AngularJS + ASP.NET Web API + ASP.NET MVC 身份验证 [英] AngularJS + ASP.NET Web API + ASP.NET MVC Authentication
问题描述
我是 AngularJS 的新手,正在尝试为我的新 Web 应用程序评估它.
I am new to AngularJS and trying to evaluate it for my new web application.
我将拥有一个 ASP.NET Web API,它也将从 Android、iPhone 和 Web 应用程序 (ASP.NET MVC) 使用.ASP.NET Identity 将在 Web API 中实现.三个应用都会调用Web API的login方法来获取auth token.
I will have one ASP.NET Web API which will be consumed from an Android, an iPhone and from a web application (ASP.NET MVC) too. ASP.NET Identity will be implemented in Web API. All three applications will call the login method of Web API to get the auth token.
我的问题是如何让 ASP.NET MVC 服务器端身份验证工作(与 Web API 同步,因此我不必单独登录 ASP.NET MVC)而 Angular 进行调用获取 HTML 模板/视图、JavaScript 文件或其他资源.我浏览了许多关于 AngularJS 的文章和博客,但仍然无法找到符合我要求的安全模型.
My problem is how to get ASP.NET MVC server side authentication work (in sync with Web API so I don't have to login for ASP.NET MVC separately) while Angular makes a call to get the HTML template/view, JavaScript files or other resources. I have went through many articles and blogs on AngularJS but still unable to find a security model which fits in my requirement.
直接向 ASP.NET MVC 应用程序而不是 Web API 进行登录调用是否是个好主意,ASP.NET MVC 应用程序将调用 Web API 进行登录,并且一旦通过身份验证,将 auth 令牌保存在会话中加上创建一个 FormsAuthentication cookie 并在 cookie 数据中保存加密的身份验证令牌.此外,在 HTML 中的某处设置 auth 令牌在 ng-init 中,以在 AngularJS 范围内拥有令牌.现在,当 AngularJS 尝试调用 ASP.NET MVC 应用程序以获取 HTML 时,然后通过将 cookie 解密数据与会话中的身份验证数据相匹配来对用户进行身份验证/授权.此外,AngularJS 将在标头中发送 auth 令牌以直接调用 Web API 方法,以便通过 Web API 进行数据操作的所有后续调用.
Would it be a good idea to make the login call to ASP.NET MVC application instead of Web API directly, and ASP.NET MVC application would call the Web API to login, and once authenticated, save the auth token in session plus create a FormsAuthentication cookie and in cookie data save the encrypted auth token. Moreover set the auth token in ng-init somewhere in HTML to have the token in AngularJS scope. Now when AngularJS tries to make a call to ASP.NET MVC application to get HTML, then authenticate/authorize the user by matching the cookie decryted data with auth data in session. Also, AngularJS will send the auth token in header to call the Web API methods directly for all the subsequent calls for data manipulation through Web API.
推荐答案
我用一个非常严格的解决方案解决了这个问题.我只是确保在 WebApiConfig 的 Register 方法中有以下两行代码:
I solved the problem with a very strait forward solution. I just made sure I have following two lines of code in the Register method of WebApiConfig:
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
就是这样.现在,我的 MVC 控制器查找会话 cookie 以进行授权,而我的 Web API 控制器查找每个请求标头中的身份验证令牌.此外,Web API 会发送令牌 (JSON) 和会话 cookie 本身以响应登录/身份验证请求,例如http:\\www.mydomain.com\token.
That's it. Now my MVC controllers look for the session cookie for authorization whereas my Web API controllers look for the auth token in the header of each request. Moreover, the Web API sends a token (JSON) and a session cookie itself in response to the login/authentication request e.g. http:\\www.mydomain.com\token.
所以现在我将我的登录请求发送到 Web API 以获取令牌以及会话 cookie.每个请求都会自动发送会话 cookie,所以我不必担心我的 MVC 控制器的授权.对于 Web API 调用,我会在每个请求的标头中发送身份验证令牌,因为 Web API 控制器不关心随请求发送的会话 cookie.
So now I send my login request to Web API to get the token as well as the session cookie. Session cookie will automatically be sent will each request so I don't have to worry about the authorization of my MVC controllers. For Web API calls I am sending the auth token in the header for each request as Web API controllers don't care about the session cookie being sent with the request.
这篇关于AngularJS + ASP.NET Web API + ASP.NET MVC 身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
