MVC + WebApi。 授权与认证
[英]MVC + WebApi. Authorization and Authentication
问题描述
I have an ASP.NET MVC project and a Web Api project (separate projects). 
我有一个ASP.NET MVC项目和一个Web Api项目(单独的项目)。 Access to the database is fully realized through Web Api (including authorization and authentication). 通过Web Api完全实现对数据库的访问(包括授权和身份验证)。 ASP.NET MVC is a client, Web Api is a server. ASP.NET MVC是客户端,Web Api是服务器。
So, how to correctly implement authorization and authentication in the ASP.NET MVC project (on the client side)? 因此,如何在ASP.NET MVC项目中(在客户端)正确地实现授权和身份验证? I read a lot how this is implemented in Web Api (through a token), but I can not understand how to correctly use this token in ASP.NET MVC. 我读了很多文章(通过令牌)如何在Web Api中实现它,但是我不明白如何在ASP.NET MVC中正确使用此令牌。
Realize wrap for each request? 实现每个请求的包装? I also do not know how to define the user role in ASP.NET MVC. 我也不知道如何在ASP.NET MVC中定义用户角色。 Maybe there is some way to rewrite standard methods of ASP.NET MVC authorization to work with the Web Api token? 也许有某种方法可以重写ASP.NET MVC授权的标准方法以与Web Api令牌一起使用? Will the Authorize attributes on the ASP.NET MVC client side work? ASP.NET MVC客户端上的Authorize属性可以工作吗? Suggest please in an example of such an implementation if possible, or tell me how best to implement it. 如果可能的话,请在示例中提出建议,或者告诉我如何最好地实施。
3 个解决方案
解决方案1
0 2018-05-27 09:16:03
解决方案2
0 2018-05-27 09:36:33
I would recommend you to use OWIN interface to implement token based authentication for web api and MVC. 我建议您使用OWIN接口为Web api和MVC实施基于令牌的身份验证。 You should provide authentication token in your web api and give ability to deserialize the token in MVC and Web Api. 您应该在Web api中提供身份验证令牌,并具有在MVC和Web Api中反序列化令牌的功能。 So, you can find an example open source project here which I developed it about how can you implement token based authentication with OWIN for Web api. 因此,您可以在此处找到一个示例开源项目,该项目由我开发,涉及如何使用OWIN for Web api实现基于令牌的身份验证。
For MVC project, you should follow the same practice by using OWIN . 对于MVC项目,应使用OWIN遵循相同的做法。
解决方案3
0 2018-06-15 17:38:17
First of all if you are not in production yet, it might be time to jump to .Net Core 2.x. 首先,如果您还没有投入生产,可能是时候跳转到.Net Core 2.x了。 It does not separate Web API and MVC underground and it's up to date technology. 它不会将Web API和MVC分开,并且是最新技术。
If, for some reason, you can't upgrade the framework, then yes, employ Microsoft.Owin, Microsoft.Owin.Security.OpenIdConnect and all the dependencies. 如果由于某种原因而无法升级框架,请使用Microsoft.Owin,Microsoft.Owin.Security.OpenIdConnect和所有依赖项。
OIdC defines two types of tokens: Identity token , describing a user and Authorization token , giving access to API. OIdC定义了两种类型的令牌: 身份令牌 (描述用户)和授权令牌 (提供对API的访问)。 There should be some Identity Provider in the system, authenticating users and authorizing clients (such as your MVC APP). 系统中应该有一些身份提供者 ,用于认证用户并授权客户端(例如您的MVC APP)。 Such provider could be external (Google, Office 365 etc), or internal -- you can use free Identity Server 4.x implementation and adjust it to feet your needs. 此类提供程序可以是外部的(Google,Office 365等),也可以是内部的-您可以使用免费的Identity Server 4.x实施并根据需要进行调整。 You could even build the IdP into your app. 您甚至可以将IdP内置到您的应用程序中。
The flow for both .Net Core and Owin OIdC implementations should be identical: .Net Core和Owin OIdC实施的流程应相同:
- You register all your apps (API and MVC in Identity provider) 您注册了所有应用程序(Identity provider中的API和MVC)
- User requests an MVC resource, OIdC middleware redirects him to IdP. 用户请求MVC资源,OIdC中间件将其重定向到IdP。
- IdP authenticates the user issuing identity and access tokens. IdP对发出身份和访问令牌的用户进行身份验证。
- MVC validates the Identity token and uses it to create a local Authentication cookie, so the user becomes authenticated in the app. MVC会验证身份令牌并使用它来创建本地身份验证cookie,以便使用户在应用程序中得到身份验证。
- MVC controller calls some API and put into the request access token, requested from IdP. MVC控制器调用一些API,并将其放入IdP请求的请求访问令牌中。
- API validates the token and responds with requested data. API会验证令牌并使用请求的数据进行响应。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.