[英]MVC + WebApi. Authorization and Authentication
I have an ASP.NET MVC project and a Web Api project (separate projects). 我有一个ASP.NET MVC项目和一个Web Api项目(单独的项目)。 Access to the database is fully realized through Web Api (including authorization and authentication). 通过Web Api完全实现对数据库的访问(包括授权和身份验证)。 ASP.NET MVC is a client, Web Api is a server. ASP.NET MVC是客户端,Web Api是服务器。
So, how to correctly implement authorization and authentication in the ASP.NET MVC project (on the client side)? 因此,如何在ASP.NET MVC项目中(在客户端)正确地实现授权和身份验证? I read a lot how this is implemented in Web Api (through a token), but I can not understand how to correctly use this token in ASP.NET MVC. 我读了很多文章(通过令牌)如何在Web Api中实现它,但是我不明白如何在ASP.NET MVC中正确使用此令牌。
Realize wrap for each request? 实现每个请求的包装? I also do not know how to define the user role in ASP.NET MVC. 我也不知道如何在ASP.NET MVC中定义用户角色。 Maybe there is some way to rewrite standard methods of ASP.NET MVC authorization to work with the Web Api token? 也许有某种方法可以重写ASP.NET MVC授权的标准方法以与Web Api令牌一起使用? Will the Authorize
attributes on the ASP.NET MVC client side work? ASP.NET MVC客户端上的Authorize
属性可以工作吗? Suggest please in an example of such an implementation if possible, or tell me how best to implement it. 如果可能的话,请在示例中提出建议,或者告诉我如何最好地实施。
I would recommend you to use OWIN
interface to implement token based authentication for web api and MVC. 我建议您使用OWIN
接口为Web api和MVC实施基于令牌的身份验证。 You should provide authentication token in your web api and give ability to deserialize the token in MVC and Web Api. 您应该在Web api中提供身份验证令牌,并具有在MVC和Web Api中反序列化令牌的功能。 So, you can find an example open source project here which I developed it about how can you implement token based authentication with OWIN
for Web api. 因此,您可以在此处找到一个示例开源项目,该项目由我开发,涉及如何使用OWIN
for Web api实现基于令牌的身份验证。
For MVC project, you should follow the same practice by using OWIN
. 对于MVC项目,应使用OWIN
遵循相同的做法。
First of all if you are not in production yet, it might be time to jump to .Net Core 2.x. 首先,如果您还没有投入生产,可能是时候跳转到.Net Core 2.x了。 It does not separate Web API and MVC underground and it's up to date technology. 它不会将Web API和MVC分开,并且是最新技术。
If, for some reason, you can't upgrade the framework, then yes, employ Microsoft.Owin, Microsoft.Owin.Security.OpenIdConnect and all the dependencies. 如果由于某种原因而无法升级框架,请使用Microsoft.Owin,Microsoft.Owin.Security.OpenIdConnect和所有依赖项。
OIdC defines two types of tokens: Identity token , describing a user and Authorization token , giving access to API. OIdC定义了两种类型的令牌: 身份令牌 (描述用户)和授权令牌 (提供对API的访问)。 There should be some Identity Provider in the system, authenticating users and authorizing clients (such as your MVC APP). 系统中应该有一些身份提供者 ,用于认证用户并授权客户端(例如您的MVC APP)。 Such provider could be external (Google, Office 365 etc), or internal -- you can use free Identity Server 4.x
implementation and adjust it to feet your needs. 此类提供程序可以是外部的(Google,Office 365等),也可以是内部的-您可以使用免费的Identity Server 4.x
实施并根据需要进行调整。 You could even build the IdP into your app. 您甚至可以将IdP内置到您的应用程序中。
The flow for both .Net Core and Owin OIdC implementations should be identical: .Net Core和Owin OIdC实施的流程应相同:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.