Stateless authentication with NancyFx, OWIN and JWT


Question


I have an OWIN self-hosted application which has a front-end where users can sign up. Nancyfx does the logic for routing and Models, and in the documentation I saw that Nancyfx comes with 3 types of authentication.

  • Forms ( Nancy.Authentication.Forms )
  • Basic ( Nancy.Authentication.Basic )
  • Stateless ( Nancy.Authentication.Stateless )


I've settled on the Stateless Authentication, and following this example I tried to set up a basic form of authentication.


I wanted to expand further on this, using JWT to have some basic info handy and as a form of basic authentication (e.g. the client has a token, so he's verified), but this is where I run into a few problems.

  1. The way I authenticate (Home -> login -> redirect upon success) causes my Response.Header.Authorization to be cleared, not allowing me to catch the token in my custom Bootstrapper.

Code:

// Bootstrapper: enable stateless authentication on every request.
protected override void RequestStartup(TinyIoCContainer requestContainer, IPipelines pipelines, NancyContext context)
{
   AllowAccessToConsumingSite(pipelines);
   StatelessAuthentication.Enable(pipelines, requestContainer.Resolve<IStatelessAuthConfigurationFactory>().Config());
}

// Configuration factory: VerifyToken(NancyContext) returns a ClaimsPrincipal or null.
private StatelessAuthenticationConfiguration _stat;

public StatelessAuthenticationConfiguration Config()
{
    if (_stat == null)
    {
        _stat = new StatelessAuthenticationConfiguration(VerifyToken);
    }
    return _stat;
}

  2. Since my Authorization header disappears every request, I would need to persist the JWT. I figure it's possible using the OWIN environment or Nancy context, but would this be advisable, and what would the effect be for a multi-user environment regarding security?


OWIN has its own authentication manager that I could use. I've experimented with it, but it tends to provide a cookie upon successful sign-in, which it doesn't seem to revoke on logout. I just ran into a few issues overall with it, so I settled on NancyFx authentication. (Not really a problem, more of a general remark I suppose.)

Thanks in advance for your help!

Answer


Regarding (1), if you roll your own redirection after a successful login, consider setting the Authorization header during the redirect, e.g.

return Response.AsRedirect("/").WithHeader("Authorization", token);


It's actually the responsibility of the client to hold the valid JWT token after authentication. Returning it as a cookie (and deleting it upon logout) could make things easier in terms of client-side implementation and avoid the token persistence issue.


Regarding (2), not really, it's not necessary. JWT tokens are self-contained, and that's why they're useful in stateless auth scenarios.
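The following is an added example, not code from the question, the answer or the Nancy project, showing how both points of the answer fit together in a Nancy 2.x application: the login route issues a signed JWT and hands it to the client in the redirect (Authorization header plus an HttpOnly cookie), and the VerifyToken callback reads the token back from the next request and validates it with System.IdentityModel.Tokens.Jwt, returning a ClaimsPrincipal or null as StatelessAuthenticationConfiguration expects. The cookie name, issuer, audience, the "Bearer " prefix, the JwtAuth and LoginModule types and the placeholder signing key are all assumptions; the credential check itself is left out.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;
using Nancy;
using Nancy.Authentication.Stateless;
using Nancy.Cookies;

// Assumed helper type (not part of Nancy): issues and validates the JWT.
public static class JwtAuth
{
    public const string AuthCookieName = "auth_token"; // assumed cookie name
    private const string Issuer = "my-app";            // assumed issuer
    private const string Audience = "my-app-clients";  // assumed audience

    // Placeholder key for the example: load the real one from configuration or a secret store.
    private static readonly SymmetricSecurityKey SigningKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("REPLACE-WITH-A-32-BYTE-OR-LONGER-SECRET"));

    public static StatelessAuthenticationConfiguration Configuration() =>
        new StatelessAuthenticationConfiguration(VerifyToken);

    // Called by StatelessAuthentication on every request: ClaimsPrincipal or null.
    public static ClaimsPrincipal VerifyToken(NancyContext ctx)
    {
        string token = null;
        var header = ctx.Request.Headers.Authorization;
        if (!string.IsNullOrEmpty(header) && header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            token = header.Substring("Bearer ".Length).Trim();
        else if (ctx.Request.Cookies.TryGetValue(AuthCookieName, out var cookieToken))
            token = cookieToken; // browser clients send the cookie, not the header

        if (string.IsNullOrEmpty(token))
            return null;

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = SigningKey,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };

        try
        {
            // Signature, issuer, audience and expiry are all checked here; nothing is
            // stored server-side, which is what makes the token self-contained.
            return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
        }
        catch (SecurityTokenException) { return null; } // bad signature, expired, wrong issuer/audience
        catch (ArgumentException) { return null; }      // malformed token string
    }

    public static string IssueToken(string userName)
    {
        var creds = new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256);
        var jwt = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim(ClaimTypes.Name, userName) },
            expires: DateTime.UtcNow.AddHours(1),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }
}

// Assumed module: login hands the token to the client, logout expires the cookie.
public class LoginModule : NancyModule
{
    public LoginModule()
    {
        Post("/login", _ =>
        {
            // The credential check is out of scope for this example; assume it passed for "alice".
            var token = JwtAuth.IssueToken("alice");
            var cookie = new NancyCookie(JwtAuth.AuthCookieName, token, httpOnly: true, secure: true)
            {
                Expires = DateTime.UtcNow.AddHours(1)
            };
            // Token in the redirect header (for API clients that read it) and in an
            // HttpOnly cookie (which the browser will send back on the next request).
            return Response.AsRedirect("/")
                           .WithHeader("Authorization", "Bearer " + token)
                           .WithCookie(cookie);
        });

        Post("/logout", _ =>
        {
            // Stateless: nothing to revoke on the server, so just expire the cookie.
            var expired = new NancyCookie(JwtAuth.AuthCookieName, string.Empty, httpOnly: true, secure: true)
            {
                Expires = DateTime.UtcNow.AddDays(-1)
            };
            return Response.AsRedirect("/").WithCookie(expired);
        });
    }
}
```

Two caveats worth keeping in mind with this layout. A browser never copies a response header into its next request, so the Authorization header set on the redirect is only useful to a client that reads it explicitly; for browser sessions the cookie is what actually carries the token back, which is why the answer suggests it. And once the token travels in a cookie, the request is subject to CSRF like any other cookie-authenticated request, so state-changing routes need the usual anti-forgery measures (a SameSite attribute on the cookie, Nancy's CSRF token support, or both). The token's expiry is the only revocation a purely stateless server has; keep it short.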
