[英]Authorising users in an ASP.NET (MVC5) web api project
Ok, so I'm struggling a little bit with trying to get a authentication process in my ASP.NET MVC5 (Web API 2) project.好的,所以我在尝试在我的 ASP.NET MVC5(Web API 2)项目中获得身份验证过程时有点挣扎。 To start, here are some requirements:
首先,这里有一些要求:
<Authorize>
attributes to help with protecting other endpoints<Authorize>
属性来帮助保护其他端点(note that there are lots of reasons why I can't change the above) (请注意,我无法更改上述内容的原因有很多)
I've tried to do this with Owin (OAuth) but I've found the following issues when comparing this to the requirements:我曾尝试使用 Owin (OAuth) 执行此操作,但在将其与要求进行比较时发现以下问题:
I am happy to move away from OAuth if that is the best way to go for what I want.如果这是我想要的最佳方式,我很高兴离开 OAuth。 I would prefer to use Microsoft built nuget packages (ie no third party solutions) or I'm happy to partially roll my own solution (I would like to leverage as much of in-built or Microsoft built code, including Identity and Claims as possible so I can minimise testing efforts).
我更喜欢使用 Microsoft 构建的 nuget 包(即没有第三方解决方案),或者我很乐意部分推出我自己的解决方案(我想尽可能多地利用内置或 Microsoft 构建的代码,包括身份和声明所以我可以最大限度地减少测试工作)。
I have read numerous StackOverflow questions about this and search heaps on the internet, but most articles stick with OAuth despite the above issues or they rely on EntityFramework.我已经阅读了许多关于此的 StackOverflow 问题并在互联网上搜索了大量内容,但尽管存在上述问题,但大多数文章仍坚持使用 OAuth,或者它们依赖于 EntityFramework。 My current solution uses the code from here (pretty much copy/pasted with some custom code in ApplicationOAuthProvider.GrantResourceOwnerCredentials()): https://www.codeproject.com/Articles/1187872/Token-Based-Authentication-for-Web-API-where-Legac
我当前的解决方案使用这里的代码(几乎复制/粘贴了 ApplicationOAuthProvider.GrantResourceOwnerCredentials() 中的一些自定义代码): https : //www.codeproject.com/Articles/1187872/Token-Based-Authentication-for-Web- API-where-Legac
Thanks for the help!谢谢您的帮助!
I did some more extensive research and it looks like OAuth is not applicable for my specific situation.我做了一些更广泛的研究,看起来 OAuth 不适用于我的特定情况。 Although it seems like a nice authentication method, I really need to invalidate tokens via the DB, and I need the API to always send/receive XML (these are apparently not applicable when using OAuth).
尽管这看起来是一种不错的身份验证方法,但我确实需要通过数据库使令牌无效,并且我需要 API 始终发送/接收 XML(这些在使用 OAuth 时显然不适用)。
To solve these problems, I have rolled my own token-based solution that creates a hashed token on the client side, so I never send passwords over the wire (which is a little bit nicer) because the token is generated on the client side (note that I am controlling what happens on the client side - these are all in house clients and I am writing the libraries these clients will use).为了解决这些问题,我推出了自己的基于令牌的解决方案,在客户端创建一个散列令牌,所以我从不通过网络发送密码(这更好一点),因为令牌是在客户端生成的(请注意,我正在控制客户端发生的事情 - 这些都是内部客户端,我正在编写这些客户端将使用的库)。 This involved me creating my own filter which inherits
System.Web.Http.AuthorizeAttribute
.这涉及我创建自己的过滤器,它继承了
System.Web.Http.AuthorizeAttribute
。
If anyone stumbles across this question and provides a really good answer, I'm more than happy to mark theirs as accepted.如果有人偶然发现了这个问题并提供了一个非常好的答案,我很乐意将他们的答案标记为已接受。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.