ASP.NET Web API 2 - How to implement OAuth2.0 for SPA applications


Question


I am trying to implement the OAuth 2.0 protocol with Web API 2 (for a Single Page App, not as part of a Visual Studio project). As per "Which OAuth 2.0 flow should I use", using refresh tokens is not an option. However, I am not sure I understand the Implicit Grant flow with eventual Silent Authentication.


Does Implicit Flow mean only issuing normal access tokens? In that case, how do we allow the user to stay logged in for a long time? What should the Silent Authentication endpoint look like, and what should it receive and return to the client? Is using refresh tokens really an issue - most people have their usernames/passwords saved in the browser?

Answer


Does Implicit Flow mean only issuing normal access tokens? Yes.


In that case, how do we allow the user to stay logged in for a long time? You can set the timeout using the "expires_in" parameter.


Refer here for complete details: https://oauth2.thephpleague.com/authorization-server/implicit-grant/


What should the Silent Authentication endpoint look like, and what should it receive and return to the client? Upon authentication of the user during login, the server sends and sets the authentication key in the session/browser. So, during every page call, only the authentication key is sent to the server. You will find many examples of implementation online.


Is using refresh tokens really an issue - most people have their usernames/passwords saved in the browser? No, it's not an issue. If the token expires, you can easily reissue the token after authentication. The password and username are not saved in the browser. Only the authentication key is stored.
