Role based authorization for API


Problem description

I have an API, and it needs role based authorization. Roles for this application are dynamic.
What I want to achieve is: if a user makes a call to a particular API, it will first check whether the user is authorized to access the API.

If a role based user is authorized to access it, then send the data as the response, else reply with a not-authorized response.

What would be the best approach to start with this requirement?

What I have tried:

What I am thinking is: save all the endpoints to a table, along with the permission to access each endpoint for each role.

If I can make a base controller, the base controller will be inherited by all other controllers. So, if I can check from the base controller for a particular role whether or not the role is allowed access, then I can send the corresponding response.

Recommended answer

In order to perform authentication/authorization, I had created an enhancement to my existing WCF service by making it OAuth 2.0 compliant.
Clients communicating with the service initially GET a new token based on user credentials. Further requests are processed only if a valid token is passed along with the request. The incoming token (when decrypted, automatically) contains all the info required to authorize the request.
Microsoft.Owin, Microsoft.Owin.Security.OAuth etc. contain all the required assemblies to accomplish this.
Single sign-on is an added advantage of such an approach.

First, while creating the token, add the role details into the token.
Incoming HTTP requests with this token will now have the user roles embedded in it.

Customize the Authorize attribute to create your own implementation, in which you could compare the received roles with those of the customer in the database.
It is feasible; you can make use of caching of roles to avoid frequent database calls.
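The custom Authorize attribute described in this answer, written out as an added example for ASP.NET Web API 2 (this is not code from the original post). It reads the roles from the `ClaimTypes.Role` claims of the token-derived principal, checks them against the endpoint/role table the asker proposed through a hypothetical `IEndpointPermissionStore`, caches the lookup in `MemoryCache`, and answers 401 for missing/invalid tokens and 403 for authenticated users whose roles are not permitted.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Runtime.Caching;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical abstraction over the endpoint/role permission table from the question.
public interface IEndpointPermissionStore
{
    ISet<string> RolesAllowedFor(string controller, string action);
}

// Apply as [RoleTableAuthorize] on a controller, or globally via config.Filters.Add(...).
public class RoleTableAuthorizeAttribute : AuthorizeAttribute
{
    private static readonly MemoryCache Cache = MemoryCache.Default;
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5);

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            return false; // no valid token: HandleUnauthorizedRequest returns 401

        string controller = actionContext.ControllerContext.ControllerDescriptor.ControllerName;
        string action = actionContext.ActionDescriptor.ActionName;
        string cacheKey = "perm:" + controller + "/" + action;

        // Cache the permitted-role set per endpoint to avoid a DB call on every request.
        var allowed = Cache.Get(cacheKey) as ISet<string>;
        if (allowed == null)
        {
            var store = (IEndpointPermissionStore)actionContext.Request.GetDependencyScope()
                .GetService(typeof(IEndpointPermissionStore)); // assumes it is registered
            allowed = store.RolesAllowedFor(controller, action) ?? new HashSet<string>();
            Cache.Set(cacheKey, allowed, DateTimeOffset.UtcNow.Add(CacheTtl));
        }

        // Roles embedded in the token arrive as role claims; deny unless one is permitted.
        var tokenRoles = principal.FindAll(ClaimTypes.Role).Select(c => c.Value);
        return tokenRoles.Any(allowed.Contains);
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal;
        var status = principal != null && principal.Identity.IsAuthenticated
            ? HttpStatusCode.Forbidden : HttpStatusCode.Unauthorized;
        actionContext.Response = actionContext.Request.CreateResponse(status, "not authorized");
    }
}
```

An endpoint missing from the table yields an empty permitted set, so unknown endpoints are denied rather than silently open; a short cache TTL bounds how long a revoked role permission keeps working.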


