如何使用ServiceStack作为OAuth2.0的资源服务器来构建安全的api？ [英] How to build secured api using ServiceStack as resource server with OAuth2.0?

问题描述

我已经使用 dotnetopenauth 构建了一个OAuth2.0授权服务器，该服务器将管理身份验证，授权和分配调用方的accessToken。调用方将使用访问令牌访问资源服务器上的api（网络服务）。
如果遵循Resource Server中dotnetopenauth提供的示例，则可以通过 OAuthAuthorizationManager

I have build a OAuth2.0 Authorization server using dotnetopenauth that will manage authentication, authorization, and assign accessToken to the caller. The caller will use the access token to access the api (webservices) at resource server. If follow the sample provided by dotnetopenauth in Resource Server, api that builded using WCF can be authenticated by OAuthAuthorizationManager

如果使用ServiceStack在Resource Server中构建我的api，如何构建验证过程基于分配的OAuth2.0访问令牌的传入api请求？该功能应与dotnetopenid示例中的OAuthAuthorizationManager类似，并且不基于登录会话。

If using ServiceStack to build my api in Resource Server, how to build the authentication process that verify the incoming api request based on assigned OAuth2.0 access token? The functionality should similar to OAuthAuthorizationManager in the dotnetopenid sample and not based on login session.

推荐答案

只需一些更新

我没有使用<$ c $中的 AuthenticateAttribute 或 RequiredRoleAttribute c> ServiceStack.ServiceInterface 。

I didn't use the AuthenticateAttribute or RequiredRoleAttribute from ServiceStack.ServiceInterface.

我创建2个自定义 RequestFilterAttribute 来替换功能由 AuthenticateAttribute 和 RequiredRoleAttribute 提供。

I create 2 custom RequestFilterAttribute to replace the functions provided by AuthenticateAttribute and RequiredRoleAttribute.

在每个自定义中 RequestFilterAttribute 的 Execute 方法，我在dotnetopenauth中使用方法来验证访问令牌。

In each custom RequestFilterAttribute's Execute method, I'm using method in dotnetopenauth to verify the access token.

//httpReq==req from Execute(IHttpRequest req, IHttpResponse res, object requestDto)

访问令牌验证的代码如下，有关更多信息，请参考servicestack和dotnetopenauth的相关文档。 ResourceServer是dotnetopenauth的类

The code for the access token verification as following, reference the relevant documentation from both servicestack and dotnetopenauth for more info. ResourceServer is class from dotnetopenauth

HttpRequestBase reqBase = new HttpRequestWrapper((System.Web.HttpRequest)httpReq.OriginalRequest);

var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(AuthorizationServerPublicKey, ResourceServerPrivateKey));

IPrincipal ip = null;
resourceServer.VerifyAccess(reqBase, out ip);

如果 ip 为 null 然后未通过身份验证，如果不是 null ，则传入请求有效，并且可以使用 ip 检查角色，例如 ip.IsInRole（requiredRole）

If the ip is null then not authenticated, if not null, the incoming request is valid and can use the ip to check the role e.g. ip.IsInRole(requiredRole)

我不确定这是否是正确的检查方法，但对我有用。任何更好的解决方案都欢迎。

I'm not sure this is the correct way to do the checking or not, but it's works for me. Any better solution are welcome.

这篇关于如何使用ServiceStack作为OAuth2.0的资源服务器来构建安全的api？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！