使用 ASP.NET 核心 MVC/Razor 站点和 WebAPI 进行授权
[英]Authorize with both ASP.NET core MVC/Razor site AND a WebAPI
问题描述
I have implemented JWT authentication/authorisation in the API part of my application.
我已经在我的应用程序的 API 部分实现了 JWT 身份验证/授权。 I also have a ASP.NET core MVC website that I would like to authenticate with.我还有一个 ASP.NET 核心 MVC 网站,我想用它进行身份验证。 Is it possible to use the JWT token from the API to authenticate with the website?是否可以使用来自 API 的 JWT 令牌对网站进行身份验证? I would like to prevent users from going to specific locations unless they are authorised, and redirect to the login page if not.我想阻止用户在未经授权的情况下进入特定位置,如果没有,则重定向到登录页面。 All examples I have found show how to do this with either the API (JWT) OR the MVC website (cookies) but not both at the same time.我发现的所有示例都展示了如何使用 API (JWT) 或 MVC 网站 (cookies) 但不能同时使用这两者。
1 个解决方案
解决方案1
3 2020-02-27 12:05:33
Having both handle authentication/Authorization does not make sense to me.同时处理身份验证/授权对我来说没有意义。
Why Authenticating with both MVC app and Web API does not make sense为什么同时使用 MVC 应用程序和 Web API 进行身份验证没有意义
If you want both your API and MVC web app handle authentication and authorizatation both your MVC app and API need the ability to verify the token it recieves and check the roles the user has.如果您希望 API 和 MVC Web 应用程序都处理身份验证和授权,则您的 MVC 应用程序和 API 都需要能够验证它收到的令牌并检查用户拥有的角色。 This would mean you will need to duplicate all the authentication/authorization logic your authentication API has and it would make your API redundant because using the API to only create a token does not make much sense when your MVC app would be handling verifying the token.这意味着您将需要复制您的身份验证 API 具有的所有身份验证/授权逻辑,这会使您的 API 变得多余,因为当您的 MVC 应用程序将处理验证令牌时,使用 API 仅创建令牌没有多大意义。
Recommendation:推荐:
whenever a protected resource is called on your MVC web app, pass the token from your MVC app to your authentication API to verify if the user is authorized to access this resource.每当在您的 MVC Web 应用程序上调用受保护的资源时,将令牌从您的 MVC 应用程序传递到您的身份验证 API 以验证用户是否有权访问此资源。 If the response from your Authentication API is 401 or 403 handle them appropriately (redirect to login).如果来自您的身份验证 API 的响应是 401 或 403,请适当处理它们(重定向到登录)。 If the response is 200 OK then display the resource.如果响应为 200 OK,则显示资源。
Esentially you need to pass the JWT through to the Authentication API for every request that requires authentication and your MVC web app reacts based on the status code returned from the Authentication API本质上,您需要为每个需要身份验证的请求将 JWT 传递给身份验证 API,并且您的 MVC Web 应用程序根据从身份验证 API 返回的状态代码做出反应
Possible implementation可能的实施
A custom Authentication handler could be a good place to handle this.自定义身份验证处理程序可能是处理此问题的好地方。 you can do this by overriding the HandleAuthenticateAsync method in AuthenticationHandler您可以通过覆盖AuthenticationHandler的HandleAuthenticateAsync方法来做到这一点
and then registering your custom authentication and authorisation class in startup.然后在启动时注册您的自定义身份验证和授权类。 Here is a quick sample of how it would look.这是它的外观的快速示例。
public class MyCustomAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
public PlatformAuthenticationHandler(
IOptionsMonitor<AuthenticationSchemeOptions> options,
ILoggerFactory logger,
UrlEncoder encoder,
ISystemClock clock)
: base(options, logger, encoder, clock)
{
}
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
//Send your request to your API and return either
//AuthenticateResult.Fail
//return AuthenticateResult.Success
}
}
This is the doc for Authorization这是授权文档
https://docs.microsoft.com/en-us/aspnet/core/security/authorization/iauthorizationpolicyprovider?view=aspnetcore-3.1 https://docs.microsoft.com/en-us/aspnet/core/security/authorization/iauthorizationpolicyprovider?view=aspnetcore-3.1
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.