Secure 2 different web applications with one identity service


Problem description

Secure 2 different web applications with one identity service

Identity Service: Thinktecture Identity Service V2
Application 1: Asp.net MVC 5 application
Application 2: Asp.net Web API application

The above Application 1 and Application 2 are different projects and hosted on different servers. Now my scenarios are
1. Want to secure Application 1 with the Identity Service.
2. Want to secure Application 2 with the Identity Service.

Use case 1: If a user accesses Application 1 it should redirect to the identity service login page; once I have entered the credentials and logged in to Application 1, the same token should allow me to access Application 2.
Use case 2: If a user tries to access any API from Application 2 without logging in to the identity service, the request should be rejected.

Answer

OK. I did exactly the same thing just now. Everything required to get that done is written here: http://www.cloudidentity.com/blog/2013/01/09/USING-THE-JWT-HANDLER-FOR-IMPLEMENTING-POOR-MAN-S-DELEGATION-ACTAS/. If you're using IdentityServer, you need to configure the Token Type of your RP to be JWT:


This allows you to later extract the token from your authenticated MVC 5 application (see the link above to see how to do this) and then send that token to your Web API. You then need to tell your Web API to accept that token, using Microsoft's JwtSecurityTokenHandler class. This class has a ValidateToken() method which accepts 2 parameters: the first is the access token that you put into the auth headers of the requests to the Web API, and the second, the validation parameters, is basically what you've defined in IdentityServer's config:

    // Validation parameters for Microsoft's JwtSecurityTokenHandler (System.IdentityModel.Tokens.Jwt).
    // _allowedAudiencesAndSigningKeys maps each audience (realm) defined in IdentityServer
    // to that relying party's base64-encoded symmetric signing key.
    validationParams = new TokenValidationParameters
    {
        // audiences (realms) the Web API will accept tokens for
        AllowedAudiences = _allowedAudiencesAndSigningKeys.Select(x => x.Key),
        // issuer name as configured in IdentityServer; stored in appSettings here
        ValidIssuer = ConfigurationManager.AppSettings["IssuerIdentity"],
        ValidateIssuer = true,
        // symmetric keys shared with IdentityServer, used to verify the token signature
        SigningTokens = _allowedAudiencesAndSigningKeys.Select(x => new BinarySecretSecurityToken(Convert.FromBase64String(x.Value)))
    };

These are the audience(s)/realm(s) you want to allow access to, the issuer name (your Identity Server name) and the symmetric signing key(s) of the applications you have defined in Identity Server and want to grant access to. The ValidateToken() method returns a ClaimsPrincipal with a list of the claims extracted from the token. The code to do all this can be put in a message handler:

// Registers the token-validating message handler with Web API so it runs for every request.
public static void Configure(HttpConfiguration config)
{
    // AuthenticationConfiguration comes from Thinktecture.IdentityModel; it is created here but not used by this snippet.
    var authNConfig = new AuthenticationConfiguration();
    config.MessageHandlers.Add(new MyTokenValidationHandler());
}
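As an added example (not code from the original answer, nor from Thinktecture or Microsoft), here is one way to fill in the MyTokenValidationHandler registered above, together with the MVC 5 side that forwards the token to the Web API. It assumes Web API 2 (for GetRequestContext()), the v2-era System.IdentityModel.Tokens.Jwt API the answer uses (AllowedAudiences/SigningTokens and the two-argument ValidateToken), and appSettings keys IssuerIdentity, MvcAppRealm and SharedSigningKey, which are my own naming; the MVC side assumes saveBootstrapContext="true" on <identityConfiguration> in Web.config so the JWT issued by IdentityServer is kept on the signed-in identity.

```csharp
// Added example: Web API side rejects every request without a valid JWT (use case 2);
// MVC side forwards the bootstrap JWT as a Bearer token (use case 1).
// Names such as MyTokenValidationHandler and the appSettings keys are assumptions.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Tokens;   // JwtSecurityTokenHandler, TokenValidationParameters, BinarySecretSecurityToken, BootstrapContext
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

public class MyTokenValidationHandler : DelegatingHandler
{
    // Audience (realm) -> base64 symmetric signing key, as configured per relying party in IdentityServer.
    // The MVC app's realm is listed because the MVC app forwards the token it received for itself.
    private static readonly IDictionary<string, string> AllowedAudiencesAndSigningKeys =
        new Dictionary<string, string>
        {
            { ConfigurationManager.AppSettings["MvcAppRealm"], ConfigurationManager.AppSettings["SharedSigningKey"] }
        };

    private static readonly TokenValidationParameters ValidationParams = new TokenValidationParameters
    {
        AllowedAudiences = AllowedAudiencesAndSigningKeys.Keys,
        ValidIssuer = ConfigurationManager.AppSettings["IssuerIdentity"],
        ValidateIssuer = true,
        SigningTokens = AllowedAudiencesAndSigningKeys.Values
            .Select(k => new BinarySecretSecurityToken(Convert.FromBase64String(k)))
            .ToList()
    };

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        if (auth == null
            || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrWhiteSpace(auth.Parameter))
        {
            return Unauthorized(request);   // no token at all: reject before any controller runs
        }

        ClaimsPrincipal principal;
        try
        {
            // Verifies signature, issuer, audience and lifetime; throws if any check fails.
            principal = new JwtSecurityTokenHandler().ValidateToken(auth.Parameter, ValidationParams);
        }
        catch (SecurityTokenException)
        {
            return Unauthorized(request);   // bad signature, wrong issuer/audience, expired or not yet valid
        }
        catch (ArgumentException)
        {
            return Unauthorized(request);   // not a well-formed JWT
        }

        // Expose the claims to [Authorize] and to controllers.
        Thread.CurrentPrincipal = principal;
        request.GetRequestContext().Principal = principal;

        return await base.SendAsync(request, cancellationToken);
    }

    private static HttpResponseMessage Unauthorized(HttpRequestMessage request)
    {
        var response = request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
        return response;
    }
}

// MVC 5 side: with saveBootstrapContext="true", the raw JWT from IdentityServer is available
// on the identity and can be forwarded to the Web API unchanged.
public static class ApiClient
{
    public static async Task<string> GetFromApiAsync(string url)
    {
        var identity = (ClaimsIdentity)ClaimsPrincipal.Current.Identity;
        var bootstrap = identity.BootstrapContext as BootstrapContext;
        if (bootstrap == null || string.IsNullOrEmpty(bootstrap.Token))
            throw new InvalidOperationException("No bootstrap token on the identity; is saveBootstrapContext enabled?");

        using (var client = new HttpClient())
        {
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", bootstrap.Token);
            var response = await client.GetAsync(url);   // url must be https: this is a bearer token
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

Requests without a Bearer token, or with one whose signature, issuer, audience or lifetime fails validation, get a 401 before any controller code runs. Because the MVC app forwards the token IdentityServer issued for its own realm, the Web API has to list that realm among its allowed audiences and hold the same symmetric key; that is the "poor man's delegation" of the linked post, and it means the key must be protected on both servers and the call must go over HTTPS, since anyone holding the bearer token can call the API with it.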
