简体繁体 English

基本 Angular SPA 与 .NET Web ZDB974238714CA8DE634A7CE1SSOD083A14FZ 连接 - 实现

[英]Basic Angular SPA connected with .NET Web API - implement SSO

原文 2022-01-12 15:28:18 4 1 c#/ .net/ angular/ authentication/ kerberos

I Will try to describe this as detailed as possible.我将尝试尽可能详细地描述这一点。

For using the SPA, you need to be logged-in, every request is authenticated by JWT.要使用 SPA，您需要登录，每个请求都经过 JWT 的身份验证。 Login is a simple form with Username and Password fields, which are sent to the server.登录是一个简单的表单，其中包含用户名和密码字段，它们被发送到服务器。 On the server, there are two types of login (kinda) - AD and Password (determinated by the user type):在服务器上，有两种类型的登录（有点） - AD 和密码（由用户类型决定）：

API check if username exists and determine its Type API 检查用户名是否存在并确定其类型
a) if type is Password: Check if password matches the data in Database a) 如果类型是密码：检查密码是否与数据库中的数据匹配
b) if type is AD: verify password on the LDAP server b) 如果类型是 AD：在 LDAP 服务器上验证密码
successful login returns generated JWT, which is used for all further requests.成功登录返回生成的 JWT，用于所有进一步的请求。

This App is available all over the internet, not just inside the same network as the server.此应用程序可在整个互联网上使用，而不仅仅是在与服务器相同的网络内。

I would like to have some kind of "automatic login" with Windows account (so you dont need to manually type the username/pass, but the SPA tries to login automatically when u open the Login page).我想使用 Windows 帐户进行某种“自动登录”（因此您不需要手动输入用户名/密码，但是当您打开登录页面时 SPA 会尝试自动登录）。

I tried many guides for something like this, but nothing seems to work properly.我为这样的事情尝试了很多指南，但似乎没有任何工作正常。

I heard that Kerberos/Auth0 should do the work, but I dont know how to implement it.我听说 Kerberos/Auth0 应该做的工作，但我不知道如何实现它。 Also I would still need to get that JWT for further requests.此外，我仍然需要获得 JWT 以获得进一步的请求。 Do I need some kind of Microsoft request?我需要某种 Microsoft 请求吗？ Azure? Azure？ Anything else?还要别的吗？ (If is needed, I can create another IIS application just with Login controller). （如果需要，我可以使用登录控制器创建另一个 IIS 应用程序）。

I hope you understand what I mean, and will be able to help!我希望你明白我的意思，并能提供帮助！

1 个解决方案

Most Modern Browsers speak SPNEGO 大多数现代浏览器都使用SPNEGO

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology.简单且受保护的 GSSAPI 协商机制 (SPNEGO)，通常发音为“spenay-go”，是客户端-服务器软件用来协商安全技术选择的 GSSAPI“伪机制”。

It just so happens that one of those client-server security technologies it can speak is Kerberos.碰巧它可以使用的客户端-服务器安全技术之一就是 Kerberos。 ( Windows machines generally have kerberos availble by default .). （ Windows 机器通常默认有 kerberos 可用。）。

So to actually get .NET to use kerberos authentication you really need to enable delegation for IIS as that's what speaks to the browser.因此，要真正让 .NET 使用 kerberos 身份验证，您确实需要为 IIS 启用委派，因为这就是浏览器的意思。