WebAPI 2的客户端身份验证 [英] Client Authentication for WebAPI 2
问题描述
我的公司已经编写了一个API,以将我们的应用程序数据公开给我们的客户.我们已经完成了端点,现在想保护API.该API仅由预先批准的客户端使用,因此不需要匿名访问.有人告诉我,我们可以使用生成的x.509证书来识别和认证每个客户端.通过标识,我的意思是将客户代码嵌入到我们颁发给每个客户的证书中(这是否可能?).如您所知,我在使用证书对客户端进行身份验证方面经验不足,这是一种可靠的方法吗?
My company has written an API to expose our application data to our clients. We've completed the endpoints and now want to secure the API. The API will only be used by pre-approved clients so no anonymous access is needed. I've been told that we can use an x.509 certificate that we generate to identify and authenticate each client. By identifying, I mean embedding a client code in the certificate that we issue to each client (is this even possible?). As you can probably tell I have little experience in authenticating clients with certs, is this a solid approach?
推荐答案
这是用于身份验证和授权客户端的非常棘手"的选项.它功能强大,但实施起来可能会非常昂贵,因为您必须管理完整的 PKI (公钥基础结构),则您必须安全地分发证书给您的客户.
This is a very "tricky" options for authenticating and authorizing clients. It's very powerful, but could be very expensive to implement because you have to manage a full PKI (public key infrastructure) and you have to distribute securely the certificats to your clients.
1)您需要适当的SSL,并且需要强制实施SSL(甚至可以在全球范围内强制实施):
1) You need SSL in place and you need to enforce it (even globally if you want):
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
public override void OnAuthorization(HttpActionContext actionContext)
{
if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
{
actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
{
ReasonPhrase = "HTTPS Required"
};
}
else
{
base.OnAuthorization(actionContext);
}
}
}
public class ValuesController : ApiController
{
[RequireHttps]
public HttpResponseMessage Get() { ... }
}
2)您需要将IIS配置为通过application.host配置或使用IIS管理器控制台来接受客户端证书:
2) You need to configure IIS to accept client certificates througt the application.host config or using the IIS manager console:
<system.webServer>
<security>
<access sslFlags="Ssl, SslNegotiateCert" />
<!-- To require a client cert: -->
<!-- <access sslFlags="Ssl, SslRequireCert" /> -->
</security>
</system.webServer>
3)在服务器端,可以通过在请求消息上调用GetClientCertificate来获取客户端证书.如果没有客户端证书,则该方法返回null.否则,它将返回X509Certificate2实例.使用此对象可从证书中获取信息,例如颁发者和主题.然后,您可以使用此信息进行身份验证和/或授权.
3) On the server side, you can get the client certificate by calling GetClientCertificate on the request message. The method returns null if there is no client certificate. Otherwise, it returns an X509Certificate2 instance. Use this object to get information from the certificate, such as the issuer and subject. Then you can use this information for authentication and/or authorization.
X509Certificate2 cert = Request.GetClientCertificate();
string issuer = cert.Issuer;
string subject = cert.Subject;
Check this article of Mike Watson for full reference (I gave you an extract here).
这是一个可靠的方法吗?
is this a solid approach?
是的,但是如您所见,请牢记PKI的缺点.最终,您可以实现OAuth2身份验证,该身份验证也非常强大,并且可以轻松地基于外部提供程序(例如Azure AD).检查本文以获取更多详细信息.顺便说一句,您也可以从基本的MVC/API模板开始.
Yes it is, but as you saw as the PKI drawback to keep in mind. Eventually you can implement OAuth2 auth which is also extremely powerful and you can easely base it on an external provider, for exaple Azure AD. Check this article for more details. BTW, you can also start from the basic MVC/API template.
这篇关于WebAPI 2的客户端身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
