使用ASP.NET身份和ASP.NET Web API 2跨域令牌身份验证基础 [英] Cross domain token based authentication using ASP.NET Identity and ASP.NET Web API 2
问题描述
我想知道处理这种身份验证方案的最佳实践。我叫一个注册页面(即 https://public.domain.com/#registration )注册完成后,我想验证用户和重定向他的应用程序(即 https://开头的应用程序。 domain.com/ )。我有另一台服务器在那里我有身份验证方法,API控制器等(即 https://api.domain.com/令牌, https://api.domain.com/api/getOrders 等)。
I would like to know about the best practices to handle this authentication scenario. I have a registration page called (ie https://public.domain.com/#registration), after the registration is done, I'd like to authenticate the user and redirect him to the app (ie https://app.domain.com/). I have another server where I have the authentication method, api controllers, etc (ie https://api.domain.com/Token , https://api.domain.com/api/getOrders , etc).
在注册页面( https://public.domain.com/#registration )我M致电( https://api.domain.com/Token )得到验证,该存储在sessionStorage的[的accessToken]或localStorage的[的accessToken。没有在那里我存储此令牌的事情,也不会在我将用户重定向到其他域可用(的https:/ /app.domain.com/ )。
From the registration page (https://public.domain.com/#registration) I'm calling (https://api.domain.com/Token) to get authenticated, and storing that in sessionStorage["accessToken"] or localStorage["accessToken"]. No matter where I store this token, it won't be available in the other domain where I redirect the user to (https://app.domain.com/).
我的问题是:我必须从 https://public.domain.com通过传递查询字符串令牌/#注册以 https://app.domain.com/Login?Token=xxxxxxxxxxx 这样我就可以用它来存储它的localStorage或sessionStorage的,并且在 HTTPS进行身份验证://app.domain .COM / ?
My question is: Do I have to pass the token via querystring from https://public.domain.com/#registration to https://app.domain.com/Login?Token=xxxxxxxxxxx so I can use it for storing it in localStorage or sessionStorage, and be authenticated in https://app.domain.com/ ?
我怎么能在多个领域可用的令牌?什么是这样做的最佳做法?任何大的安全隐患?
我已经设置了我的CORS阿比中,所以令牌端点上的注册和应用服务器进行访问。
How can I have that token available in multiple domains? What are the best practices for doing this? Any big security risks? I already set up my Api box with CORS, so the Token endpoint is accessible in the registration and app servers.
另外,我想指出的是 https://public.domain.com/#registration和 https://app.domain.com/ 是单页的应用程序,使用迪朗达尔,BreezeJS,淘汰赛等(热毛巾模板)。
Also I'd like to point out that https://public.domain.com/#registration and https://app.domain.com/ are Single Page Applications, using Durandal, BreezeJS, Knockout, etc. (Hot Towel template).
推荐答案
这pretty多回答我的问题:
单点登录(SSO)的跨域ASP.NET应用程序
This pretty much answered my question: Single Sign On (SSO) for cross-domain ASP.NET applications
亮点:
那么,如何共享跨多个域的身份验证cookie?
那么,是绝对没有办法做到这一点。最根本的障碍
你来自全国各地共享一个cookie HTTP协议prevents的
不同的领域,主要是出于安全考虑。
So, how to share the authentication cookie across multiple domains? Well, there is absolutely no way to do that. The fundamental barrier of the HTTP protocol prevents you from sharing a cookie across different domains, primarily for security reasons.
...。在ASP.NET中没有内置的机制来实现单
签署在这些两个不同的站点。
...There is no built-in mechanism in ASP.NET to implement a Single Sign On across these two different sites.
这篇关于使用ASP.NET身份和ASP.NET Web API 2跨域令牌身份验证基础的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
