What protocol to use with ADFS when securing a WebAPI for non-browser clients
Question
Our WebAPI endpoints are used for both browser-based clients (Angular) and non-browser-based clients (RestSharp), and the WebAPI is currently secured using passive WS-Federation as the protocol and ADFS as the STS. We currently use a rather convoluted workaround for the RestSharp clients, since passive WS-Federation really isn't optimal for non-browser clients, so we would like to find a better way to secure our WebAPI endpoints for these types of clients without having to replace ADFS or add extra infrastructure.
My understanding is that the OAuth2 "Resource Owner Password Credentials Grant" (grant_type=password) would support this scenario nicely, but unfortunately it is currently not supported by ADFS.
So, my question is this: is there a nice way to use the one OAuth2 flow that ADFS supports, namely the "Authorization Code Grant Flow" (grant_type=authorization_code), to support non-browser-based clients?
If this is not possible, can I secure WebAPI endpoints using WS-Trust and bearer tokens without resorting to using WCF?
Recommended answer
It turns out it was possible to use WS-Trust to get a SAML 2.0 token and a WebAPI to consume it, with a little help from Thinktecture IdentityModel. The following does not include claims transformation, so if you need to add claims to the Principal, a little more work is needed.
The OWIN startup for the WebAPI service needs to use the following from Thinktecture.IdentityModel.Owin:

// Accept SAML 2.0 bearer tokens only if they are addressed to this realm (audience)
// and signed by the ADFS token-signing certificate with the configured thumbprint.
app.UseSaml2BearerAuthentication(
    audience: new Uri(ConfigurationManager.AppSettings["FederatedSecurity.Realm"]),
    issuerThumbprint: ConfigurationManager.AppSettings["FederatedSecurity.Thumbprint"],
    issuerName: ConfigurationManager.AppSettings["FederatedSecurity.Authority"]);
For the client to request the SAML 2.0 token from ADFS:

// Placeholder: the realm/audience URI of your WebAPI, i.e. the same value the service
// configures as FederatedSecurity.Realm.
private static readonly string _audience = "https://yourWebApiRealm/";

private static SecurityToken RequestSecurityToken()
{
    // Username/password sent over TLS to the ADFS WS-Trust 1.3 "usernamemixed" endpoint.
    var trustChannelFactory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        new EndpointAddress(new Uri("https://yourAdfsServer/adfs/services/trust/13/usernamemixed"), new AddressHeader[0]))
    {
        TrustVersion = TrustVersion.WSTrust13,
        Credentials = { UserName = { UserName = @"u$ern@me", Password = "p@ssw0rd" } }
    };

    // Ask for a bearer (no proof key) SAML 2.0 token scoped to the WebAPI realm.
    var requestSecurityToken = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        KeyType = KeyTypes.Bearer,
        TokenType = TokenTypes.Saml2TokenProfile11,
        AppliesTo = new EndpointReference(_audience)
    };

    RequestSecurityTokenResponse response;
    var securityToken = trustChannelFactory.CreateChannel().Issue(requestSecurityToken, out response);
    return securityToken;
}
And for the client to call the service (using HttpClient, but RestSharp will also work):

// Placeholder: the WebAPI endpoint being called.
private static readonly string _restEndpoint = "https://yourWebApiHost/api/resource";

private static void CallService(SecurityToken token)
{
    using (HttpClient client = new HttpClient())
    {
        // The SAML assertion is XML, so it is base64-encoded to fit in the Authorization: Bearer header.
        client.SetBearerToken(Convert.ToBase64String(Encoding.UTF8.GetBytes(token.ToTokenXmlString())));
        var httpMessage = client.GetAsync(new Uri(_restEndpoint)).Result;
    }
}
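As an added example (not the answer's code, and not Thinktecture's implementation), this spells out the checks the service side must perform on every request carrying such a token: undo the base64 wrapping, parse the SAML 2.0 assertion, and reject it unless the audience matches the realm and the signing certificate is the pinned ADFS token-signing certificate. It uses the .NET 4.5 System.IdentityModel types; the method name and parameters are assumptions.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Text;
using System.Xml;

// Added example: explicit validation of a base64-wrapped SAML 2.0 bearer token taken
// from the Authorization header. Parameters map to the FederatedSecurity.* settings above.
public static class Saml2BearerValidator
{
    public static ClaimsIdentity Validate(string authorizationHeader, Uri audience,
                                          string issuerThumbprint, string issuerName)
    {
        const string scheme = "Bearer ";
        if (authorizationHeader == null || !authorizationHeader.StartsWith(scheme, StringComparison.Ordinal))
            throw new SecurityTokenException("Missing or non-Bearer Authorization header");

        // Undo the client's Convert.ToBase64String(UTF8(token XML)) wrapping.
        string tokenXml = Encoding.UTF8.GetString(
            Convert.FromBase64String(authorizationHeader.Substring(scheme.Length)));

        // Only the ADFS token-signing certificate with this thumbprint counts as a trusted issuer.
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(issuerThumbprint, issuerName);

        var handler = new Saml2SecurityTokenHandler
        {
            Configuration = new SecurityTokenHandlerConfiguration
            {
                // Audience: the assertion must be addressed to this WebAPI realm.
                AudienceRestriction = { AudienceMode = AudienceUriMode.Always, AllowedAudienceUris = { audience } },
                IssuerNameRegistry = issuers,
                // ADFS signing certificates are usually self-signed, so trust is pinned by
                // thumbprint via the registry instead of chain validation.
                CertificateValidator = X509CertificateValidator.None,
                MaxClockSkew = TimeSpan.FromMinutes(5)
            }
        };

        // ValidateToken verifies the XML signature and the NotBefore/NotOnOrAfter window; it throws on failure.
        using (var reader = XmlReader.Create(new StringReader(tokenXml)))
        {
            if (!handler.CanReadToken(reader))
                throw new SecurityTokenException("Authorization header does not carry a SAML 2.0 assertion");
            SecurityToken token = handler.ReadToken(reader);
            ReadOnlyCollection<ClaimsIdentity> identities = handler.ValidateToken(token);
            return identities[0];
        }
    }
}
```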