
Authentication between mvc and webapi (Separate domains/Applications)

I'm looking for good ideas/resources/implementations for the following scenario:

A MVC website at http://mywebsite.com

A Webapi REST service at http://myapi.com

IMPORTANT -- Please notice the separate domains/Applications.

A user logs in at the website and data is fetched from the API via JSONP/CORS.

Obviously I don't want the user to authenticate on the webapi using basic authentication. But the API is also exposed to Android/iOS apps, so I need the basic auth.

I've thought about returning a token from the MVC site and then writing a DelegatingHandler at the webapi site to authenticate using that token, but I would like some inputs, or perhaps even better solutions.

I made a pretty diagram just for the occasion:

[diagram]

Although JSONP works, also consider using CORS; some examples of WebApi implementation here.

Consider following a standard (at least a draft) for your token rather than creating your own. Json Web Token (JWT) seems to be a good approach; the specification here includes the format and determines the encryption or signing approach. There are libraries to support this kind of token such as the Thinktecture Identity Model; this article covers some of the usage of that library and the JWT. Google have a good dev guide here.

Disclaimer: only consider the above having read about some of the OAuth and JWT standardization criticisms.

If you did use a HTTP header, I am not sure you need a custom header (@Vipul); the "Authorization:" header is there for this kind of information.

If you are using a custom token, ensure it has an expiration date, consider using a nonce if you want to protect against replay attacks, and sign or encrypt using a well known algorithm.

Agree with you that a delegating handler is a good place to put token validation. An ActionFilter is called much later than necessary in the stack, and the middle ground would be to implement System.Web.Http.AuthorizeAttribute.
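As an added example (not code from the question or from either answer), here is what the approach described in this answer looks like on the API side: a DelegatingHandler that reads the standard Authorization header, verifies an HMAC-SHA256 signature and an expiry before any controller runs, and fails closed with a 401 otherwise. The TokenAuthHandler name, the `user|expiryTicks.signature` token layout and the shared-secret placeholder are assumptions for this example; the answer's own advice is to use a JWT library rather than a home-grown format.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
// Hypothetical Web API message handler, not from the question. It expects
// "Authorization: Bearer <user>|<expiryUtcTicks>.<base64 HMAC-SHA256 of the part before the dot>";
// the token layout and the signing key are assumptions made for this example.
public class TokenAuthHandler : DelegatingHandler
{
    // Placeholder: the real key is shared with the MVC site through configuration, never hard-coded.
    private static readonly byte[] SigningKey = Encoding.UTF8.GetBytes("REPLACE_WITH_SHARED_SECRET");
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        string user; AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Bearer" || !TryValidate(auth.Parameter, DateTime.UtcNow, out user))
        {
            // Fail closed: an unauthenticated request never reaches a controller.
            var response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            return response;
        }
        // Expose the identity so [Authorize] and controllers further down the stack can use it.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user, "Token"), new string[0]);
        return await base.SendAsync(request, cancellationToken);
    }
    // Checks the HMAC first, then the expiry; only a token passing both yields a user name.
    public static bool TryValidate(string token, DateTime nowUtc, out string user)
    {
        user = null;
        int dot = token == null ? -1 : token.LastIndexOf('.'); if (dot < 1) return false;
        string payload = token.Substring(0, dot);
        byte[] presented, expected;
        try { presented = Convert.FromBase64String(token.Substring(dot + 1)); }
        catch (FormatException) { return false; }
        using (var hmac = new HMACSHA256(SigningKey)) expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
        // Constant-time comparison: the outcome does not depend on how many leading bytes matched.
        int diff = presented.Length ^ expected.Length;
        for (int i = 0; i < Math.Min(presented.Length, expected.Length); i++) diff |= presented[i] ^ expected[i];
        if (diff != 0) return false;
        string[] parts = payload.Split('|'); long expiryTicks;
        if (parts.Length != 2 || !long.TryParse(parts[1], out expiryTicks)) return false;
        if (new DateTime(expiryTicks, DateTimeKind.Utc) <= nowUtc) return false; // expired tokens are rejected
        user = parts[0]; return true;
    }
}
```

Register it with `config.MessageHandlers.Add(new TokenAuthHandler())` in the Web API configuration so it runs before routing and filters; the MVC site must issue tokens with the same key and format.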

Token solution sounds good.

Get the authentication token from the MVC application; you can send that token with each API request in some custom header. Create an ActionFilterAttribute and in OnActionExecuting you can verify the token and act accordingly.
