Basic Angular SPA connected with .NET Web API - implement SSO
I will try to describe this in as much detail as possible.
For using the SPA, you need to be logged in; every request is authenticated by JWT. Login is a simple form with Username and Password fields, which are sent to the server. On the server, there are two types of login (kinda) - AD and Password (determined by the user type):
This App is available all over the internet, not just inside the same network as the server.
I would like to have some kind of "automatic login" with a Windows account (so you don't need to manually type the username/pass, but the SPA tries to log in automatically when you open the Login page).
I tried many guides for something like this, but nothing seems to work properly.
I heard that Kerberos/Auth0 should do the work, but I don't know how to implement it. Also I would still need to get that JWT for further requests. Do I need some kind of Microsoft request? Azure? Anything else? (If needed, I can create another IIS application just with a Login controller).
I hope you understand what I mean, and will be able to help!
Most Modern Browsers speak SPNEGO
Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology.
It just so happens that one of those client-server security technologies it can speak is Kerberos. (Windows machines generally have Kerberos available by default.)
So to actually get .NET to use Kerberos authentication you really need to enable delegation for IIS as that's what speaks to the browser.
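The SPNEGO negotiation described in the answer can be checked on the wire: the server answers 401 with `WWW-Authenticate: Negotiate`, the browser retries with `Authorization: Negotiate <base64 token>`, and that token shows whether Kerberos was offered or the client fell back to NTLM. The following is an added diagnostic, not code from the original question or answer; the function names and the sample token are constructed for illustration.

```python
import base64
# DER-encoded OID bodies (the bytes after the 0x06 tag and its length byte).
SPNEGO = bytes.fromhex("2b0601050502")                # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (legacy Microsoft)
    bytes.fromhex("2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, pos, pos + length

def offered_mechs(token):  # mechanisms in a SPNEGO NegTokenInit, most preferred first
    _, pos, _ = read_tlv(token, 0)             # GSS-API wrapper, tag 0x60
    tag, start, pos = read_tlv(token, pos)     # OID naming the wrapped mechanism
    if token[0] != 0x60 or tag != 0x06 or token[start:pos] != SPNEGO:
        raise ValueError("not a SPNEGO initial token")
    # Descend: NegTokenInit [0] -> SEQUENCE -> mechTypes [0] -> SEQUENCE OF OID
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        tag, pos, end = read_tlv(token, pos)
        if tag != expected:
            raise ValueError("unexpected DER structure")
    mechs = []
    while pos < end:
        _, start, pos = read_tlv(token, pos)
        mechs.append(MECHS.get(token[start:pos], "other"))
    return mechs

def classify_authorization(header_value):  # value of an HTTP Authorization header
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):   # raw NTLM message sent under Negotiate
            return "ntlm"
        return (offered_mechs(token) or ["invalid"])[0]
    except (ValueError, IndexError):
        return "invalid"

# Constructed sample (not captured traffic): NegTokenInit offering Kerberos, then NTLM.
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba019301706092a864882f712010202060a2b06010401823702020a")).decode()
```

A result of `ntlm` means the client did not lead with a Kerberos ticket for the site, so the request was not authenticated with Kerberos even though the header says `Negotiate`.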