使用自定义用户数据库的Web API令牌认证 [英] Web API token authentication with a custom user database

问题描述

我开发一个Web API 2.1服务需要连接的客户端（即我将创建和控制HTML5 / JS客户端）进行身份验证。不幸的是，用户信息（用户名，密码哈希，角色很多，很多详细信息）存储在现有的（SQL Server）的数据库，而我只有读权限。在用户数据库表创建5 - 6年前，没有任何参考的安全框架，所以这是一个完全自定义的格式。我不能做任何修改数据或者数据库结构。

I am developing a Web API 2.1 service that needs to authenticate the connecting clients (HTML5/JS clients that I will create and control). Unfortunately, the user information (username, password hashes, roles and much, much more info) is stored in an existing (SQL Server) database to which I only have read access. The Users database table was created 5-6 years ago without any reference to security frameworks, so it's a completely custom format. I'm not allowed to make any changes to either the data or the database structure.

按<一个启发href=\"http://www.$c$cproject.com/Articles/630986/Cross-Platform-Authentication-With-ASP-NET-Web-API\">this文章，我滚了验证用户身份的我自己的基于令牌的方法，但我缺乏利​​用已建立的安全框架的完整性和（再）保险。

Inspired by this article, I rolled my own token-based method of authenticating users, but I'm lacking the completeness and (re)assurance of using an established security framework.

是否有整合现有的框架，例如一种方式OAuth2用户，我当前的项目内给予我上面提到的限制？我不知道这有什么差别，但我使用OWIN自托管。

Is there a way to integrate an existing framework, e.g. OAuth2, within my current project given the constraints I mentioned above? I don't know if it makes any difference, but I'm self-hosting using OWIN.

编辑：我不知道为什么两个人downvoted这个问题 - 是不是真的那么糟吗？这是一个真正的问题，就我而言，我很想有一个答案（即使是的不，你不能这样做，因为... 的）。如果这些人能在注释说明自己的理由，那会是AP preciated。

I don't know why a couple of people downvoted this question - is it really that bad? It's a genuine question as far as I'm concerned, and I would love to have an answer (even if it's "no, you can't do that because..."). If those people can explain their reasons in a comment, that'd be appreciated.

推荐答案

这是一个很好的回答类似的问题。
它基本上是说：

This is a good answer to a similar question. It basically says:

• 请它实现了一个自定义的用户类 IUSER


• 定义自定义用户存储，它实现公共类UserStoreService
     ：IUserStore＆LT; CustomUser＆gt;中IUserPasswordStore＆LT; CustomUser＆GT;


• 电线的一切行动

既然答案是pretty广泛我只是提供了基本的步骤......
详情请看这里：<一href=\"http://stackoverflow.com/questions/20529401/how-to-customize-authentication-to-my-own-set-of-tables-in-asp-net-web-api-2\">How定制验证我自己的一套在asp.net网页API表2？

Since the answer is pretty extensive I just provided the basic steps... details are here: How to customize authentication to my own set of tables in asp.net web api 2?

这也同样适用于网页API一个非常有价值的内容：

This is also a very valuable content which also applies to web api:

定制ASP.NET验证通过身份通过的JumpStart

https://www.youtube.com/watch?v=uhfEAD2LqYw
这里是一个链接的另一个版本（因为链路被报告为死亡）：
https://www.youtube.com/watch?v=zKTseyrwr4o

心连心

这篇关于使用自定义用户数据库的Web API令牌认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！