具有可选身份验证/授权的ASP.NET Core [英] ASP.NET Core with optional authentication/authorization

问题描述

我想构建一个基于ASP.NET Core的WebApi来访问数据库中的数据.该WebApi可以通过两种方式使用，既可以用作需要身份验证的公共WebApi，也可以用作Web应用程序的私有后端服务.在后一种情况下，不需要身份验证，因为只有经过身份验证的用户才能访问该Web应用程序，并且Web应用程序和WebApi都将在同一台计算机上运行，​​而WebApi将被隐藏在外部.

I want to build an ASP.NET Core based WebApi for accessing data from a database. This WebApi could be used in two ways, either as a public WebApi which would need authentication or as a private backend service for a web application. In the latter case there would be no need for authentication since only authenticated users can access the web application and both web application and WebApi will run on the same computer, the WebApi will be hidden to the outside.

由于第一种情况需要身份验证，因此我将使用Authorize属性标记所有公共API.但是对于私人场景，我想绕过任何身份验证.

Since we need authentication for the first scenario, I will have all public APIs tagged with the Authorize attribute. But for the private scenario I would like to bypass any authentication.

根据配置中的某些标志，有什么方法可以使身份验证成为可选选项?

Is there any way I could make authentication optional depending on some flag in the configuration?

更新

谈到两个使用场景，我的意思是两个完全独立的安装！每个都有自己的配置文件.是否需要验证的决定是在单个安装中针对每个安装而不是针对每个请求！我的目标是在配置中只有一个代码库和一个开关.

speaking of two usage scenarios I mean two completely separate installations! Each one has its own configuration file. The decision whether authentication is needed is to made per installation not per request in a single installation! My goal is to have just one code base and a switch in the configuration.

推荐答案

如果绕过身份验证，如何区分对api的内部或公共请求?这会导致安全错误.因此，您不应该绕过身份验证.

If you bypass authentication, how do you distinguish internal or public requests for api? This causes security bug. So you shouldn't bypass authentication.

如果在mvc应用程序中使用openidconnect身份验证，则可以设置SaveTokens=true.它使您可以将访问令牌存储在cookie中.在mvc操作中调用api时，可以将此access_token发送给api.

If you use openidconnect authentication in mvc application then you can set SaveTokens=true. It enables you to store access token in cookie. When you call api in mvc action you can send this access_token to api.

另一种使用两种不同身份验证中间件的方式，一种用于内部，另一种用于公共访问(这很难实现).

Another way using two different authentication middleware, one for internal another for public access(This is hard to implement).

我会采用第一种方法.

I would go with first approach.

更新

要实现您的目标，我想到了一个棘手的方法，但是我不确定这是一个好方法:

To achieve your goal, a tricky way is coming to my mind but i am not sure it is good way:

创建过滤器提供程序:

public class EncFilterProvider : IFilterProvider
{
    public int Order
    {
        get
        {
            return -1500;
        }
    }

    public void OnProvidersExecuted(FilterProviderContext context)
    {
    }

    public void OnProvidersExecuting(FilterProviderContext context)
    {
        // remove authorize filters
        var authFilters = context.Results.Where(x => 
           x.Descriptor.Filter.GetType() == typeof(AuthorizeFilter)).ToList();
        foreach(var f in authFilters)
            context.Results.Remove(f);
    }
}

然后根据配置值有条件地注册它

Then register it conditionally based on config value

  public void ConfigureServices(IServiceCollection services)
  {
      if(config["servermode"] = "internal")
      {
          services.AddScoped<IFilterProvider, EncFilterProvider>();
      }
   }

这篇关于具有可选身份验证/授权的ASP.NET Core的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！