结合使用具有Azure功能的JSON Web令牌(JWT)(不使用Active Directory) [英] Using JSON Web Tokens (JWT) with Azure Functions (WITHOUT using Active Directory)
问题描述
我确信外面已经有人这样做了,但是我还没有找到关于Microsoft JWT实现的任何文档. Microsoft为其JWT库提供的官方文档基本上是一个空白页,请参阅:
I am sure someone out there has already done this, but I have yet to find any documentation with regard to the Microsoft implementation of JWT. The official documentation from Microsoft for their JWT library is basically an empty page, see:
https://docs.microsoft.com/zh-CN/dotnet/framework/security/json-web-token-handler-api-reference
所以,这是我(而且我相信还有很多人)想完成的事情:
So, here is what I (and I am sure many others) would like to accomplish:
定义:用户ID =用于登录系统的用户名或电子邮件地址.
Definition: User ID = The username or email address used to log into a system.
身份验证:
-
用户登录.用户填写Web表单,然后系统(通过HTTPS POST)将用户ID和密码(哈希)发送到服务器,以对用户进行身份验证/验证.
A user logs in. The user fills in web form and the system sends (via HTTPS POST) the users ID and password (hashed) to the server in order to authenticate / validate the user.
服务器对用户进行身份验证.将对照数据库中保存的值检查用户ID和密码,如果无效,则会向调用者返回无效的登录响应.
Server Authenticates user. The users ID and password are checked against the values saved in the database and if NOT valid, an invalid login response is returned to the caller.
创建JWT令牌-????没有可用的文档!
Create a JWT Token - ???? No documentation available!
将JWT令牌返回给调用方-???? -我假设在标头中?通过JSON,不确定-再次-没有文档.
Return the JWT token to the caller - ???? - I assume in a header? via JSON, not sure -- again - no documentation.
给出以下代码,有人可以提供第3步和第4步的代码示例吗?
Given the code below, can anyone provide a code example for steps 3 and 4?
[FunctionName( "authenticate" )]
public static async Task<HttpResponseMessage> Run( [HttpTrigger( AuthorizationLevel.Anonymous, "get", "post", Route = null )]HttpRequestMessage req, TraceWriter log )
{
// Step 1 - Get user ID and password from POST data
/*
* Step 2 - Verify user ID and password (compare against DB values)
* If user ID or password is not valid, return Invalid User response
*/
// Step 3 - Create JWT token - ????
// Step 4 - Return JWT token - ????
}
授权:
假设用户已通过身份验证,并且现在拥有JWT令牌(我假设JWT令牌已保存在用户会话中;如果有人想提供更多信息,请这样做):
Assuming the user was authenticated and now has a JWT token (I am assuming the JWT token is saved in the users session; if someone wants to provide more info, please do):
-
向Azure函数发出POST请求以执行某项操作(例如获取用户的生日).上面获得的JWT令牌(从POST数据或标头中加载-是否重要?)与该功能所需的任何其他数据一起加载.
A POST request is made to an Azure Function to do something (like get a users birth date). The JWT token obtained above is loaded (from the POST data or a header - does it matter?) along with any other data required by the function.
JWT令牌已验证-????没有可用的文档!
The JWT token is validated - ???? No documentation available!
如果JWT令牌无效,则该函数将返回BadRequest响应.
If the JWT token is NOT valid, a BadRequest response is returned by the function.
如果JWT令牌有效,则该函数使用传递给它的数据来处理和发出响应.
If the JWT token is valid, the function uses the data passed to it to process and issue a response.
给出以下代码,有人可以提供第1步和第2步的代码示例吗?
Given the code below, can anyone provide a code example for steps 1 and 2?
[FunctionName( "do_something" )]
public static async Task<HttpResponseMessage> Run( [HttpTrigger( AuthorizationLevel.Anonymous, "get", "post", Route = null )]HttpRequestMessage req, TraceWriter log )
{
// Step 1 - Get JWT token (from POST data or headers?)
// Step 2 - Validate the JWT token - ???
// Step 3 - If JWT token is not valid, return BadRequest response
// Step 4 - Process the request and return data as JSON
}
任何信息都将真正帮助我们这些人(我)了解如何将JWT与Azure(匿名)功能一起使用,以构建安全的" REST API.
Any and all information would really help those of us (me) understand how to use JWT with Azure (anonymous) functions in order to build a "secure" REST API.
谢谢.
推荐答案
任何信息都将真正帮助我们这些人(我)了解如何将JWT与Azure(匿名)功能一起使用,以构建安全的" REST API.
Any and all information would really help those of us (me) understand how to use JWT with Azure (anonymous) functions in order to build a "secure" REST API.
根据我的理解,您可以在Azure函数代码中使用相关的库来生成/验证JWT令牌.这里有一些教程,您可以参考它们:
Per my understanding, you could use the related library in your azure function code to generate / validate the JWT token. Here are some tutorials, you could refer to them:
Jwt.Net,它是.NET的JWT(JSON Web令牌)实现
此外,您可以利用应用程序服务身份验证/授权,以配置功能应用级别的验证/授权.您可以转到功能应用程序设置",单击平台功能"选项卡下的网络>身份验证/授权".启用App Service身份验证,然后选择允许匿名请求(不执行任何操作),如下所示:
Moreover, you could leverage App Service Authentication / Authorization to configure the function app level Authentication / Authorization. You could go to your Function App Settings, click "NETWORKING > Authentication / Authorization" under the Platform features tab. Enable App Service Authentication and choose Allow Anonymous requests (no action) as follows:
您可以创建具有匿名访问权限的HttpTrigger函数来记录用户日志,如果用户存在,则返回JWT令牌.对于受保护的REST API,您可以按照以下代码示例进行操作:
You could create a HttpTrigger function with anonymous accessing for user logging and return the JWT token if the user exists. For the protected REST APIs, you could follow the code sample below:
if(System.Security.Claims.ClaimsPrincipal.Current.Identity.IsAuthenticated)
{
//TODO: retrieve the username claim
return req.CreateResponse(HttpStatusCode.OK,(System.Security.Claims.ClaimsPrincipal.Current.Identity as ClaimsIdentity).Claims.Select(c => new { key = c.Type, value = c.Value }),"application/json");
}
else
{
return req.CreateResponse(HttpStatusCode.Unauthorized,"Access Denied!");
}
要生成在App Service身份验证中使用的JWT令牌,可以遵循自定义身份验证的书JWT令牌.
For generating the JWT token used in App Service Authentication, you could follow How to: Use custom authentication for your application and the code under custom API controller CustomAuthController from adrian hall's book about Custom Authentication to create the JWT token.
更新:
对于应用程序服务身份验证"下的自定义身份验证方法,我只希望op利用EasyAuth提供的身份验证/授权.我对此方法进行了一些测试,发现它可以对我有效. Op可以将用户名和密码发送到HttpTrigger进行身份验证,然后HttpTrigger后端需要验证用户信息,并使用
For the custom authentication approach under App Service Authentication, I just want op to leverage the authentication / Authorization provided by EasyAuth. I have did some test for this approach and found it could work on my side. Op could send the username and password to the HttpTrigger for authentication, then the HttpTrigger backend need to validate the user info, and use Microsoft.Azure.Mobile.Server.Login package for issuing App Service Authentication token to the client, then the client could retrieve the token from the AuthenticationToken property. The subsequent requests against the protected APIs could look like as follows:
https://<your-funapp-name>.azurewebsites.net/api/<httpTrigger-functionName>
Header: x-zumo-auth:<AuthenticationToken>
注意:
对于这种方法,相关的HttpTrigger功能需要允许匿名访问,并且App Service Authentication还需要选择允许匿名请求"(无操作).否则,App Service身份验证和功能级别身份验证将同时验证请求.对于受保护的API,op需要手动添加System.Security.Claims.ClaimsPrincipal.Current.Identity.IsAuthenticated检查.
For this approach, the related HttpTrigger functions need to allow anonymous accessing and the App Service Authentication also needs to choose Allow Anonymous requests (no action). Otherwise, the App Service Authentication and function level authentication would both validate the request. For the protected APIs, op needs to manually add the System.Security.Claims.ClaimsPrincipal.Current.Identity.IsAuthenticated checking.
这篇关于结合使用具有Azure功能的JSON Web令牌(JWT)(不使用Active Directory)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
