
Asp.Net Web Api security using Owin samples

I am working to implement OWIN based authentication and authorization. Below is how I am planning to implement it.

1) A front-end based application with anonymous access with which users can register, and they will be in our DB waiting for approval. An admin user will review the users and approve them, providing the necessary roles.
2) Those users can consume our different APIs by passing the credentials to get the response if authorized by the OWIN authorization server.
3) The OWIN authentication/authorization as a separate service so it can be used by multiple applications for authentication/authorization and generating the tokens.

My questions are:

1) Am I in the right direction and will this approach work?
2) Is there a sample where these applications are constructed in separate solutions?

All the samples that I am seeing are all using the default template and the sample approach. Please help me with any such available sample.

Basically, I think you are on the right track. But I did not quite understand your workflow after the user registration. When the user is registered and his data is stored in the DB, you already should provide him the ability to log in (authentication): send him a token (bearer/refresh) with some basic claims. At the same time, if you need to limit authenticated users' abilities to consume your APIs, then you could achieve this by implementing role management (authorization).

See this guide about decoupling the authorization server from the resource server. This link may seem a little bit old, but it provides working samples / an understanding of the workflow.

Also, for authentication I would advise you to stick with JSON Web Tokens, because they provide a decent way of transferring the state of the authenticated user via claims. See this link and this guide.
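As an added illustration of the decoupled setup the answer recommends (this is example code written for this page, not the question author's project and not code from the linked guide), the following shows the two OWIN startups that would live in separate solutions: an authorization server that only issues a signed JWT to users that appear in the approval table, with their roles as claims, and a resource server that validates that JWT with the shared key and enforces a role on one action. Package versions are assumed (Microsoft.Owin.Security.OAuth and Microsoft.Owin.Security.Jwt 3.x, System.IdentityModel.Tokens.Jwt 4.x, Microsoft.AspNet.Identity.Core, Microsoft.AspNet.WebApi.Owin); the issuer, audience, signing key, user names and passwords are constructed placeholders, and the in-memory `Approved` dictionary stands in for the database table the question describes.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;          // JwtSecurityToken, SigningCredentials, InMemorySymmetricSecurityKey
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;            // PasswordHasher
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;

namespace OwinSample
{
    // Constructed values shared by both projects; in a deployment the key comes from configuration, never source.
    public static class TokenSettings
    {
        public const string Issuer = "https://auth.example.test";
        public const string Audience = "api.example.test";
        public static readonly byte[] SigningKey = Encoding.UTF8.GetBytes("constructed-32-byte-secret-change-me!!");
    }

    // ---------- Authorization server project ----------
    public class AuthServerStartup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
            {
                AllowInsecureHttp = false,                          // credentials and tokens travel only over TLS
                TokenEndpointPath = new PathString("/oauth/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
                Provider = new ApprovedUserProvider(),
                AccessTokenFormat = new JwtFormat()                 // issue signed JWTs instead of opaque tokens
            });
        }
    }

    // Resource-owner password grant: only approved users get a token, and their roles become claims.
    public class ApprovedUserProvider : OAuthAuthorizationServerProvider
    {
        private sealed class Account { public string PasswordHash; public string[] Roles; }
        private static readonly PasswordHasher Hasher = new PasswordHasher();
        // Constructed stand-in for the approval table; users still awaiting approval are simply absent.
        private static readonly Dictionary<string, Account> Approved = new Dictionary<string, Account>
        {
            { "alice", new Account { PasswordHash = Hasher.HashPassword("constructed-pw-1"), Roles = new[] { "Admin" } } },
            { "bob",   new Account { PasswordHash = Hasher.HashPassword("constructed-pw-2"), Roles = new[] { "Reader" } } }
        };

        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            context.Validated();   // single first-party client; validate client_id/secret once there are several
            return Task.FromResult(0);
        }

        public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            Account acct;
            if (!Approved.TryGetValue(context.UserName, out acct) ||
                Hasher.VerifyHashedPassword(acct.PasswordHash, context.Password) != PasswordVerificationResult.Success)
            {
                context.SetError("invalid_grant", "Invalid credentials or account not yet approved.");
                return Task.FromResult(0);
            }
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
            identity.AddClaims(acct.Roles.Select(r => new Claim(ClaimTypes.Role, r)));
            context.Validated(identity);
            return Task.FromResult(0);
        }
    }

    // Serialises the ticket as an HMAC-SHA256 JWT; validation happens on the resource server, so Unprotect is unused.
    public class JwtFormat : ISecureDataFormat<AuthenticationTicket>
    {
        public string Protect(AuthenticationTicket data)
        {
            var credentials = new SigningCredentials(new InMemorySymmetricSecurityKey(TokenSettings.SigningKey),
                SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);
            var token = new JwtSecurityToken(TokenSettings.Issuer, TokenSettings.Audience, data.Identity.Claims,
                data.Properties.IssuedUtc.Value.UtcDateTime, data.Properties.ExpiresUtc.Value.UtcDateTime, credentials);
            return new JwtSecurityTokenHandler().WriteToken(token);
        }

        public AuthenticationTicket Unprotect(string protectedText)
        {
            throw new NotSupportedException("Tokens are validated by the resource server's JWT middleware.");
        }
    }

    // ---------- Resource server project (separate solution) ----------
    public class ResourceServerStartup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
            {
                AllowedAudiences = new[] { TokenSettings.Audience },   // reject tokens minted for other APIs
                IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
                {
                    new SymmetricKeyIssuerSecurityTokenProvider(TokenSettings.Issuer, TokenSettings.SigningKey)
                }
            });
            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);                 // authentication middleware runs before Web API
        }
    }

    public class OrdersController : ApiController
    {
        [Authorize(Roles = "Admin")]               // only a token carrying the Admin role claim reaches this action
        [Route("api/orders/{id}")]
        public IHttpActionResult Delete(string id) { return StatusCode(System.Net.HttpStatusCode.NoContent); }
    }
}
```

The authorization server never needs to read tokens back, which is why `Unprotect` throws; the resource server trusts only tokens whose issuer, audience, signature and expiry check out against the shared settings, and a user whose account is still waiting for approval is refused at `GrantResourceOwnerCredentials` with a generic `invalid_grant` error, so the token endpoint does not reveal which accounts exist.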
