利用Active Directory的REST API的授权方法 [英] Authorization method for REST API utilising Active Directory

问题描述

满足以下要求的最佳方法是保护REST Web API的最佳方法.该系统具有一个Angular JS前端，该前端具有在ASP.net中实现的REST API.

What is the best method of securing a REST Web API with the following requirements. The system has an Angular JS frontend with the REST APIs implemented in ASP.net.

• 系统中有两个角色"，用户将拥有一个 角色.一个角色应该允许访问某些API(称为"VIEW")， 另一个角色允许访问其他API
• 所有用户都在Active Directory中，因此，如果我有用户名，则可以检查他们所扮演的角色-一些客户端在Windows框中，其他客户端在Linux上
• 我想保持会话状态，因此不必为每个API调用都查找AD
• 我想要单点登录.在Windows计算机上，我不需要他们输入用户并通过，因为我已经可以使用Windows身份验证来检索其用户名.

• There are two "roles" in the system, users will have one of the roles. One role should allows access to some APIs (call it "VIEW"), the other role allows access to other APIs
• All users are in Active Directory, so if I have a username, I can check what role they are in- Some clients are on Windows boxes, the others are on Linux
• I would like to persist the session so I don't have to look up AD for every API call
• I would like single sign on. On the Windows machines, I don't require them to enter user and pass as I already can retrieve their username using Windows Authentication.

我相信Oauth是我最好的选择.

I believe that Oauth would be my best option.

推荐答案

系统中有两个角色"，用户将具有其中一个角色. 一个角色应允许访问某些API(称为"VIEW")，另一个角色 角色允许访问其他API

There are two "roles" in the system, users will have one of the roles. One role should allows access to some APIs (call it "VIEW"), the other role allows access to other APIs

• 对于基于角色的身份验证，可以使用[Authorize("Role" ="Manager")].令牌将由身份服务器提供，并将包含声明作为角色".

所有用户都在Active Directory中，因此，如果我有用户名，则可以 检查他们所扮演的角色-一些客户端位于Windows框中， 其他都在Linux上

All users are in Active Directory, so if I have a username, I can check what role they are in- Some clients are on Windows boxes, the others are on Linux

• 如果您具有ADFS，则可以拥有一个信任ADFS的身份服务器. ADFS将提供一个令牌，该令牌将具有角色声明，并且您的Identity Server将进行声明转换，并将相同的Role声明返回给angular app.

我想保持会话状态，因此不必查找AD 每个API调用

I would like to persist the session so I don't have to look up AD for every API call

• 为此，在请求令牌时，您可以请求脱机作用域，这样身份服务器将为Refresh Token提供Access Token，因此您无需一次又一次地请求AD.
• For this while requesting the token, you can ask for offline scope so the Identity server will provide the Refresh Token with Access Token so you don't need to ask for AD again and again.

我想要单点登录.在Windows计算机上，我不需要 他们输入用户并通过，因为我已经可以检索他们的用户名了 使用Windows身份验证.

I would like single sign on. On the Windows machines, I don't require them to enter user and pass as I already can retrieve their username using Windows Authentication.

• 为此，您可以让您的身份服务器信任Windows身份验证的WSFederation.

因此，基本上，您需要设置身份服务器，该服务器将为您提供令牌，并且REST API将使用该令牌来验证声明，以将正确的信息返回给用户.

So basically you need to setup Identity server that will provide you with the token and the REST API will use that token to verify claims to return the correct information back to the user.

这篇关于利用Active Directory的REST API的授权方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！