所谓的“最佳实践" WPF和WCF应用程序的用户身份验证/授权? [英] What is considered "best practice" for user authentication/authorization for WPF and WCF applications?

问题描述

说我有一个.NET富客户端(WPF)应用程序，该应用程序将同时在3种不同的场景中部署:

Say I have a .NET rich client (WPF) application that will be deployed in 3 different scenarios simultaneously:

1. 客户&服务器代码在单个进程中运行
2. 客户端代码在Intranet计算机上运行，​​并通过WCF与运行应用程序/域/基础结构代码的服务器通信
3. 与#2相同，但是客户端可以在防火墙之外的计算机上运行.用户和用户的自定义列表角色应集中维护(即凭据不基于Windows登录)

为该应用程序实现相同的用户授权/身份验证模型的简单，可靠的实践是什么?即，无论我如何部署应用程序，我都希望在表示层，应用程序层，域层等中使用相同的方法.

What is a simple, proven practice for implementing the same user authorization/authentication model for this application? I.e., I want to use the same approach in my presentation layer, application layer, domain layer, etc, regardless of how the application is deployed.

是否应该通过现有的Entity Framework模型在SQL数据库中明确维护用户/角色? Thread.CurrentPrincipal应该是需要授权某些应用程序功能的代码使用的方法，还是应该注入某些IUserService依赖项?

Should users/roles be explicitly maintained in my SQL database via my existing Entity Framework model? Should Thread.CurrentPrincipal be the approach used by code that needs to authorize certain app features, or should some IUserService be dependency-injected?

这是一个低调的应用程序，因此安全性不是至关重要的，它只是基本知识.

This is a low-profile application so security is not of critical importance -- just something basic.

谢谢

花了数小时研究基于WIF/基于声明的身份验证之后，我仍然看不到有关如何创建采用这种安全性的独立.NET桌面应用程序的任何指导.所有讨论均针对ASP.NET或WCF.我需要我的应用程序使用可以在分布式(WCF)和独立部署方案中使用的标准方法

After spending hours researching WIF / claims-based authentication, I still don't see any guidance on how to create a stand-alone .NET desktop application that employs this type of security. All discussions are geared to either ASP.NET or WCF. I need my application to use a standard approach that can be used in both distributed (WCF) and stand-alone deployment scenarios

推荐答案

看看这个.我想这就是您要寻找的东西:

Take a look at this.I presume it's what you're looking for:

https://gist.github.com/stonetip/8745656

var tokenHandler = new JwtSecurityTokenHandler();

        var convertedSecret = EncodeSigningToken(ConfigurationManager.AppSettings["ClientSecret"]);

        // Set the expected properties of the JWT token in the TokenValidationParameters
        var validationParameters = new TokenValidationParameters()
        {
            AllowedAudience = ConfigurationManager.AppSettings["AllowedAudience"],
            ValidIssuer = ConfigurationManager.AppSettings["Issuer"],
            SigningToken = new BinarySecretSecurityToken(convertedSecret)
        };

        Thread.CurrentPrincipal = tokenHandler.ValidateToken(token, validationParameters);

        if (HttpContext.Current != null)
        {
            HttpContext.Current.User = Thread.CurrentPrincipal;
        }

这篇关于所谓的“最佳实践" WPF和WCF应用程序的用户身份验证/授权?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！