如何在Xamarin Forms中保护MobileServiceClient的Azure App Service端点? [英] How do I secure Azure App Service end-point for MobileServiceClient in Xamarin Forms?
问题描述
我有一个使用 Auth0 https://auth0.com/的应用作为登录提供商,可以通过多个提供商(Facebook,LinkedIn,Google,MS和Apple)登录.这一切都发生在客户端,我从相关服务获取了ID和访问令牌.没有错误.
I have an app that uses Auth0 https://auth0.com/ as the login provider and can login through multiple providers - Facebook, LinkedIn, Google, MS and Apple. This all happens client-side and I get the id and access tokens from the relevant service. No errors.
然后,我的应用程序使用Microsoft.WindowsAzure.MobileServices API连接到Azure App Services我使用它来创建与服务的连接:
My app then connects to Azure App Services using the Microsoft.WindowsAzure.MobileServices API I use this to create the connection to the service:
client = new MobileServiceClient(https://mycompany.azurewebsites.net);
然后,该应用程序可以在本地SQLite数据库和我的Azure SQL数据库之间同步数据.所有这些工作,没有错误.
The app can then sync data between the local SQLite db and my Azure SQL db. This all WORKS, no errors.
问题-终结点 https://mycompany.azurewebsites.net 设置为具有匿名访问权限,但没有安全的.
PROBLEM - the endpoint https://mycompany.azurewebsites.net is set with anonymous access and is not secured.
我可以启用App Service身份验证,并为大多数身份验证服务实施类似的操作,从登录名传入已经接收的令牌:
I can enable App Service Authentication and implement something like this for most authentication services, passing in the already-received tokens from login:
task = Task.Run(async () => await client.LoginAsync(MobileServiceAuthenticationProvider.Facebook, AccessToken));
user = task.Result;
这对于MS,Facebook和Google身份验证是可以的,但LinkedIn或Apple的API中没有任何内容.
This is fine for MS, Facebook and Google authentication BUT there is nothing in the API for LinkedIn or Apple.
Apple认证要求并且如果其他提供者登录选项也可供用户使用,则Apple登录.
问题:如何保护Node.js中的Azure App Service接受我可以从客户端提供的应用程序ID和/或密码或令牌作为常量,以仅允许对该URL进行通用但有些安全的访问:
Question: How can I secure the Azure App Service in Node.js to accept an app ID and or password or token that I can supply from the client side as a constant to simply allow generic but somewhat secure access to this URL: https://mycompany.azurewebsites.net and NOT have this set with anonymous access? And NOT USE the limited App Service Authentication.
任何人都可以阐明这一点吗?这是该应用最终进展的主要障碍.
Can anyone please shed light on this? This is a major block in final progress with the app.
我确实遇到了这个问题,但是需要特定于Node.js和Azure App Service的东西. Azure移动服务,HttpClient,授权
I did come across this but need something Node.js AND Azure App Service specific. Azure Mobile Services, HttpClient, Authorization
谢谢
推荐答案
这应该很容易实现.
- 更新您的服务端,以实现所需的身份验证机制.
- 创建一个实现身份验证机制的DelegatingHandler.
- 按以下步骤重新创建连接创建者:
var client = new MobileServiceClient(url, new MyDelegatingHandler());
委派处理程序可能像这样简单:
A delegating handler might be as simple as this:
public class MyDelegatingHandler : DelegatingHandler
{
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken token)
{
request.Headers.Add("X-Api-Key", "MyApiKey");
return base.SendAsync(request, token);
}
}
这只是使用API密钥向每个单个请求添加标头,然后您可以在服务器端检查该标头.对于Apple/LinkedIn/其他人,您可能希望以这种方式直接使用Authorization标头集成它们.基本上,您将授权标头存储在某处".在客户端代码中,完成身份验证后,您可以使用委托处理程序添加授权标头.在服务器端,您可以按常规方式针对ASP.NET或Express应用验证该授权标头.
This just adds a header to every single request with the API key, which you would then check on the server side. For Apple / LinkedIn / others, you might want to integrate those directly using an Authorization header in this way. Basically, you store the authorization header "somewhere" in your client-side code, after having done the auth, then you use a delegating handler to add the authorization header. On the server side, you can validate that authorization header in the normal way for an ASP.NET or Express app.
这篇关于如何在Xamarin Forms中保护MobileServiceClient的Azure App Service端点?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
