Use Windows Authentication with OAuth 2.0


Question

I have set up an OWIN authorization server and several resource servers exposing ASP.NET Web APIs. I am serving up a JWT from the authorization server that is specific to each resource server (the idea being that each resource server needs custom claims wrapped up in its token).

These servers are all in an intranet environment where we historically have used Windows Authentication (Kerberos) to provide a single sign-on experience. This feature has been lost in my implementation because I am using the user's username and password (authenticated against AD) to grant a token. What I am wondering is if there is a way to get a single sign-on experience back - maybe by using Windows Authentication to establish the identity of a user before granting them a token?

I feel like this is somewhat unorthodox and might be dumb - so please tell me if there is a better, alternative approach to getting SSO with OAuth 2.0 in an intranet environment.

Recommended answer

As it turns out, this wasn't as hard as I expected. I created a standard Web API controller off of an alternative endpoint (/token/windows/). This endpoint takes an HTTP POST with the client (resource) ID the Windows user is trying to connect to. I put the standard [Authorize] attribute on the action to ensure that identity is established, then I manually create a claims identity and return a JWT to the user. From that point on the user uses the standard token refresh process.

Edit: here's a sample below that represents what I implemented. Note that this app is configured in IIS to support Windows Authentication (in addition to anonymous authentication):

using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;

[RoutePrefix("token/windows")]
public class WindowsAuthenticationController : ApiController
{
    [Authorize]
    [HttpPost]
    [Route("{client_id}")]
    public async Task<IHttpActionResult> CreateTokenForWindowsIdentity(string client_id)
    {
        // With Windows Authentication enabled in IIS, User is the WindowsPrincipal established by Kerberos/NTLM
        var user = User as ClaimsPrincipal;
        if (user == null || !user.Identity.IsAuthenticated) return Unauthorized(); //401

        //generate claims based on the User.Identity.Name (DOMAIN\user)...
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, user.Identity.Name),
            new Claim("client_id", client_id)
        };
        var identity = new ClaimsIdentity("JWT");
        identity.AddClaims(claims);

        //manually create JWT using whatever method you prefer,
        //I used something inspired from http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/
        //CreateJwtAsync stands in for that token-minting helper, which the original post leaves to the reader
        string jwt = await CreateJwtAsync(identity, client_id);
        return Ok(new { access_token = jwt, token_type = "bearer" });
    }
}
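The answer above leaves the token-minting step to the reader. The block below is an added example, not the answerer's code, showing the parts a practitioner should get right when a Windows identity is turned into a per-resource-server JWT: the `client_id` from the URL is validated against a list of registered resource servers rather than trusted, each resource server gets its own HMAC key and is set as the token's `aud`, the lifetime is short, and the resource-server side validates signature, issuer, audience and expiry with only its own key. It assumes the System.IdentityModel.Tokens.Jwt NuGet package; the issuer URL, the two resource-server names and their keys are constructed placeholders, and the `ClaimsPrincipal` built in `Main` stands in for the `WindowsPrincipal` that IIS populates on a domain-joined host.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Token minting for a /token/windows/{client_id} style endpoint, plus the check each resource server runs.
public static class WindowsTokenIssuer
{
    const string Issuer = "https://auth.corp.example"; // hypothetical issuer name

    // One HS256 key per resource server (constructed placeholders; load real keys from protected config).
    // A token signed with inventory-api's key fails signature validation at payroll-api, so an SSO
    // token minted for one API cannot be replayed against another even if the aud check were skipped.
    static readonly Dictionary<string, byte[]> ResourceKeys = new Dictionary<string, byte[]>(StringComparer.Ordinal)
    {
        ["inventory-api"] = Encoding.UTF8.GetBytes("inventory-api-hs256-key-must-be-32-bytes-or-more"),
        ["payroll-api"]   = Encoding.UTF8.GetBytes("payroll-api-hs256-key-must-be-32-bytes-or-more!!"),
    };

    public static string Issue(ClaimsPrincipal windowsUser, string clientId, TimeSpan lifetime)
    {
        // [Authorize] already enforced this on the controller; the issuer re-checks rather than trusting its caller.
        if (windowsUser == null || !windowsUser.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("no authenticated Windows identity");

        // client_id is caller-controlled URL input: accept only registered resource servers.
        byte[] key;
        if (!ResourceKeys.TryGetValue(clientId, out key))
            throw new ArgumentException("unknown client_id: " + clientId);

        var now = DateTime.UtcNow;
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, windowsUser.Identity.Name),  // DOMAIN\user from Kerberos
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
            new Claim("amr", "windows"),                                          // how the identity was established
        };
        // Carry over the group SIDs Windows already resolved so the resource server can authorize on them.
        foreach (var c in windowsUser.FindAll(ClaimTypes.GroupSid))
            claims.Add(new Claim(ClaimTypes.GroupSid, c.Value));

        var creds = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(Issuer, clientId, claims, now, now.Add(lifetime), creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Resource-server side: validate issuer, audience, lifetime and signature with this server's own key only.
    public static ClaimsPrincipal Validate(string jwt, string expectedClientId)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = expectedClientId,
            IssuerSigningKey = new SymmetricSecurityKey(ResourceKeys[expectedClientId]),
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
        SecurityToken validated;
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed stand-in for the WindowsPrincipal IIS populates; on a domain-joined host
        // new WindowsPrincipal(WindowsIdentity.GetCurrent()) gives the real one.
        var kerberosUser = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, @"CORP\jdoe"),
            new Claim(ClaimTypes.GroupSid, "S-1-5-21-1111111111-2222222222-3333333333-1105"),
        }, "Negotiate"));

        string jwt = WindowsTokenIssuer.Issue(kerberosUser, "inventory-api", TimeSpan.FromMinutes(15));

        // The handler maps the inbound "sub" claim to ClaimTypes.NameIdentifier by default.
        var principal = WindowsTokenIssuer.Validate(jwt, "inventory-api");
        Console.WriteLine("inventory-api accepted sub=" + principal.FindFirst(ClaimTypes.NameIdentifier).Value);

        try { WindowsTokenIssuer.Validate(jwt, "payroll-api"); }
        catch (SecurityTokenException e) { Console.WriteLine("payroll-api rejected it: " + e.GetType().Name); }

        try { WindowsTokenIssuer.Issue(kerberosUser, "../not-a-client", TimeSpan.FromMinutes(15)); }
        catch (ArgumentException e) { Console.WriteLine("issuer refused: " + e.Message); }
    }
}
```

Two points worth keeping in mind with this pattern. Windows Authentication is ambient: the browser attaches the Kerberos ticket to any request it makes to the intranet host, so the token endpoint is reachable from a page on another origin; a cross-origin form POST cannot read the response, so keep it that way by not enabling credentialed CORS for the endpoint. And the `[Authorize]` attribute only proves that some domain account authenticated; whether that account may obtain a token for a given `client_id` is a separate decision, which is why the example checks `client_id` against a registry and carries the group SIDs into the token for the resource server to act on.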

