如何在.net核心Web应用程序和Web API之间传递/验证Open ID令牌? [英] How to pass/verify Open ID token between .net core web app and web api?
问题描述
我们具有以下架构:
- 使用剃须刀页面,jQuery等作为UI的.NET Core 3.1 Web应用程序(不是角度应用程序)
- .net核心3.1 Web api应用程序充当我们的api层
- Okta作为我们的身份提供者
我已经在Web应用程序中实现了Okta小部件和中间件.用户可以登录,然后发生这种情况,我可以获取ClaimsPrincipal,访问其所有范围并访问我通过开放ID存储的任何自定义配置文件数据.我可以通过[授权]装饰来保护视图.所有这些都运行良好.
I have implemented the Okta widget and middleware in the web application. Users can login, and after that happens I’m able to get a ClaimsPrincipal, access all of their scopes, and get to any custom profile data I’ve stored via open id. I'm able to secure views through the [Authorize] decoration. All that is working perfectly.
我现在需要做的是在API端实现安全性检查.我花了数小时的时间来研究示例,发现了很多示例,但是我要么遗漏了一些明显的东西,要么我正在做的事情是独一无二的(而且我无法想象我正在做的事情是独一无二的).基本上我需要做的是:
What I need to do now is implement the security checks on the API side. I’ve spent hours and hours looking at examples and have found many, but I'm either missing something obvious or what I'm doing is unique (and I can't imagine that what I'm doing is that unique). Basically what I need to do is:
- 已让网络应用将auth和id令牌传递给api
- 让api能够验证令牌,然后从id令牌中解密用户信息
然后,这将允许我在API方面实现必要的安全性逻辑.假设它的API返回客户订单-那么我需要确保调用它的用户是管理员或实际客户(因此,我不会将客户数据返回给不应该看到的人).我已经弄清了所有角色,但我一生无法弄清楚如何通过令牌确定某人是谁?
This would then allow me to implement the necessary security logic on the API side. Let’s say its the API that returns customer orders - well I need to make sure that the user calling it is either an administrator or is the actual customer (so I don’t return customer data to someone who shouldn’t see it). I have all the role stuff figured out, I just can’t, for the life of me, figure out how to determine who someone is via the token?
传递令牌非常简单,但是如何将令牌从ClaimsPrincipal对象中取出呢?还是我需要在用户登录后调用Okta API来专门获取访问和ID令牌?
Passing the tokens is pretty straightforward, but how would I get the token out of the ClaimsPrincipal object? Or do I need to call the Okta API after the user logs in to specifically get the access and id tokens?
然后,我当然必须弄清楚如何使API端正确验证和解析发送的令牌.
Then of course I'll have to figure out how to get the API side to properly validate and parse the token that is sent.
如果有人可以帮助我入门或以正确的方向为例,我将非常感激.至此,我已经阅读了所有有关Owin,OpenID,Okta,.net核心中的授权的文章,我可以找到.
If anyone could help me get started with this or point me in the right direction for an example, I would be very appreciative. At this point I have read every article on Owin, OpenID, Okta, authorization in .net core I could find.
推荐答案
您的ID提供程序(本例中为Okta)将颁发OpenID Connect授权承载令牌,您需要将其传递给要保护的任何应用程序.
Your ID Provider, Okta in this case, will issue an OpenID Connect authorization bearer token that you will need to pass along to any application that you want to protect.
在应用程序的Web Api端,您将需要注册中间件来处理Okta的OpenID Connect令牌.然后,您可以使用[Authorize]装饰控制器/动作,并可以检查身份声明.
On the Web Api side of your application, you will need to register your middleware for handling processing of Okta's OpenID Connect tokens. Then you can decorate your controllers/actions with [Authorize] and you can check an identity's claims.
这篇关于如何在.net核心Web应用程序和Web API之间传递/验证Open ID令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
