MVC 5, Identity 2.0 Android Rest/Json Api

Problem description

I have an ASP.NET MVC 5 Application which uses Identity 2.0 for authentication/authorisation. Now I want to provide access to the data in my web application to my Android Application via Web Api 2.0.

My question is: How do I control authorization/authentication of the access from my android application?

On Android side I use "org.springframework.web.client.RestTemplate" and add this HTTP header to my request:

    import org.springframework.http.HttpAuthentication;
    import org.springframework.http.HttpBasicAuthentication;
    import org.springframework.http.HttpEntity;
    import org.springframework.http.HttpHeaders;

    HttpAuthentication authHeader = new HttpBasicAuthentication("username", "password"); // Base64 of "username:password"
    HttpHeaders requestHeaders = new HttpHeaders();
    requestHeaders.setAuthorization(authHeader); // adds "Authorization: Basic <base64>"
    HttpEntity<?> requestEntity = new HttpEntity<Object>(requestHeaders); // headers only, no request body

Should I just create a Filter or an HttpModule, analyse the HTTP Header there and query the DB to check if there is an existing user for that?

It is clear to me how it works on the HTML/Javascript frontend. There is a cookie set after each successful login, which is used for all subsequent calls, but what is the best strategy for my android app?

Update: Found these two links, but I'm not sure if I should go this way: http://springinpractice.com/2012/04/08/sending-cookies-with-resttemplate http://blog.mikepearce.net/2010/08/24/cookies-and-the-restful-api/

Recommended answer

You can, as you suggested, create a Filter for your WebApi controllers to authorize and authenticate access from your client application. Here is a blog post that may help you implement such a thing.

However, I suggest using access tokens as defined by the Oauth standard. This method of authentication and authorization is very well suited for mobile applications. You can create long life access tokens that keep your mobile client app logged in similarly to long life cookies and a browser client. Or you could use short life access tokens and long life refresh tokens. Also there is nothing stopping you from using Oauth with browser clients either, giving you a single auth implementation. Here is a great SO answer on tokens and Oauth.

Have a look at IdentityServer; the following blurb is from their Github repository:

IdentityServer is a .NET/Katana-based framework and hostable component that allows implementing single sign-on and access control for modern web applications and APIs using protocols like OpenID Connect and OAuth2. It supports a wide range of clients like mobile, web, SPAs and desktop applications and is extensible to allow integration in new and existing architectures.
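The token-based approach the answer recommends, as an added example that is not part of the question or the answer: an OWIN startup for the same MVC 5 / Web API 2 application that issues OAuth2 bearer tokens to the Android client with the resource owner password grant and checks the credentials against Identity 2.0. It assumes the default MVC 5 template types `ApplicationUser` and `ApplicationUserManager`, that `ApplicationUserManager` is registered with `app.CreatePerOwinContext`, and the Microsoft.Owin.Security.OAuth package; the class name `IdentityPasswordGrantProvider` and the `/Token` path are choices made for this example.

```csharp
// Added example (not the question's or the answer's code): OAuth2 password grant
// backed by ASP.NET Identity 2.0. Assumes the MVC 5 template's ApplicationUser and
// ApplicationUserManager, registered with app.CreatePerOwinContext.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // The template's Identity registrations (ApplicationDbContext, ApplicationUserManager)
        // and the cookie middleware for the browser front end stay as they are.

        var oauthOptions = new OAuthAuthorizationServerOptions
        {
            // The Android app POSTs grant_type=password&username=...&password=... here once.
            TokenEndpointPath = new PathString("/Token"),
            Provider = new IdentityPasswordGrantProvider(),
            // Short-lived access token; the user's password is never stored on the device.
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
            // The password and the token travel in clear text inside the HTTP message,
            // so the token endpoint must only be reachable over TLS.
            AllowInsecureHttp = false
        };
        app.UseOAuthAuthorizationServer(oauthOptions);

        // Validates "Authorization: Bearer <token>" on every subsequent Web API request.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

// Hypothetical name for this example's provider.
public class IdentityPasswordGrantProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // A public mobile client cannot keep a client secret, so none is required;
        // the user's credentials are what gets checked in GrantResourceOwnerCredentials.
        context.Validated();
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

        // FindAsync verifies the password against the hash stored by Identity.
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            // One message for unknown user and wrong password, so the response does not
            // reveal which accounts exist.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // The claims identity becomes the content of the bearer token; [Authorize] and
        // User.Identity on the Web API controllers see these claims.
        ClaimsIdentity identity = await userManager.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType);
        var ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
        context.Validated(ticket);
    }
}
```

On the Android side the `HttpBasicAuthentication` header from the question is then only sent once, to `/Token`; afterwards each request carries `requestHeaders.set("Authorization", "Bearer " + accessToken)` with the `access_token` value from the JSON token response. So that the API does not also accept the browser's login cookie, the Web API configuration should call `config.SuppressDefaultHostAuthentication()` and add `new HostAuthenticationFilter(OAuthDefaults.AuthenticationType)`, as the Web API template does. The long-life refresh token the answer mentions is a separate `RefreshTokenProvider` on `OAuthAuthorizationServerOptions` and is not shown here.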
