
Accessing/Securing RESTful service OAuth2

I'm trying to write a RESTful service which has more than one endpoint, like

Assume each endpoint call is secured by a role.

  1. GetEmployees (Role/Claim = Employee.Readonly or Employee.Edit or Employee.Admin)
  2. AddEmployee (Role/Claim = Employee.Edit or Employee.Admin)
  3. UpdateEmployee (Role/Claim = Employee.Edit or Employee.Admin)
  4. DeleteEmployee (Role/Claim = Employee.Admin)

With Implicit flow, it is pretty straightforward: just check the roles claim and we are done.
My confusion is for client credential flow, how to map scopes to roles here?

Let's assume that you have the following situation for the Client Credentials approach:

using IdentityModel.Client;   // TokenClient and SetBearerToken come from the IdentityModel package
using System.Net.Http;

// Ask the identity server for a client-credentials token (no user is involved).
var tokenClient = new TokenClient(
            BaseAddress + "/connect/token",
            "clientId",
            "clientSecret");

var tokenResult = tokenClient.RequestClientCredentialsAsync(scope: "my.api").Result;

var accessToken = tokenResult.AccessToken;

// Call the protected API, presenting the token as a Bearer credential.
var apiClient = new HttpClient();
apiClient.SetBearerToken(accessToken);
var data = apiClient.GetStringAsync("https://protectedapiaddress/api/data/getdata").Result;

Where BaseAddress is your IDS address.

Of course you will have to register your client in the IDS clients list with the appropriate flow (Client Credentials), and the scope is just optional, but I guess you will need one.

Then on the API side you can use the new Policy-based authorization.

API method:

[HttpGet]
[Authorize(Policy = "AdminUser")]
[Route("getdata")]
public Data GetData()
{
  // some code here
}

And the Authorization Requirement:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// The class is both the requirement and its handler; the framework's pass-through handler
// invokes it, so no separate handler registration is needed.
public class AdminUserRequirement : AuthorizationHandler<AdminUserRequirement>, IAuthorizationRequirement
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AdminUserRequirement requirement)
    {
        // Replace with your own rule; this one checks the scope claim shown below.
        if (!context.User.HasClaim("scope", "my.api"))
        {
            context.Fail();
        }
        else
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

In the claims you will have

    {
       "scope" : "my.api",
       "clientId" : "clientId"
    }

and more. And then you can apply the rules.

EDIT: Forgot to mention - you have to register the policies in your Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    services
            .AddMvcCore()
            .AddAuthorization(options =>
            {
                    options.AddPolicy("AdminUser",
                    policy => policy.Requirements.Add(new AdminUserRequirement()));
            });

    // More code here

}
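As an added example (not code from the answer above, nor from IdentityServer or ASP.NET Core), here is one way to answer the scope-to-role mapping question directly: register one policy per endpoint from the question, each satisfied either by a role claim from an interactive user's token or by a scope claim from a client-credentials token. The claim type names and the scope values are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;

public static class EmployeePolicies
{
    // Claim type names are assumptions; use whatever your token issuer emits.
    private const string RoleClaimType = "role";
    private const string ScopeClaimType = "scope";

    // Policy -> role claims (implicit flow, a user) and scope values (client credentials, a client).
    // Scope names like "employee.read" are invented for this example.
    private static readonly (string Policy, string[] Roles, string[] Scopes)[] Map =
    {
        ("Employee.Read",   new[] { "Employee.Readonly", "Employee.Edit", "Employee.Admin" },
                            new[] { "employee.read", "employee.write", "employee.admin" }),
        ("Employee.Write",  new[] { "Employee.Edit", "Employee.Admin" },
                            new[] { "employee.write", "employee.admin" }),
        ("Employee.Delete", new[] { "Employee.Admin" },
                            new[] { "employee.admin" }),
    };

    // Call from Startup.ConfigureServices: services.AddAuthorization(EmployeePolicies.Register);
    // Then put [Authorize(Policy = "Employee.Read")] on GetEmployees, "Employee.Write" on
    // AddEmployee/UpdateEmployee and "Employee.Delete" on DeleteEmployee.
    public static void Register(AuthorizationOptions options)
    {
        foreach (var (policy, roles, scopes) in Map)
        {
            options.AddPolicy(policy, p => p.RequireAssertion(ctx =>
                HasAnyRole(ctx.User, roles) || HasAnyScope(ctx.User, scopes)));
        }
    }

    private static bool HasAnyRole(ClaimsPrincipal user, string[] roles) =>
        user.HasClaim(c => c.Type == RoleClaimType && roles.Contains(c.Value, StringComparer.Ordinal));

    // A scope claim may appear once per scope or as one space-separated value; handle both.
    private static bool HasAnyScope(ClaimsPrincipal user, string[] scopes)
    {
        var granted = user.FindAll(ScopeClaimType)
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries));
        return granted.Intersect(scopes, StringComparer.Ordinal).Any();
    }
}
```

Because a client-credentials token carries no user, keep the "clientId" claim in your request logs so that each call made under these scope-based policies can be traced back to the registered client.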
