使用承载令牌在网络外部禁止Web API 403 [英] Web API 403 Forbidden Outside of Network Using Bearer Token

问题描述

我有一个使用oAuth2的Web API，其中包含允许匿名和安全调用的API的混合.我已将代码部署到网络上的单独服务器上，并使用RESTer(类似于POSTMAN)进行了验证，以确保调用能够正常工作.如果我从网络外部进行相同的呼叫，则只有设置为使用ExternalBearer令牌的呼叫才会失败.匿名呼叫成功.

I have a Web API using oAuth2 that has a mixture of APIs that allow Anonymous and Secured calls. I've deployed the code to a separate server on my network and verified using RESTer (similar to POSTMAN) that the calls work. If I make the same calls from outside the network, only the calls that are set to use the ExternalBearer token fail. Anonymous calls succeed.

我签出了对我不起作用的解决方案.禁止使用HTTP 403:拒绝访问ASP.NET Web API

I checked out this solution which did not work for me. HTTP 403 Forbidden: Access is denied ASP.NET Web API

我还确保在部署服务器上，该用户帐户可以使用完全控制"权限访问该目录.

I've also ensured on the deployment server that the user account has access to the directory with Full Control.

我的匿名呼叫(在/token呼叫旁边)具有[AllowAnonymous]和[HttpPost]批注.我的安全呼叫具有[HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)]和[HttpPost]批注.

My anonymous calls (beside the /token call) have the [AllowAnonymous] and [HttpPost] annotations. My secure calls have the [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)] and [HttpPost] annotations.

[Authorize]
[RoutePrefix("api/Lookups")]
public class MySettingsClass : ApiController

    /* Constructor omitted for readability*/

    [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)]
    [HttpPost]
    [Route("GetSettings")]
    public Settings GetSettings(GetSettingsCommand command)
    {
        //Do something here
        return settings;
    }

在这一点上，我怀疑IIS在某种程度上没有正确配置，或者防火墙正在做某事，但是我不确定.我检查了服务器上的IIS日志，可以看到请求传入.不幸的是，该日志只显示了收到请求的内容.日志的sc-status状态为401，与所示的403不同.

At this point I suspect IIS isn't configured properly in some way or a firewall is doing something, but I'm not sure. I checked the IIS logs on the server and I can see the request coming in. Unfortunately the log says nothing more than it received the request. The log does give an sc-status of 401 for the request which is different than the 403 that is shown.

在客户端显示的实际403错误:

Actual 403 Error shown on the client side:

403 Forbidden ( The server denied the specified Uniform Resource Locator(URL). Contact the server administrator.)

更新:启用IIS失败的请求跟踪时，我会在日志中收到此警告.

Update: When I enable IIS Failed Request Tracing I get this warning in the log.

 ModuleName="ManagedPipelineHandler", Notification="EXECUTE_REQUEST_HANDLER", HttpStatus="401", HttpReason="Unauthorized", HttpSubStatus="0", ErrorCode="The operation completed successfully.(0x0)", ConfigExceptionInfo=""

推荐答案

存在一个防火墙问题，该问题专门阻止客户端直接进行身份验证.我必须拥有一个IT资源来打开Forefront TMG属性，进入身份验证委派"选项卡，并将该​​方法设置为没有委派，并且客户端无法直接进行身份验证"之外的其他方法.

There was a firewall issue that was specifically blocking clients from directly authenticating. I had to have an IT resource open Forefront TMG properties, go into the Authentication Delegation tab, and set the method to something other than "No delegation, and client cannot authenticate directly"

该SO线程可能是相同的解决方案，但发布者并未确切提及其解决方案:

This SO thread is likely the same solution but the poster doesn't mention exactly what their solution was: WebAPI : 403 Forbidden after publish website

这篇关于使用承载令牌在网络外部禁止Web API 403的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！