
Securing and accessing a .NET core WebApi service using OAuth2

I have a working ASP.NET Core WebApi service that can be called from an ASP.NET Core MVC application. The service is called using an AutoRest generated wrapper. The service currently has no security layer while the website is secured using OAuth2.

I have added the following to the service:

public void ConfigureServices(IServiceCollection services)
{
    // Add framework services.
    services.AddApplicationInsightsTelemetry(Configuration);

    services.AddMvc();

    // NEW Authorisation: policy that only requires an "email" claim to be present
    services.AddAuthorization(options =>
    {
        options.AddPolicy("ApiAccess", policy => policy.RequireClaim("email"));
    });
}

My Controller is secured so:

[Authorize(Policy = "ApiAccess")]
public class StatusController : Controller

However I get an "Unauthorized" exception when I call the AutoRest wrapper:

try
{
    var service = new StatusAPI(new Uri("http://localhost:17237/"));
    ViewData["State"] = service.ApiStatusGet();
}
catch (Exception ex)
{
    ViewData["State"] = new[] { new ServiceStatus { Name = "Health API", Message = "Is unreachable " + ex.Message } };
}

I'm not sure if the problem lies in that I need a way to pass on the claims in my call to the wrapper or if it's in my setup of the service and how it detects the claims.

Please try specifying the value of the claim, like the allowed email address, as suggested here: https://docs.asp.net/en/latest/security/authorization/claims.html

Repeating the code:

options.AddPolicy("Founders", policy => policy.RequireClaim("EmployeeNumber", "1", "2", "3", "4", "5"));

Authorization cannot be done without authentication. You need to authenticate the user first, then look at its identity for granting access.

If you have a JWT provided by your OAuth2 AS, you may use the JWT authentication middleware.

public void ConfigureServices(IServiceCollection services)
{
  // add the authentication dependencies
  services.AddAuthentication();
}

public void Configure(IApplicationBuilder app)
{
  app.UseJwtBearerAuthentication(new JwtBearerOptions
  {
     // configure your JWT authentication here
  });
}

Of course the JWT should contain an "email" claim.

You can look at the ASP.NET Core sample: https://github.com/aspnet/Security/blob/dev/samples/JwtBearerSample/Startup.cs#L67
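The two halves the answer above describes, as an added example that is not code from either poster, written against the ASP.NET Core 1.x API this page uses: the API authenticates the bearer JWT before the "ApiAccess" policy runs, and the MVC site forwards the user's access token to the AutoRest wrapper. The Authority and Audience values are placeholders, `GetTokenAsync("access_token")` assumes the site's OAuth2 middleware stored the token (SaveTokens = true), and the `params DelegatingHandler[]` constructor is the one AutoRest normally generates.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
// ---- API side (Startup of the WebApi service) ----
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        services.AddAuthentication();
        // The JWT handler maps the incoming "email" claim to ClaimTypes.Email unless the
        // inbound map is cleared; without this RequireClaim("email") never matches.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
        services.AddAuthorization(options =>
            options.AddPolicy("ApiAccess", policy => policy.RequireClaim("email")));
    }
    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC so the policy sees a populated identity.
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            Authority = "https://auth.example.test", // assumption: your OAuth2 AS
            Audience = "status-api",                 // assumption: the API's audience
            RequireHttpsMetadata = true,             // never fetch signing keys over plain HTTP
            AutomaticAuthenticate = true
        });
        app.UseMvc();
    }
}
// ---- MVC side: forward the user's access token on every wrapper call ----
public class BearerTokenHandler : DelegatingHandler
{
    private readonly string _token;
    public BearerTokenHandler(string token) { _token = token; }
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, CancellationToken ct)
    {
        // Bearer tokens are credentials: outside local development the API URL must be HTTPS.
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _token);
        return base.SendAsync(req, ct);
    }
}
// In the MVC action (assumes the OAuth2 middleware stored the token with SaveTokens = true):
//   var token = await HttpContext.Authentication.GetTokenAsync("access_token");
//   var service = new StatusAPI(new Uri("http://localhost:17237/"), new BearerTokenHandler(token));
```

If the API still answers 401, check the token's `aud` and `iss` against the Audience and Authority configured here before looking at the policy; the policy is only evaluated once authentication succeeds.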
