌,并查询相同的服务(AD,域控制器,...)令牌是否真实,有效并且属于相关用户

Is this possible at all? 这有可能吗? Ideally, with some sort of ready made library that I can plug in to my projects (I'm reaching, I know)? 理想情况下,我可以使用某种现成的库来插入我的项目(我知道了)?

1 个解决方案

解决方案1
 1 已采纳  2016-12-21 19:05:01

You can do this with stateless authentication and Jwt. 您可以使用无状态身份验证和Jwt执行此操作。 Send a username and password to "/ auth" (example) and "/ auth" will search the AD (example) and validate if the user exists, then create a Jwt token with the name of the user on load. 将用户名和密码发送到“/ auth”(示例),“/ auth”将搜索AD(示例)并验证用户是否存在,然后创建一个带有用户名称的Jwt令牌。 When you make a request, you will only send a Jwt token and Nancy validates the token. 当您发出请求时,您只会发送一个Jwt令牌,而Nancy会验证该令牌。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在REST WCF Web API中使用Windows身份验证对用户进行身份验证 - Authenticate User using Windows Authentication in REST WCF Web API 如何在XP中部署没有IIS的WCF服务? - How can I deploy WCF Service without IIS in XP? 如何使用REST Service-wcf WebHttpBindig对用户进行身份验证? - how to authenticate user with rest service-wcf WebHttpBindig? 验证用户并调用 REST API sharepoint 本地使用令牌 - Authenticate user & call REST API sharepoint on-premise using token 在线认证SharePoint REST API 无需用户名和密码 - Authenticate SharePoint online REST API without user name and password 如何在 WCF 服务中调用 REST API? - How to Make REST API call in WCF Service? 如何认证用户? - How can I authenticate a user? 我可以使用IIS的Windows身份验证对TFS进行身份验证吗? - Can I use Windows-Authentification from IIS to authenticate to TFS? 如何在没有任何身份验证的情况下调用 WCF 服务? - How can I call the WCF service without any authentication? 将Windows用户“令牌”传递给WCF进行身份验证 - Passing Windows User 'Token' to WCF to authenticate
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM