将Windows身份验证与OAuth 2.0结合使用 [英] Use Windows Authentication with OAuth 2.0
问题描述
我已经设置了一个OWIN授权服务器和几个公开ASP.NET Web API的资源服务器.我正在从特定于每个资源服务器的授权服务器提供一个JWT(这个想法是每个资源服务器都需要用其令牌包装的自定义声明).
I have set up an OWIN authorization server and several resource servers exposing ASP.NET Web APIs. I am serving up a JWT from the authorization server that is specific to each resource server (the idea being that each resource server needs custom claims wrapped up in its token).
这些服务器全部位于Intranet环境中,在该环境中,我们一直使用Windows身份验证(Kerberos)提供单点登录体验.由于我正在使用用户的用户名和密码(针对AD进行身份验证)来授予令牌,因此该功能在我的实现中已丢失.我想知道的是,是否有办法获得单点登录体验-也许通过在授予用户令牌之前使用Windows身份验证来建立用户的身份?
These servers are all in an intranet environment where we historically have used Windows Authentication (Kerberos) to provide a single sign-on experience. This feature has been lost in my implementation because I am using the user's username and password (authenticated against AD) to grant a token. What I am wondering is if there is a way to get a single sign-on experience back - maybe by using Windows Authentication to establish the identity of a user before granting them a token?
我觉得这有点不合常规,可能有些愚蠢-因此请告诉我,是否有更好的替代方法在Intranet环境中使用OAuth 2.0获取SSO.
I feel like this is somewhat unorthodox and might be dumb - so please tell me if there is a better, alternative approach to getting SSO with OAuth 2.0 in an intranet environment.
推荐答案
事实证明,这并不像我预期的那么难.我创建了一个替代端点(/token/windows/
)的标准Web API控制器.该端点采用HTTP POST,该HTTP POST带有Windows用户试图连接的客户端(资源)ID.我将标准的[Authorize]
属性放在操作上,以确保已建立身份,然后手动创建声明身份,并将JWT返回给用户.从那时起,用户将使用标准令牌刷新过程.
As it turns out, this wasn't as hard as I expected. I created a standard web API controller off of an alternative endpoint (/token/windows/
). This endpoint takes an HTTP POST with the client (resource) ID the Windows user is trying to connect to. I put the standard [Authorize]
attribute on the action to ensure that identity is established, then I manually create a claims identity and return a JWT to the user. From that point on the user uses the standard token refresh process.
编辑:下面是一个示例,该示例代表了我实施的示例.请注意,此应用程序已在IIS中配置为支持Windows身份验证(除了匿名身份验证):
Edit: here's a sample below that represents what I implemented. Note that this app is configured in IIS to support Windows Authentication (in addition to anonymous authentication):
[RoutePrefix("token/windows")]
public class WindowsAuthenticationController : ApiController
{
[Authorize]
[HttpPost]
[Route("{client_id}"]
public async Task<IHttpActionResult> CreateTokenForWindowsIdentity(string client_id)
{
var user = User as ClaimsPrincipal;
if (user == null) return Unauthorized(); //401
var claims = //generate claims based on the User.Identity.Name...
var identity = new ClaimsIdentity("JWT");
identity.AddClaims(claims);
//manually create JWT using whatever method you prefer,
//I used something inspired from http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/
}
}
这篇关于将Windows身份验证与OAuth 2.0结合使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!