如何在.net(Web api 2 + owin)中为不同的身份验证设置混合授权 [英] How do you setup mixed authorizations for different authentications in .net (web api 2 + owin)
问题描述
我对.net还是很陌生,我正在尝试创建一个restfull服务,您可以在其中通过OAuth2对诸如facebook之类的服务进行身份验证,也可以使用普通帐户"登录. VS2013的SPA模板使我能够快速轻松地执行此操作,对此我感到非常满意.
I am fairly new to .net and I am trying to create a restfull service where you can authenticate via OAuth2 to a service like facebook and also be able to login with a "normal account". The SPA template from VS2013 allowed me to do this quickly and easily and I am very happy with it.
现在,我面临着另一个问题.我似乎无法找到一种方法来分隔对这些不同类型的登录名的访问.例如,我想仅允许来自oauth身份验证方法的用户访问X,并且以正常方式"(也带有承载令牌)进行身份验证的用户只能看到Y.
Right now I am facing a different problem. I can't seem to find a way to separate access for these different types of logins. For example, I want to allow only users from the oauth authentication method to access X and users that authenticated in the "normal way" (also with a bearer token) to be able to see only Y.
我搜索了网络,似乎应该使用[Authorize]标记,但是我不确定如何自定义它,也不知道如何区分不同的登录名. 我发现了自定义标签的不同方法,但是似乎没有一种方法有效,并且我一直陷于过时的解决方案中.
I searched the web and it seems that I should be using the [Authorize] tag but I am not sure how to customize it nor differentiate between different logins. I found different methods of customizing the tag but none seem to be working and I keep stumbling into solutions that are out of date.
任何人都可以帮忙吗?
谢谢!
我的最终解决方案(感谢0leg)
My final solution (thanks to 0leg)
为每种身份验证类型创建一个授权标签:
Created an authorize tag for each authentication type:
public class AuthorizeExternalsOnly : AuthorizeAttribute
{
protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
{
if (System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
{
string externalClaim = "";
try
{
externalClaim = (actionContext.ControllerContext.RequestContext.Principal.Identity as ClaimsIdentity).Claims.FirstOrDefault(x => x.Type == ClaimTypes.Authentication).Value;
}
catch (NullReferenceException)
{
Debug.WriteLine("no external claim found");
}
if (externalClaim != "")
{
return base.IsAuthorized(actionContext);
}
return false;
}
return false;
}
}
然后在帐户控制程序中,在 GetExternalLogin
At the account controler I then added the claim's at GetExternalLogin
oAuthIdentity.AddClaim(new Claim(ClaimTypes.Authentication, "External"));
(...)
identity.AddClaim(new Claim(ClaimTypes.Authentication, "External"));
每次登录之前.
推荐答案
您可以创建一个Claim来定义您的用户类型(内部,facebook等).然后创建一个自定义的Authorize属性以做出授权决定.
You can create a Claim to define your user type (internal, facebook, etc). Then create a custom Authorize attribute to make the authorization decision.
Look at this, this and this links for some background info.
自定义Authorize属性的代码示例. HttpActionContext参数使您可以查看调用的控制器和操作.它还使您可以检查用户的Claims集合.逐步完成针对不同登录方案的代码,您将有不同的主张.然后,您可以确定您的Controller.Action是否被授权用于特定的索赔值.
Code sample for custom Authorize attribute. HttpActionContext parameter lets you see what controller and action you called. It also lets you inspect the Claims collection for your user. Step through the code for the different login scenarios, you'll have different claims. Then you can decide whether your Controller.Action is authorized for a particular claim value.
protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
{
ActionName = actionContext.ActionDescriptor.ActionName,
ControllerName = actionContext.ControllerContext.ControllerDescriptor.ControllerName,
Claims = (actionContext.RequestContext.Principal.Identity as ClaimsIdentity).Claims.ToList()
}
这篇关于如何在.net(Web api 2 + owin)中为不同的身份验证设置混合授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
