Can WebAPI project host multiple APIs?


Question

Ignoring the user and focusing on the client - in order to secure a WebAPI project with ID4 you can add the token authentication middleware and then:

.AddIdentityServerAuthentication(options =>
{
    options.Authority = "http://localhost:5000";
    options.RequireHttpsMetadata = false;

    options.ApiName = "api1";
});

Is it possible to use the same WebAPI project to secure an additional API?

.AddIdentityServerAuthentication(options =>
{
    options.Authority = "http://localhost:5000";
    options.RequireHttpsMetadata = false;

    options.ApiName = "api2";
});

Or is the ratio between ResourceAPI and a "WebAPI host project" 1 to 1?

Basically, at the client level I was curious if you could create multiple APIs for different clients but use the same WebAPI host project.

Recommended answer

Let's consider a resource to be a logical source that needs to be protected.

This means that the resource isn't bound to one WebApi, but the WebApi is bound to one resource. You can create a group of WebApi's that together form the resource. Or you can simply add the complete source to one WebApi.

It then makes no sense to put multiple resources into one WebApi. If it doesn't belong to the resource then create separate WebApi's.

However, if it does belong to the same resource and you want to divide the resource in logical parts, then use scopes instead.

You can add multiple scopes to one resource:

resource = Api0
    scope = Api1.Read
    scope = Api1.Write
    scope = Api2.Read
    scope = Api2.Write

Please note that I used 'Api0' as the resource name (options.ApiName). Where ApiX may be a logical division per client.

Now I can create separate WebApi's that are part of the same resource (they all have options.ApiName = "Api0"), or one WebApi.

In case of separate Api's, where each Api implements one scope, I can use something like this:

services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "http://localhost:5000";
        options.RequireHttpsMetadata = false;

        options.ApiName = "Api0";

        options.JwtBearerEvents = new JwtBearerEvents
        {
            OnTokenValidated = context =>
            {
                if (!context.Principal.HasClaim("scope", "Api1.Read"))
                    context.Fail("Invalid Scope");
                return Task.CompletedTask;
            }
        };
    });

While in case of one WebApi with multiple scopes I can use Policies:

services.AddMvcCore()
...
.AddAuthorization(p =>
{
    p.AddPolicy("Api1.Read", (policy) => policy.RequireScope("Api1.Read"));
    p.AddPolicy("Api1.Write", (policy) => policy.RequireScope("Api1.Write"));
    p.AddPolicy("Api2.Read", (policy) => policy.RequireScope("Api2.Read"));
    p.AddPolicy("Api2.Write", (policy) => policy.RequireScope("Api2.Write"));
});

Where you can use the AuthorizeAttribute:

[Authorize("Api1.Read")]

Please note that scope != resource. The client requests one or more scopes, e.g. "Api1.Read Api1.Write", but the resource is validated by the name (audience=Api0).

The events, policies, middleware can be used for finer grained authorization.
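
The audience-versus-scope distinction from the answer, as an added example that is not part of the original answer or of IdentityServer's code: a stand-alone C# console program that checks the resource name first and the endpoint's scope second. It goes slightly beyond the answer by also accepting tokens whose scope arrives as one space-delimited claim, which an exact-match HasClaim check does not see. The names ScopeCheck, Scopes, IsAllowed and Token are hypothetical, the principals are constructed samples, and reading the audience from a claim named "aud" is an assumption of this model.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example (hypothetical names): models the two checks the answer separates.
// "aud" identifies the resource; "scope" says what the client may do inside it.
static class ScopeCheck
{
    // Accept both layouts: one claim per scope, or one space-delimited claim.
    public static ISet<string> Scopes(ClaimsPrincipal p) =>
        p.FindAll("scope")
         .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
         .ToHashSet(StringComparer.Ordinal);

    public static bool IsAllowed(ClaimsPrincipal p, string apiName, string requiredScope) =>
        p.HasClaim("aud", apiName)              // resource check (options.ApiName)
        && Scopes(p).Contains(requiredScope);   // per-endpoint check (policy)
}

static class Program
{
    // Constructed sample principal; a real one comes from the validated access token.
    static ClaimsPrincipal Token(string aud, params string[] scopeClaims) =>
        new ClaimsPrincipal(new ClaimsIdentity(
            scopeClaims.Select(s => new Claim("scope", s)).Prepend(new Claim("aud", aud)),
            "Bearer"));

    static void Main()
    {
        var perClaim      = Token("Api0", "Api1.Read", "Api1.Write");
        var delimited     = Token("Api0", "Api1.Read Api1.Write");
        var otherResource = Token("Api9", "Api1.Read");

        // Right resource, granted scope, in each scope layout.
        Console.WriteLine(ScopeCheck.IsAllowed(perClaim, "Api0", "Api1.Read"));
        Console.WriteLine(ScopeCheck.IsAllowed(delimited, "Api0", "Api1.Write"));
        // Right resource, scope the client was never granted.
        Console.WriteLine(ScopeCheck.IsAllowed(perClaim, "Api0", "Api2.Read"));
        // Matching scope name, but the token was issued for a different resource.
        Console.WriteLine(ScopeCheck.IsAllowed(otherResource, "Api0", "Api1.Read"));
        // Exact-match claim lookup against the space-delimited layout.
        Console.WriteLine(delimited.HasClaim("scope", "Api1.Read"));
    }
}
```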
