简体繁体 English

ASP.NET 核心 MVC/WebAPI 认证方案加匿名

[英]ASP.NET Core MVC/WebAPI Authentication Schemes plus Anonymous

原文 2019-11-21 20:49:06 5 1 c#/ asp.net/ asp.net-mvc

I'm having an issue with a website plus API I'm writing.我在写一个网站和 API 时遇到问题。 These are in the same project, if that matters.如果重要的话，这些都在同一个项目中。

Reduced to its simplest form, it's a catalogue website and API.简化为最简单的形式，它是一个目录网站和 API。 You have products in a database and pages which display product information.您在数据库中有产品和显示产品信息的页面。 You also have other pages which allow editing this information and adding new products, etc.您还有其他页面允许编辑此信息和添加新产品等。

There are three ways you can do this:您可以通过三种方式执行此操作：

Anonymous users can list products and view public information about them on the website.匿名用户可以在网站上列出产品并查看有关它们的公共信息。
Signed-in users can list, view (including private info), edit, create and delete products on the website.登录用户可以在网站上列出、查看（包括私人信息）、编辑、创建和删除产品。
Users with a valid API key can list, view (including private info), edit, create and delete products using the API.拥有有效 API 密钥的用户可以使用 API 列出、查看（包括私人信息）、编辑、创建和删除产品。

The problem I'm having is that the website uses AJAX calls to the API, and these only work if the user of the website is authenticated.我遇到的问题是该网站使用 AJAX 调用 API，并且这些仅在网站用户经过身份验证时才有效。 Calling the API without an authentication cookie or an API key fails by design.在没有身份验证 cookie 或 API 密钥的情况下调用 API 会因设计而失败。

What would be the recommended way of identifying the unauthenticated website to the back-end API in a secure way that allows it to work?以允许其工作的安全方式将未经身份验证的网站识别到后端 API 的推荐方法是什么？

The ideas I've had include:我的想法包括：

A special API key for the website, but it would by necessity be visible to the world at large somewhere in the Javascript code and therefore something someone could use to access the API themselves and bypass any rate limiting I wanted to implement.该网站的特殊 API 密钥，但它必然会在 Javascript 代码中的某个地方对整个世界可见，因此有人可以使用它来访问 API 自己并绕过任何速率限制。
I considered setting something in the session on the web controllers which could then be verified in the API controllers, but I encountered issues where unauthenticated calls to the API redirect to the login page on the Account controller, which then sets the relevant session variable, which means subsequent API calls succeed whether legitimately authenticated or not. I considered setting something in the session on the web controllers which could then be verified in the API controllers, but I encountered issues where unauthenticated calls to the API redirect to the login page on the Account controller, which then sets the relevant session variable, which意味着后续的 API 调用无论是否经过合法身份验证都会成功。 This seems like the most promising option, but I'm not familiar enough with ASP.NET Core's workings to make it robust.这似乎是最有希望的选择，但我对 ASP.NET Core 的工作原理不够熟悉，无法使其健壮。

1 个解决方案

You should use Jason Web Token Authentication, to implement one in your API please check the following the link:您应该使用 Jason Web 令牌身份验证，在您的 API 中实施一个，请检查以下链接：

https://medium.com/@adegokesimi/implementing-jwt-and-refresh-token-in-net-core-2-2-web-api-b21ef6de2a19 https://medium.com/@adegokesimi/implementing-jwt-and-refresh-token-in-net-core-2-2-web-api-b21ef6de2a19

By using JWT authentication in the pipe line of your WebApi your problem will be solved.通过在 WebApi 的 pipe 行中使用 JWT 身份验证，您的问题将得到解决。

Also, you can use a ASP.NET Core identity system for things like roles that can be implemented on specific controller methods, for example, "EDIT" can be allowed only to role admin, etc.此外，您可以将 ASP.NET 核心身份系统用于可以在特定 controller 方法上实现的角色之类的事情，例如，“编辑”只能允许角色管理员等。

Kind regards, .js亲切的问候，.js