Cross platform authentication using ASP.NET Web API


Question

How do I even begin coding authentication using ASP.NET Web API so it is cross-platform to support desktop, mobile and web? I'd read of some methods of doing RESTful authentication, such as using tokens in the header.

Are there any example projects out there that utilize this method?

Questions:

  1. If not, how do I fix the [Authorize] attribute to read the token?
  2. How do I generate this token? I don't think I can use FormsAuthentication because that uses cookies.
  3. How do I handle the actual authorization? Does the client send the raw password and username and then I generate the token, or is there some other way?
  4. How do I handle it when my website is using it? I heard this is handled differently than when an app is using it, such as getting the domain and authorizing it.

Solution

I think tokens would be a solid way to go. Forms authentication is based on cookies for the web. Not the most ideal situation for all non-browser clients though.

What I'd suggest is creating a custom AuthorizationFilterAttribute and overriding the OnAuthorization method. In that method, you could check for the existence of a token that you've issued to the client after they've supplied valid credentials. You can use this attribute on any method or controller you want validated. Here's a sample you might reference:

    using System.Linq;
    using System.Net;
    using System.Net.Http;
    using System.Web.Http.Controllers;
    using System.Web.Http.Filters;

    public class AuthorizeTokenAttribute : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            if (actionContext != null)
            {
                if (!AuthorizeRequest(actionContext.ControllerContext.Request))
                {
                    // Setting a response here short-circuits the pipeline: the action never runs
                    // and the client receives the 401.
                    actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = actionContext.ControllerContext.Request };
                }
                return;
            }
        }

        private bool AuthorizeRequest(System.Net.Http.HttpRequestMessage request)
        {
            bool authorized = false;
            // Constants.TOKEN_HEADER holds the header name; it is defined elsewhere in the project.
            if (request.Headers.Contains(Constants.TOKEN_HEADER))
            {
                // Read the same header that was checked above.
                var tokenValue = request.Headers.GetValues(Constants.TOKEN_HEADER);
                if (tokenValue.Count() == 1)
                {
                    var value = tokenValue.FirstOrDefault();
                    // Token validation logic here
                    // set authorized variable accordingly
                }
            }
            return authorized;
        }
    }

TOKEN_HEADER is just a string representing an HTTP header that the client should pass back for authenticated requests.

So let's walk through it

  1. Client requests secure data
  2. Client is not authorized, return a response with an Unauthorized status code
  3. Client sends credentials to authenticate, which should be secured via HTTPS
  4. Once validated, client receives a token via an HTTP header, or whatever works for you
  5. Client tries requesting secure data again, this time attaching the token to the request
  6. The AuthorizeTokenAttribute will validate the token and allow the action to execute.

Also, check this post by John Petersen: Making your ASP.NET Web API’s secure
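The sample above leaves "Token validation logic here" as a placeholder, and the walk-through does not say what a token should look like. The following is an added example, not code from the answer or from any project it links to, that fills both gaps: a Constants class, a TokenService that issues and validates stateless HMAC-SHA256-signed tokens with an expiry, and the filter wired to it. The header name X-Auth-Token, the placeholder secret, the "Token" challenge scheme and the "AuthenticatedUser" property key are all assumptions.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Assumed header name; the answer only says TOKEN_HEADER is some string.
public static class Constants
{
    public const string TOKEN_HEADER = "X-Auth-Token";
}

// Stateless token: "<user>|<expiryUtcTicks>|<base64 HMAC-SHA256 over "<user>|<expiryUtcTicks>">".
// Nothing is stored server-side; the secret alone decides whether a token is trusted.
public static class TokenService
{
    // Placeholder: load a long random value from protected configuration instead.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("REPLACE-WITH-RANDOM-SECRET-FROM-CONFIG");

    // Called by the HTTPS login action once the credentials have been checked (steps 3 and 4).
    public static string Issue(string userName, TimeSpan lifetime)
    {
        if (string.IsNullOrEmpty(userName) || userName.Contains("|"))
            throw new ArgumentException("user name must be non-empty and must not contain '|'");
        var payload = userName + "|" + DateTime.UtcNow.Add(lifetime).Ticks;
        return payload + "|" + Sign(payload);
    }

    // Returns the user name for an intact, unexpired token; null for anything else.
    public static string Validate(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        var parts = token.Split('|');
        if (parts.Length != 3) return null;
        long expiry;
        if (!long.TryParse(parts[1], out expiry) || expiry < DateTime.UtcNow.Ticks) return null;
        byte[] presented;
        try { presented = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return null; }
        var expected = Convert.FromBase64String(Sign(parts[0] + "|" + parts[1]));
        return FixedTimeEquals(expected, presented) ? parts[0] : null;
    }

    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Constant-time comparison: the MAC check must not leak how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// The filter from the answer with its placeholder replaced by TokenService.Validate.
public class AuthorizeTokenAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext == null) return;
        var request = actionContext.ControllerContext.Request;
        if (AuthorizeRequest(request)) return;

        // Step 2: reject with 401 and advertise the scheme so the client knows to authenticate.
        actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request };
        actionContext.Response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Token"));
    }

    private static bool AuthorizeRequest(HttpRequestMessage request)
    {
        if (!request.Headers.Contains(Constants.TOKEN_HEADER)) return false;
        var values = request.Headers.GetValues(Constants.TOKEN_HEADER).ToList();
        if (values.Count != 1) return false;            // refuse requests carrying several tokens
        var user = TokenService.Validate(values[0]);
        if (user == null) return false;
        // Hand the identity to the action; "AuthenticatedUser" is an assumed property-bag key.
        request.Properties["AuthenticatedUser"] = user;
        return true;
    }
}
```

The login action (step 3) would call `TokenService.Issue(userName, TimeSpan.FromHours(8))` after checking the credentials and return the result in the Constants.TOKEN_HEADER response header; from then on the client sends that header on every request and the filter accepts it until the expiry passes. The token is signed, not encrypted, so the user name is readable and anyone holding the token can use it, which is why both the login call and the subsequent requests need HTTPS; changing the secret invalidates every outstanding token at once, which is the only revocation this stateless design offers.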
