是否有可能在一个Web API来使用外部身份提供程序与ASP.NET 5? [英] Is it possible to use an external Identity Provider in a Web API with ASP.NET 5?
问题描述
现在,有一点是我仍然不能确定这一切都是因为我真的不是在安全方面的专家,所以我对OAuth的知识不是很深刻。我的疑问是:?是否有可能使用外部身份提供者使用OAuth保护一条的RESTful API时
请注意,我的不可以说起添加社交登录一个的网站的,我说的是在一个REST风格的 API使用一个外部身份提供者
我的观点是,这让我有点糊涂了,但因为我一直以为这应该是我的应用程序的问题。
所以我的问题是在这里:使用OAuth和ASP.NET 5时,是可以使用外部身份提供者,不是实现一个其他的?如果可能的话,这是如何工作的短?我的意思是,我的应用程序仍然需要能够管理用户的身份,因为它需要管理要求等感。
在这种情况下,如果是真的有可能,如何流会是什么?外部身份提供者应发出令牌?但是,我的应用程序将如何能够验证这些令牌和管理用户身份?
编辑:一个我觉得不确定的原因是,当我们使用 UseOAuthAuthentication 扩展方法,我们设置一个回调路径其被描述为
,用户代理将返回该应用程序的基本路径内的请求路径。当它到达中间件将处理此请求。
现在,如果我们正在开发一个网站,那么这确实有一定道理。人去那里,点击一个按钮与Facebook提供商登录。用户被重定向到Facebook的页面,然后他在登录后,他被重定向到该站点的某些网页。
在另一方面,有一个RESTful API,这是毫无意义的。有没有被重定向的概念。
这使得它似乎是外部供应商的使用仅用于网站而不是基于REST的API。这是我的问题的重点。
解决方案
我的疑问是:是否有可能使用外部身份提供者使用OAuth保护一条的RESTful API时
?是的,这是绝对有可能。这正是当您使用的Azure Active Directory来保护您的API端点你做了什么:
app.UseOAuthBearerAuthentication(选项=> {
options.AutomaticAuthenticate = TRUE;
options.Authority =https://login.windows.net/tushartest.onmicrosoft.com;
options.Audience =https://TusharTest.onmicrosoft.com/TodoListService-ManualJwt;
});下一个合理的问题是:如果您可以使用AAD发出的令牌,以保护您的API,那么您为什么不能做同样的事情与Facebook或谷歌标记
与Facebook或谷歌,AAD问题的完全标准化的标记的名为智威汤逊标记的的OAuth2承载中间件可以读和验证,以确定该令牌是否仍然啥是真的发布了自己的API(即如果在观众附有标记对应你的API,你可以使用
资源控制这个价值使你的授权请求)时的参数。您不能做FB或谷歌标记类似的东西,因为他们是完全不透明的。其实,这不是真的令人惊讶,因为这些标记的目的只有一个:让您查询FB或谷歌的API,而不是你自己的人(这些社会提供商不允许设置访问令牌的观众)
由于无法读取自己的令牌,唯一的选择就是要求FB或谷歌是否还有效,以确保您的API不接受无效的令牌。这件事情,你可以(容易)做与Facebook为他们提供了一个象征性检查端点可以查询为:的 https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow (请参阅检查访问令牌的章节)。通过这种方式,可以确保令牌不会过期,并确定相应的令牌用户。
可悲的是,这种方法有两个缺点:
- 您必须做出额外的HTTP调用Facebook的端点验证访问令牌,这意味着缓存收到的令牌,以避免过多请求涌入的Facebook。
- 作为访问令牌没有为自己的API发布的您必须绝对确保访问令牌颁发给客户端应用程序,你完全信任或会允许任何第三方开发者使用他自己的FB /谷歌与您的API令牌,而无需请求用户的同意。这是 - 很明显 - 一个重大的安全问题
您可以在这最后一部分,所以回答(这对武士刀和有关Dropbox的,但你应该得到的想法)的更多信息:<一href=\"http://stackoverflow.com/questions/28487586/owin-oauth2-3rd-party-login-authentication-from-client-app-authorization-from/28488773#28488773\">OWIN/OAuth2第三方登录:从客户端应用程序,授权认证的网络API
所以我的问题是在这里:使用OAuth和ASP.NET 5时,是可以使用外部身份提供者,不是实现一个其他的?如果可能的话,这是如何工作的短?我的意思是,我的应用程序仍然需要能够管理用户的身份,因为它需要管理要求等感。
在这种情况下,如果是真的有可能,如何流会是什么?外部身份提供者应发出令牌?但是,我的应用程序将如何能够验证这些令牌和管理用户身份?
要解决在previous部分提到的限制,最好的选择是 - 因为你已经想通了 - 创建自己的授权/认证服务器。这样一来,你的API不(直接)接受FB或谷歌令牌而是通过自己的服务器发出的令牌,都不可能重定向用户到FB或谷歌进行身份验证。
这是<强>究竟这个样本做什么:的https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/tree/vNext/samples/Mvc
用户由客户端应用程序(Mvc.Client)邀请您的授权服务器(Mvc.Server)来验证,所以他可以得到一个访问令牌后查询API(也Mvc.Server)。为此,用户被重定向到授权服务器,这本身就为您提供与谷歌或Twitter进行身份验证。
在这个外部验证步骤完成后,用户被重定向回他的要求给他的客户端应用程序(Mvc.Client)来访问其个人资料的同意你的授权服务器(Mvc.Server)
在同意给予,用户被重定向回有访问权限的客户端应用程序令牌,您可以使用查询API端点。
Reading this question, @Pinpoint's answer and the further discussion on comments, I'm well aware that natively we can't add an identity provider to our apps developed with ASP.NET 5. One possible replacement for the legacy OAuthAuthorizationServerMiddleware is then provided by the AspNet.Security.OpenIdConnect.Server as I've found in many places.
Now, there is one point that I'm still unsure about all this because I'm really not an expert in security, so my knowledge about OAuth is not very deep. My doubt is the following: is it possible to use an external identity provider when using OAuth to protect one RESTful API?
Notice that I'm not talking about adding social login to one website, I'm talking about using one external identity provider in one RESTful API.
My point is, this makes me a little confused yet, because I always thought this should be a concern of my app.
So my question here is: when using OAuth and ASP.NET 5, is it possible to use an external identity provider, other than implementing one? If it is possible, how this works in short? I mean, my app still needs to be able to manage the identities of users, in the sense that it needs to manage claims and so on.
In that case, if it is really possible, how the flow would be? The external identity provider should issue the tokens? But how my app would be able to verify those tokens and manage users identities?
EDIT: One of the reasons I feel unsure about that is that when we use the
UseOAuthAuthenticationextension method, we set up one callback path which is described asThe request path within the application's base path where the user-agent will be returned. The middleware will process this request when it arrives.
Now, if we are developing a site, then this really does make sense. The person goes there, click a button to login with a provider like Facebook. The user is redirected to Facebook's page and then after he logs in, he is redirected to some page of the site.
On the other hand, with a RESTful API this is meaningless. There is no notion of being redirected.
This makes it seems that the usage of external providers is only for sites and not for RESTful API's. This is the main point of my question.
解决方案My doubt is the following: is it possible to use an external identity provider when using OAuth to protect one RESTful API?
Yes, it's definitely possible. This is exactly what you do when you use Azure Active Directory to protect your API endpoints:
app.UseOAuthBearerAuthentication(options => { options.AutomaticAuthenticate = true; options.Authority = "https://login.windows.net/tushartest.onmicrosoft.com"; options.Audience = "https://TusharTest.onmicrosoft.com/TodoListService-ManualJwt"; });
The next legitimate question is: if you can use the tokens issued by AAD to protect your API, why couldn't you do the same thing with Facebook or Google tokens?
Unlike Facebook or Google, AAD issues completely standardized tokens named JWT tokens that the OAuth2 bearer middleware can "read" and "verify" to determine whether the token is still valid and was really issued for your API (i.e if the audience attached with the token corresponds to your API. You can control this value using the
resourceparameter when making your authorization request).You can't do something similar with FB or Google tokens, since they are totally opaque. Actually, it's not really surprising since these tokens have only one objective: allowing you to query FB or Google APIs, not your own ones (these social providers don't allow to set the audience of the access token).
Since you can't read the token yourself, the only option is to ask FB or Google whether it is still valid to make sure your API doesn't accept invalid tokens. That's something you can (easily) do with Facebook as they offer a "token inspection endpoint" you can query for that: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow (see the Inspecting access tokens chapter). This way, you can ensure the token is not expired and determine the user corresponding to the token.
Sadly, this approach has two downsides:
- You have to make an extra HTTP call to the Facebook endpoint to validate the access token, which implies caching received tokens to avoid flooding Facebook with too many requests.
- As the access token is not issued for your own API, you MUST absolutely ensure that the access token was issued to a client application you fully trust, or it will allow any third party developer to use his own FB/Google tokens with your API without having to request user's consent. This is - obviously - a major security concern.
You can find more information in the last part of this SO answer (it's for Katana and about Dropbox, but you should get the idea): OWIN/OAuth2 3rd party login: Authentication from Client App, Authorization from Web API
So my question here is: when using OAuth and ASP.NET 5, is it possible to use an external identity provider, other than implementing one? If it is possible, how this works in short? I mean, my app still needs to be able to manage the identities of users, in the sense that it needs to manage claims and so on.
In that case, if it is really possible, how the flow would be? The external identity provider should issue the tokens? But how my app would be able to verify those tokens and manage users identities?
To work around the limitations mentioned in the previous part, the best option is - as you've already figured out - to create your own authorization/authentication server. This way, your API doesn't (directly) accept FB or Google tokens but the tokens issued by your own server, that can possibly redirect your users to FB or Google for authentication.
This is exactly what this sample does: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/tree/vNext/samples/Mvc
The user is invited by the client application (Mvc.Client) to authenticate with your authorization server (Mvc.Server) so he can get an access token to later query the API (also in Mvc.Server). For that, the user is redirected to your authorization server, which itself offers you to authenticate with Google or Twitter.
When this external authentication step is done, the user is redirected back to your authorization server (Mvc.Server), where he's asked to give his consent for the client app (Mvc.Client) to access his personal data.
When the consent is given, the user is redirected back to the client application with the access token you can use to query the API endpoint.
这篇关于是否有可能在一个Web API来使用外部身份提供程序与ASP.NET 5?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
