AngularJS +的ASP.NET Web API + ASP.NET MVC认证 [英] AngularJS + ASP.NET Web API + ASP.NET MVC Authentication

问题描述

我是新来AngularJS并试图评估它为我的新的Web应用程序。

I am new to AngularJS and trying to evaluate it for my new web application.

我将有一个ASP.NET的Web API，它将会从Android，iPhone和从Web应用程序（ASP.NET MVC）也被消耗掉。 ASP.NET身份将在网页API来实现。所有这三个应用程序将调用Web API的登录方法来获得身份验证令牌。

I will have one ASP.NET Web API which will be consumed from an Android, an iPhone and from a web application (ASP.NET MVC) too. ASP.NET Identity will be implemented in Web API. All three applications will call the login method of Web API to get the auth token.

我的问题是如何让ASP.NET MVC的服务器端验证工作（与网页API同步，所以我不必登录为ASP.NET MVC分开），而角度进行呼叫获得HTML模板/视图，JavaScript文件或其他资源。我已经通过AngularJS许多文章和博客去了，但仍然无法找到可以完美融入我的需求的安全模型。

My problem is how to get ASP.NET MVC server side authentication work (in sync with Web API so I don't have to login for ASP.NET MVC separately) while Angular makes a call to get the HTML template/view, JavaScript files or other resources. I have went through many articles and blogs on AngularJS but still unable to find a security model which fits in my requirement.

难道是一个好主意，直​​接进行登录调用ASP.NET MVC应用程序而不是网页API和ASP.NET MVC应用程序将调用Web API登录，一旦认证，保存会话的身份验证令牌再加上创建一个 FormsAuthentication饼干和cookie数据保存加密身份验证令牌。而且设置在身份验证令牌NG-INIT 某处HTML有在AngularJS范围令牌。现在，当AngularJS尝试与ASP.NET MVC应用程序的调用来获得HTML，然后验证/通过匹配的cookie decryted在会话身份验证数据的数据授权的用户。此外，AngularJS将发送的验证令牌在头直接调用Web API方法通过网络API的所有后续调用数据操作。

Would it be a good idea to make the login call to ASP.NET MVC application instead of Web API directly, and ASP.NET MVC application would call the Web API to login, and once authenticated, save the auth token in session plus create a FormsAuthentication cookie and in cookie data save the encrypted auth token. Moreover set the auth token in ng-init somewhere in HTML to have the token in AngularJS scope. Now when AngularJS tries to make a call to ASP.NET MVC application to get HTML, then authenticate/authorize the user by matching the cookie decryted data with auth data in session. Also, AngularJS will send the auth token in header to call the Web API methods directly for all the subsequent calls for data manipulation through Web API.

推荐答案

我解决了这个问题一个非常两岸正解。我只是确信我在WebApiConfig的注册方法如下code的两行：

I solved the problem with a very strait forward solution. I just made sure I have following two lines of code in the Register method of WebApiConfig:

config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

就是这样。现在我的MVC控制器寻找会话cookie进行授权，而我的Web API控制器查找每个请求的报头中的身份验证令牌。此外，该网页API发送一个令牌（JSON）和一个会话cookie本身响应于登录/认证请求例如的http：\\\\ www.mydomain.com \\令牌

所以，现在我把我的登录请求的Web API来获取令牌以及会话cookie。会话cookie将自动发送将每一个请求，所以我不担心我的MVC控制器的授权。对于Web API调用我送为每个请求为Web API控制器不关心会话cookie头中的身份验证令牌与请求被发送。

So now I send my login request to Web API to get the token as well as the session cookie. Session cookie will automatically be sent will each request so I don't have to worry about the authorization of my MVC controllers. For Web API calls I am sending the auth token in the header for each request as Web API controllers don't care about the session cookie being sent with the request.

这篇关于AngularJS +的ASP.NET Web API + ASP.NET MVC认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！