What protocol to use with ADFS when securing WebAPI for non-browser clients


Question

Our WebAPI endpoints are used for both browser-based clients (Angular) and non-browser-based clients (RestSharp), and the WebAPI is currently secured using passive WS-Federation as the protocol and ADFS as the STS. We currently use a rather convoluted workaround for the RestSharp clients, since passive WS-Federation really isn't optimal for non-browser clients, so we would like to find a better way to secure our WebAPI endpoints for these types of clients without having to replace ADFS or add extra infrastructure.

My understanding is that the OAuth2 "Resource Owner Password Credentials Grant" (grant_type=password) would support this scenario nicely, but unfortunately it is currently not supported by ADFS.

So, my question is this: is there a nice way to use the one OAuth2 flow that ADFS supports, namely the "Authorization Code Grant Flow" (grant_type=authorization_code), to support non-browser-based clients?

If this is not possible, can I secure WebAPI endpoints using WS-Trust and bearer tokens without resorting to using WCF?

Accepted answer

It turns out it was possible to use WS-Trust to get a SAML 2.0 token and have a WebAPI consume it, with a little help from Thinktecture IdentityModel. The following does not include claims transformation, so if you need to add claims to the Principal, a little more work is needed.

The OWIN startup for the WebAPI service needs to use the following from Thinktecture.IdentityModel.Owin:

// Accept SAML 2.0 bearer tokens only if they name this API as the audience
// and are signed by the ADFS certificate with the configured thumbprint.
app.UseSaml2BearerAuthentication(
    audience: new Uri(ConfigurationManager.AppSettings["FederatedSecurity.Realm"]),
    issuerThumbprint: ConfigurationManager.AppSettings["FederatedSecurity.Thumbprint"],
    issuerName: ConfigurationManager.AppSettings["FederatedSecurity.Authority"]);

For the client to request the SAML 2.0 token from ADFS:

private static SecurityToken RequestSecurityToken()
{
    // WS-Trust 1.3 username/password endpoint on ADFS; credentials travel over TLS
    // (TransportWithMessageCredential) in the SOAP message.
    var trustChannelFactory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        new EndpointAddress(new Uri("https://yourAdfsServer/adfs/services/trust/13/usernamemixed"), new AddressHeader[0]))
    {
        TrustVersion = TrustVersion.WSTrust13,
        Credentials = { UserName = { UserName = @"u$ern@me", Password = "p@ssw0rd" } }
    };

    // Ask for a bearer (no proof key) SAML 2.0 assertion scoped to the WebAPI's realm.
    var requestSecurityToken = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        KeyType = KeyTypes.Bearer,
        TokenType = TokenTypes.Saml2TokenProfile11,
        AppliesTo = new EndpointReference(_audience)
    };

    RequestSecurityTokenResponse response;
    var securityToken = trustChannelFactory.CreateChannel().Issue(requestSecurityToken, out response);

    return securityToken;
}

And for the client to call the service (using HttpClient, but RestSharp will also work):

private static void CallService(SecurityToken token)
{
    using (HttpClient client = new HttpClient())
    {
        // The middleware expects the raw assertion XML, base64-encoded, in the
        // Authorization: Bearer header.
        client.SetBearerToken(Convert.ToBase64String(Encoding.UTF8.GetBytes(token.ToTokenXmlString())));
        var httpMessage = client.GetAsync(new Uri(_restEndpoint)).Result;
    }
}
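To make clear what the three `UseSaml2BearerAuthentication` parameters actually enforce on the server, here is an added example (not the answer's code and not Thinktecture's implementation) that performs the same relying-party checks with the WIF classes in `System.IdentityModel` (.NET 4.5): the base64 bearer value is decoded back to assertion XML, the signing certificate is pinned by thumbprint through an issuer name registry, the `<Audience>` must match the API's realm, and the handler rejects assertions outside their `NotBefore`/`NotOnOrAfter` window. The `Saml2BearerValidator` class, its `Validate` method and the placeholder argument values are assumptions introduced for this example.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Text;
using System.Xml;

// Added example (hypothetical helper): validates the bearer value the client above
// sends, mirroring the audience / issuer thumbprint / issuer name checks configured
// in app.UseSaml2BearerAuthentication. Not the middleware's own code.
public static class Saml2BearerValidator
{
    public static ClaimsPrincipal Validate(string bearerValue, Uri audience,
                                           string issuerThumbprint, string issuerName)
    {
        // 1. Undo the client's encoding: Base64(UTF8(assertion XML)).
        string tokenXml = Encoding.UTF8.GetString(Convert.FromBase64String(bearerValue));

        // 2. Trust exactly one signing certificate (by SHA-1 thumbprint) and map it to the
        //    issuer name that ends up in Claim.Issuer. Any other signer is rejected.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(issuerThumbprint, issuerName);

        var config = new SecurityTokenHandlerConfiguration
        {
            IssuerNameRegistry = registry,
            // The assertion's <Audience> must name this API; otherwise a token issued to
            // some other relying party could be replayed against this one.
            AudienceRestriction = { AudienceMode = AudienceUriMode.Always },
            // Tolerance applied to NotBefore / NotOnOrAfter checks.
            MaxClockSkew = TimeSpan.FromMinutes(5),
            // The signer is pinned by thumbprint above, so no chain build is attempted here.
            // Keep chain validation if the issuer certificate should also be CA-checked.
            CertificateValidator = X509CertificateValidator.None
        };
        config.AudienceRestriction.AllowedAudienceUris.Add(audience);

        var handler = new Saml2SecurityTokenHandler { Configuration = config };

        // 3. Parse the assertion and validate signature, issuer, audience and lifetime.
        //    ValidateToken throws (SecurityTokenValidationException / AudienceUriValidation-
        //    FailedException / SecurityTokenExpiredException) on any failure.
        using (var reader = XmlReader.Create(new StringReader(tokenXml)))
        {
            SecurityToken token = handler.ReadToken(reader);
            ReadOnlyCollection<ClaimsIdentity> identities = handler.ValidateToken(token);
            return new ClaimsPrincipal(identities);
        }
    }
}

// Usage from an OWIN middleware or a message handler (values are placeholders):
//   string bearer = request.Headers.Authorization.Parameter;
//   ClaimsPrincipal user = Saml2BearerValidator.Validate(
//       bearer,
//       new Uri(ConfigurationManager.AppSettings["FederatedSecurity.Realm"]),
//       ConfigurationManager.AppSettings["FederatedSecurity.Thumbprint"],
//       ConfigurationManager.AppSettings["FederatedSecurity.Authority"]);
```

The point for a relying party: because a bearer assertion carries no proof key, the API's only defences are the signature check against the pinned issuer certificate, the audience restriction, and the validity window, so none of the three should be relaxed. Claims transformation, which the answer leaves out, would be applied to the returned `ClaimsPrincipal` before it is handed to the request pipeline.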
