在Web API中混合使用Windows身份验证和个人帐户 [英] Mix Windows Authentication and individual accounts in web api
问题描述
我有一个使用个人帐户并正确发行令牌的Web API.我对其进行了修改,以接受来自本机应用程序的社交身份验证.
I have a web API that use Individual accounts and issue tokens properly. I modified it to accept social authentication from native application.
现在,我想为内部员工添加使用其域凭据访问该API的选项,而不是创建新的用户名和密码.
Now, I want to add options for internal employees to access that API using their domain credentials rather than creating new username and password.
员工应调用api/令牌以获得令牌,但是,他们将在主体(域凭据)中传递.
Employees should call the api/token to get a token, however, they will pass in the body, the domain credential.
关于如何区分普通用户名和密码以及域凭据以及在何处进行更改的任何想法?
Any ideas on how to differentiate between normal username and password and domain credentials, and where to do the changes exactly?
推荐答案
我成功了,但是我只是想确保自己没有遇到安全问题,并且随时准备发表任何评论.
I succeeded, but I just want to make sure I didn't put myself in security troubles, and I'm ready for any comment.
首先,我所做的所有更改都位于提供程序文件中:ApplicationOAuthProvider.cs:
First, all what I changed is within the provider file: ApplicationOAuthProvider.cs:
-
创建新的私有变量,以定义客户端是否要使用Domain登录:
create new private variable to define whether client wants to login using Domain:
private bool DomainUser = false;
修改了负责发行令牌的第一个任务,因此它在请求正文中检查新参数(DomainUser):grant_type=password&username=username&password=password&DomainUser=true:
public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
// Resource owner password credentials does not provide a client ID.
if (context.ClientId == null)
{
DomainUser = context.Parameters["DomainUser"] == "true";
context.Validated();
}
return Task.FromResult<object>(null);
}
修改了验证用户名和密码的任务,因此首先它将检查这是否是对DomainUser的请求,并通过域进行身份验证,否则它将照常继续:
Modified the task that verify the username and password, so first it will check if this is a request for a DomainUser, and authenticate with domain, otherwise, it will continue as usual:
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
ApplicationUser user;
if (DomainUser && IsValidCredentials(context.UserName, context.Password, "MyDomain"))
user=await PrepareDomainUser(context);
else
user = await userManager.FindAsync(context.UserName, context.Password);
函数IsValidCredentials将使用域验证凭据(您需要添加对System.DirectoryServices.AccountManagement的引用):
where the function IsValidCredentials will verify the credentials with the domain (You need to add reference to System.DirectoryServices.AccountManagement):
private static bool IsValidCredentials(string Username, string Password, string Domain)
{
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, Domain))
{
return pc.ValidateCredentials(Username, Password);
}
}
,如果是第一次,则PrepareDomainUser将创建没有密码的应用程序用户:
and the PrepareDomainUser will create, if this is the first time, the application user, without password:
private async Task<ApplicationUser> PrepareDomainUser(OAuthGrantResourceOwnerCredentialsContext context)
{
var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
ApplicationUser user = await userManager.FindByEmailAsync(context.UserName);
if (user == null)
{
user = new ApplicationUser() { UserName = context.UserName, Email = context.UserName };
IdentityResult result = await userManager.CreateAsync(user);
}
return user;
}
这篇关于在Web API中混合使用Windows身份验证和个人帐户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
