如何做到应用程序(服务器到服务器)认证,OAuth 2.0用户,网络API 2.0 [英] How to do Application to application (server to server) authentication, OAuth 2.0, Web API 2.0
问题描述
我在有2个独立的ASP.NET MVC 5应用的项目。一种使用其它作为服务。基本上,应用之一是具有所有用户的个人资料信息,这样,在未来,其他应用程序可以使用该服务,用户不必设置多个帐户配置文件服务。这些应用程序内部的组织。对于认证和授权,我们使用Windows身份验证和智能卡。配置文件服务应用程序使用Web API 2.0。我没有设定OAuth 2.0呢。
I'm on a project that has 2 separate ASP.NET MVC 5 Applications. One uses the other as a service. Basically, one of the applications is a Profile Service that has all the profile information of users so that, in the future, other applications can use that service and users don't have to set up multiple accounts. These applications are internal to the organization. For authentication and authorization, we use Windows authentication and smart cards. The profile service app uses Web API 2.0. I have not set up OAuth 2.0 yet.
问题:因为目前的情况是,谁知道如何发送到配置文件服务可以这样做(如在查询字符串键入URL)的请求。
The problem: as it stands now, anyone who knows how to send a request to profile service can do so (like typing in a url with query strings).
我试图实现的:我想授权我的其它应用(目前只有一个......在未来,更多)。我不希望请求将基于使用的应用程序的用户的授权,但是应用程序本身。换句话说,如果个人主页服务的请求来自于应用程序,无论是谁登录并使用它,配置文件服务需要,作为一个授权的请求......如果它来自其他地方,它的拒绝。
What I'm trying to achieve: I want to authorize my other application (for now, only that one... in the future, more). I do not want the requests to be based on the authorization of the users using the application, but the application itself. In other words, if the request to profile service comes from that application, regardless of who is logged in and using it, the profile service takes that as an authorize request... if it comes from anywhere else, it's denied.
我已经做了一些研究。我找不到任何明确规定如何设置的。我已经找到了如何让您的应用授权谷歌服务或Twitter服务专...,告诉我如何设置客户端应用程序,而不是服务器应用程序(但即使客户端安装我不知道会是正确的东西,我的具体需求,因为它是一个内部应用程序,因为我不知道怎么谷歌服务工作等)。看来的OAuth 2.0令牌的路要走,但我要如何实现这个?我真的需要具体的,一步一步的答案(希望用一些code)。
I have already done some research. I can't find anything that clearly states how to set this up. I have found stuff on how to make your app authorized for Google Services or Twitter services specifically... that tells me how to set up the client application, not the server application (but even the client setup I'm not sure would be correct for my specific needs, since it's an internal app, since I don't know how the Google services work, etc). It seems OAuth 2.0 and tokens are the way to go, but how do I implement this? I need really specific, step-by-step answers (hopefully with some code).
感谢你这么多提前。我会回来检查中频繁。让我知道如果你需要更多的信息。
Thank you so much in advance. I will be checking back in frequently. Let me know if you need more info.
编辑:
哦!我忘了提!我们使用HTTPS,而不是HTTP ...这是否有任何影响?
Oh! I forgot to mention! We're using HTTPS, not HTTP... does this have any bearing?
推荐答案
的OAuth有不同的补助的类型,你需要的是客户端证书批准的应用程序本身。这是您将看到谷歌/ Facebook的的有所不同,因为没有重定向/浏览器交互。
OAuth has different grant types, the one you need is "client credentials" to authorize the application itself. This is different from the ones you see for google/facebook, since there is no redirect/browser interaction.
POST https://oauthEndpointurl/token?grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
客户端ID和客户端密钥发送到服务器,然后返回令牌,并可能刷新令牌,具体取决于你的实现。
Client ID and Client Secret is sent to the server and then the token is returned and possibly a refresh token depending on you're implementation.
然后你所有你需要做的就是发回的令牌在请求的报头。 (如果你使用一个库,然后它已经处理的。)
Then you all you need to do is send the token back in the header of the request. (if you're using a library then it's handled already.)
"Authorization: Bearer xxxxTOKENxxxxx"
结帐这篇文章上做的更多详细信息:
Checkout this article on DO for more details:
https://www.digitalocean.com/community/教程/一介绍到OAuth的2
这篇关于如何做到应用程序(服务器到服务器)认证,OAuth 2.0用户,网络API 2.0的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
