在ASP.NET WebAPI中检索承载令牌 [英] Retrieve bearer token in ASP.NET WebAPI

问题描述

我有一个启用了身份验证的Web API(承载者令牌).这是由客户端应用程序调用的，我想保护它免受匿名使用，因此我想创建一个用户并为其创建一个承载令牌.

I have a Web API with authentication enabled (bearer token). This is called by a client application and I want to protect it from anonymous usage so I would like to create a single user and create a bearer token for it.

我可以通过调用 register 和 token 方法来创建令牌，但是我想通过代码来实现.

I can create the token by calling the register and token methods, but I would like to do this from code.

1. 据我所知，不记名令牌未存储在数据库中.可以使用ASP.NET Identity API以某种方式对其进行检索吗?

1. As far as I know, the bearer token is not stored in the database. Can it be retrieved somehow using the ASP.NET Identity API?

我还想通过代码创建此用户并将令牌保存在某个地方，因为我需要将数据库部署到多个服务器.

I would also like to create this user from code and save the token somewhere because I need to deploy the database to multiple servers.

推荐答案

如果您只有一个将与您的API对话的客户端，我不建议您采用这种方法，我的理解是您需要发布一个非常长寿的协议访问令牌可能已经使用了一年，并继续使用此令牌来访问后端API，对吗?如果该令牌被盗，您将怎么办?您无法撤消访问令牌，因此它就像您的主密钥(密码)一样.我的建议是将OAuth刷新令牌与访问令牌一起使用.这取决于您的客户端类型，您可以在此处检查操作方式

I do not recommend going with this approach if you have only one client who will talk to your API, my understanding that you need to issue a very very long lived access token maybe for a year and keep using this token to access the back-end API, right? What you will do if this token is stolen? You can't revoke the access token, so it is somehow like your master key (password). My recommendation is to use OAuth refresh tokens along with access tokens. This depends on the type of your client, you can check how this is done here http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ The refresh tokens can be revoked and they can expire after a very long time. Let me know if you need further details to implement this.

这篇关于在ASP.NET WebAPI中检索承载令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！