保护我的REST API使用OAuth，同时还允许通过第三方供应商的OAuth认证（使用DotNetOpenAuth） [英] Securing my REST API with OAuth while still allowing authentication via third party OAuth providers (using DotNetOpenAuth)

问题描述

我有一个简单的REST API产品，使产品的用户可以与产品的功能直接集成在不使用我的Web用户界面。

I have a product with a straightforward REST API so that users of the product can directly integrate with the product's features without using my web user interface.

最近，我已经越来越从不同的第三方的利益对他们的桌面客户端集成的API，允许我的产品的用户使用第三方应用程序来访问他们的数据。

Recently I have been getting interest from various third parties about integrating their desktop clients with the API to allow users of my product to access their data using that third party application.

我已经看到了希望使用使用由Twitter举办的登录页面，授予特定应用程序的权限访问该用户的数据验证的Twitter应用程序。单击允许或拒绝按钮，认证过程就完成了。 Facebook的使用相同的机制，尽我可以告诉。

I've seen that applications that want to use Twitter authenticate using a login page hosted by Twitter that grants a specific application permission to access that user's data. You click the "Allow" or "Deny" button and the authentication process is complete. Facebook uses the same mechanism as best I can tell.

在进一步的研究，这似乎是OAuth的行动，看到我的API是基于.NET的，我想我应该用DotNetOpenAuth，并提供了一​​个类似的机制。不幸的是，样品稀疏文件（如果有的话）和唯一的教程，我可以在网上找到似乎帮助您为您的用户登录机制，使他们可以登录到使用第三方提供您的网站被聚焦。

Upon further research, this seems to be OAuth in action, and seeing as my API is .Net-based, I am thinking I should use DotNetOpenAuth and provide a similar mechanism. Unfortunately the samples are sparsely documented (if at all) and the only tutorials I can find online seem to be focussed on helping you provide a login mechanism for your users so that they can log into your website using a third party provider.

我会的真正的喜欢做的是有我的REST API处理所有的核心身份验证和业务逻辑为我的web应用程序，并有，引擎盖下，我的web应用程序本质上是另一个应用程序只是使用通过OAuth的API。用户将在网​​站上进行身份验证直接使用他们的用户名和密码，或通过第三方供应商，如myOpenID来说或Facebook，然后网站会以某种方式使用返回的令牌对REST API进行身份验证。

What I would really like to do is have my REST API handle all of the core authentication and business logic for my web application and have, under the hood, my web application essentially be another application that just uses the API via OAuth. Users would authenticate on the website either directly using their username and password, or via a third party provider such as MyOpenID or Facebook and then the website would somehow use the returned token to authenticate against the REST API.

基本上，它看起来像我需要我的API以某种方式举办OAuth的服务，同时也让用户使用第三方的OAuth服务。我不禁想起我不太有足够的OAuth的把握来决定，如果我的事情过于复杂，或者如果我想要做的就是做的事情好坏的方法。

It basically looks like I need my API to somehow host an OAuth service, but also have users use a third party OAuth service. I can't help but think I don't quite have enough of a grasp on OAuth to decide if I'm overcomplicating things or if what I'm trying to do is a good or bad way to do things.

有人可以给我，至少我需要采取的步骤的全面概述，或者我应该是什么在实现这一目标？或者在一些教程，指向我？或急我的建议，并告诉我，我会对此（建筑）都错了？

Can someone give me at least a broad overview of the steps I need to undertake, or what I should look at to make this happen? Or point me at some tutorials? Or blast my proposal and tell me I'm going about this (architecturally) all wrong?

推荐答案

首先，我想强调的身份验证和授权的区别是：

First I'd like to emphasize the difference between authentication and authorization:

A 用户的通过提供一些凭证，如用户名+密码验证到您的网站。 OpenID的允许这种通过让用户的身份验证的其他服务，然后断言用户的身份代表用户的你的网站被取代。您的网站信任第三方服务（OpenID提供），因此认为登录的用户。

A user authenticates to your web site by supplying some credential such as a username+password. OpenID allows this to be displaced by having the user authenticate to another service, which then asserts the user's identity to your web site on the user's behalf. Your site trusts the third party service (the OpenID Provider) and therefore considers the user logged in.

一个的服务或应用的不验证你的网站 - 至少不是典型。用户的批准的服务或应用程序访问用户的数据。这通常是由服务提供者的应用程序请求授权完成，然后发送用户到服务提供商，其中用户首先进行认证（因此服务提供商知道它的聊天谁向），然后将用户说的网站是，它的确定为[应用]进入我的数据[以某种方式限制]。从那时起，该应用程序使用的授权令牌的访问服务提供商的网站上的用户数据。注意，应用程序不验证本身就好像它是用户，但它使用另一个code，以确保其被授权接入特定用户的数据的服务。

A service or application does not authenticate to your web site -- at least not typically. A user authorizes a service or application to access the user's data. This is typically done by the application requesting authorization of the service provider, then sending the user to the service provider, where the user first authenticates (so the service provider knows who its talking to) and then the user says to the site "yes, it's ok for [application] to access my data [in some restricted way]". From then on, the application uses an authorization token to access the user data on the service provider site. Note that the application does not authenticate itself as if it were the user, but it uses another code to assure the service that it is authorized to access a particular user's data.

因此​​，与这样的区分明确，你可以在你的网站有关身份验证和授权进行决策完全独立。举例来说，如果你希望你的用户能够与所有的登录：用户名+密码，OpenID的，和Facebook，你可以做到这一点。一个完全正交的决策是如何授权的应用程序（也有可以使用这个很多协议，当然是的OAuth颇为流行）。

So with that distinction clarified, you can make decisions on your site about authentication and authorization completely independently. For instance, if you want your users to be able to log in with all of: username+password, OpenID, and Facebook, you can do that. A completely orthogonal decision is how you authorize applications (there are many protocols you can use for this, OAuth of course being quite popular).

OpenID是专注于用户的验证的。 OAuth是专注于应用程序的授权的。然而，如Facebook和Twitter的一些服务，选择要用于身份验证的和的授权，而不是OAuth的使用OpenID进行身份验证和OAuth的授权。

OpenID is focused on user authentication. OAuth is focused on application authorization. However, a few services such as Facebook and Twitter have chosen to use OAuth for authentication and authorization instead of using OpenID for authentication and OAuth for authorization.

现在为自己的项目，我强烈建议你检查出的<一个href=\"http://visualstudiogallery.msdn.microsoft.com/en-us/81153747-70d7-477b-b85a-0374e7edabef\">ASP.NET MVC 2 OpenID的网站（C＃）可从VS图库项目模板。开箱即用它自带的OpenID认证的和的OAuth的服务提供商的支持。这意味着你的用户可以登录使用OpenID，和第三方应用程序和服务可以使用OAuth进行API调用到您的网站和访问用户数据。

Now for your own project, I strongly recommend you check out the ASP.NET MVC 2 OpenID web site (C#) project template available from the VS Gallery. Out of the box it comes with OpenID authentication and OAuth Service Provider support. This means your users can log in with OpenID, and 3rd party applications and services can use OAuth to make API calls to your web site and access user data.

这听起来像你想要添加到这个项目模板，一旦你去，是为您的用户使用用户名+密码以及OpenID的登录的能力。另外，如果你想Facebook和Twitter是为您的用户一个选项，你必须采取必要措施，以及因为它们不使用OpenID的标准。但DotNetOpenAuth下载包括​​与Twitter和Facebook登录，让你有一定的指导有样品。

What it sounds like you'd want to add to this project template once you get going is the ability for your users to log in with username+password as well as OpenID. Also, if you want Facebook and Twitter to be an option for your users you must implement that as well since they don't use the OpenID standard. But the DotNetOpenAuth download includes samples for logging in with Twitter and Facebook so you have some guidance there.

我怀疑你不会有太大的，如果什么关系上的授权前面。它配备了OAuth的正如我以前说过，这很可能将足以满​​足你。

I suspect you won't have much if anything to do on the authorization front. It comes with OAuth as I said before, and that will probably suffice for you.

这篇关于保护我的REST API使用OAuth，同时还允许通过第三方供应商的OAuth认证（使用DotNetOpenAuth）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！