什么被认为是“最佳实践"?用于 WPF 和 WCF 应用程序的用户身份验证/授权? [英] What is considered "best practice" for user authentication/authorization for WPF and WCF applications?

问题描述

假设我有一个 .NET 富客户端 (WPF) 应用程序，它将同时部署在 3 个不同的场景中:

Say I have a .NET rich client (WPF) application that will be deployed in 3 different scenarios simultaneously:

1. 客户和服务器代码在单个进程中运行
2. 客户端代码在 Intranet 计算机上运行，​​并通过 WCF 与运行应用/域/基础架构代码的服务器计算机通信
3. 与#2 相同，但客户端可以在防火墙之外的机器上运行.自定义用户列表 &角色应集中维护(即凭据不基于 Windows 登录)

为此应用程序实施相同的用户授权/身份验证模型的简单、经过验证的做法是什么?即，无论应用程序如何部署，我都想在我的表示层、应用程序层、域层等中使用相同的方法.

What is a simple, proven practice for implementing the same user authorization/authentication model for this application? I.e., I want to use the same approach in my presentation layer, application layer, domain layer, etc, regardless of how the application is deployed.

是否应该通过我现有的实体框架模型在我的 SQL 数据库中明确维护用户/角色?Thread.CurrentPrincipal 应该是需要授权某些应用功能的代码所使用的方法，还是应该对某些 IUserService 进行依赖注入?

Should users/roles be explicitly maintained in my SQL database via my existing Entity Framework model? Should Thread.CurrentPrincipal be the approach used by code that needs to authorize certain app features, or should some IUserService be dependency-injected?

这是一个低调的应用程序，因此安全性不是至关重要的——只是一些基本的东西.

This is a low-profile application so security is not of critical importance -- just something basic.

谢谢

在花费数小时研究 WIF/基于声明的身份验证后，我仍然没有看到有关如何创建采用此类安全性的独立 .NET 桌面应用程序的任何指导.所有讨论都针对 ASP.NET 或 WCF.我需要我的应用程序使用可用于分布式 (WCF) 和独立部署方案的标准方法

After spending hours researching WIF / claims-based authentication, I still don't see any guidance on how to create a stand-alone .NET desktop application that employs this type of security. All discussions are geared to either ASP.NET or WCF. I need my application to use a standard approach that can be used in both distributed (WCF) and stand-alone deployment scenarios

推荐答案

看看这个.我想这就是你要找的:

Take a look at this.I presume it's what you're looking for:

https://gist.github.com/stonetip/8745656

var tokenHandler = new JwtSecurityTokenHandler();

        var convertedSecret = EncodeSigningToken(ConfigurationManager.AppSettings["ClientSecret"]);

        // Set the expected properties of the JWT token in the TokenValidationParameters
        var validationParameters = new TokenValidationParameters()
        {
            AllowedAudience = ConfigurationManager.AppSettings["AllowedAudience"],
            ValidIssuer = ConfigurationManager.AppSettings["Issuer"],
            SigningToken = new BinarySecretSecurityToken(convertedSecret)
        };

        Thread.CurrentPrincipal = tokenHandler.ValidateToken(token, validationParameters);

        if (HttpContext.Current != null)
        {
            HttpContext.Current.User = Thread.CurrentPrincipal;
        }

这篇关于什么被认为是“最佳实践"?用于 WPF 和 WCF 应用程序的用户身份验证/授权?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！