简体繁体 English

asp.net核心/ openiddict和客户端spa具有自定义权限的授权

[英]asp.net core / openiddict & client spa Authorization with custom permissions

原文 2016-11-30 18:55:39 6 1 asp.net-core/ openiddict

I need some help in understanding a basic thing or two with Token-based authentication. 我需要一些帮助，以了解基于令牌的身份验证的一两个基本知识。 My setup is a backend asp.net core app with openiddict for token auth. 我的设置是一个后端asp.net核心应用，带有openiddict用于令牌认证。 It's all working well so far - I now need to add user-permissions. 到目前为止，一切运行良好-我现在需要添加用户权限。 I will have a lot of them (eg User can view xy, user can edit xy, user can delete xy, with many different xy-components). 我将有很多（例如，用户可以查看xy，用户可以编辑xy，用户可以删除xy，以及许多不同的xy组件）。 Backend is working well so far, my problem is now: How to get these permissions via token to my client side app.. 到目前为止，后端运作良好，现在的问题是：如何通过令牌向我的客户端应用程序获取这些权限。

As far as I understood these are not classical "claims" as a claim would describe "who" you are rather "what you are allowed to do" . 据我了解，这些不是经典的“要求”，因为要求将描述“您”是“谁”，而是“被允许做什么”。 Right? 对？
But how can I pack them into my id_token/ How can I add them to my payload? 但是，如何将它们打包到我的id_token /中，如何将它们添加到我的有效载荷中？
Second thing: Do I need to validate the token (signature) in my case? 第二件事：我需要验证令牌（签名）吗？ Every Api-request ist validated at server side, so basically I don't need to care if my client side permissions are tempered with, right? 每个Api请求专家都在服务器端进行了验证，因此基本上我不需要关心客户端的权限是否受到限制，对吗？ (As they are only for UI-Display purposes) （因为它们仅用于UI显示目的）

Thanks for your help! 谢谢你的帮助！

1 个解决方案

As far as I understood these are not classical "claims" as a claim would describe "who" you are rather "what you are allowed to do" . 据我了解，这些不是经典的“要求”，因为要求将描述“您”是“谁”，而是“被允许做什么”。 Right? 对？

In theory, nothing prevents you from representing permissions as claims, just like you'd do with roles or any other claim. 从理论上讲，没有什么可以阻止您将权限表示为声明，就像处理角色或任何其他声明一样。 In practice tho', it's rarely the best approach, because the number of actions a user can do is usually important (and often unlimited: can the user A update the product 124? And this other product?). 在实践中，这很少是最好的方法，因为用户可以执行的操作数量通常很重要（并且通常是无限的：用户A可以更新产品124吗？还有其他产品吗？）。

A possible alternative is to catch the 403 responses returned by your API when a user is not allowed to execute a specific action so you can display an adequate error message. 一种可能的替代方法是在不允许用户执行特定操作时捕获API返回的403响应，以便您可以显示适当的错误消息。 Another one is to create an API endpoint that dynamically determines whether a user is allowed to execute the action, according to your own policy. 另一个方法是创建一个API终结点，该终结点根据您自己的策略动态确定是否允许用户执行该操作。

Second thing: Do I need to validate the token (signature) in my case? 第二件事：我需要验证令牌（签名）吗？ Every Api-request ist validated at server side, so basically I don't need to care if my client side permissions are tempered with, right? 每个Api请求专家都在服务器端进行了验证，因此基本上我不需要关心客户端的权限是否受到限制，对吗？ (As they are only for UI-Display purposes) （因为它们仅用于UI显示目的）

Both access tokens and identity tokens are digitally signed, so they can't be tempered with (at least, not easily). 访问令牌和身份令牌都经过数字签名，因此（至少，不容易）不能对其进行调整。 You don't need to validate signatures yourself, as it's already done by the validation/JWT middleware. 您不需要自己验证签名，因为验证/ JWT中间件已经完成了签名。