How to get started with OAuth to secure a Web API application?


Problem description


I have a Web API application and I've understood OAuth would be the standard security model for APIs where an Authentication Server would become responsible to generate Authorization Tokens so that the user can send to our server and consume the services.


I'm very new to this but I understand the roles involved:

  • Resource Owner
  • Client
  • Resource Server
  • Authorization Server


But what is OAuth exactly in practice, not in theory? Is it a .NET library? Is it a service provided by a separate Company? Is it something I can configure on my local development machine and see how it works?


How to get started with OAuth to secure a Web API application?

Recommended answer


OAuth is a protocol; the current version is OAuth 2.0. More to your question, that link lists several implementations of the protocol in various technologies. For use with the .NET Web API you're probably interested in DotNetOpenAuth which provides implementations of both OAuth 1 and OAuth 2.


I'm using DotNetOpenAuth in an app I'm working on now to secure a .NET Web API. I've got an OAuth2Handler which extends DelegatingHandler which is inserted into the Web API pipeline before incoming requests reach any controllers. OAuth2Handler does the following:

  1. Instantiates a DotNetOpenAuth ResourceServer
  2. Calls ResourceServer.GetPrincipal() which reads and decrypts an access token (issued elsewhere by the AuthorizationServer) and returns an OAuthPrincipal (In my case I'm reading additional data that the DotNetOpenAuth implementation allows you to pass and creating a ClaimsPrincipal.)
  3. Assigns the IPrincipal containing the user information read from the access token to the User property of the thread and current HTTP context so it is available from the ApiController.User property in the service controllers: httpContext.User = Thread.CurrentPrincipal = principal;


Honestly, getting this all working (e.g. setting up the authorization server, resource server, certificates, etc.) isn't trivial. Unfortunately there didn't seem to be a good guide on the DotNetOpenAuth site. Here are a few other tasks you'll have ahead of you if you go this route:

  • Implement IAuthorizationServer - This is the interface provided by DotNetOpenAuth that allows you to plug in to the library and use their implementation to issue OAuth2 access tokens. You'll also need to implement INonceStore and ICryptoKeyStore which I did using an EntityFramework context for storage.
  • Configure Certificates - The AuthorizationServer and ResourceServer each use certificates to encrypt/decrypt the access token ensuring they are only accessible to each other. I built some custom configuration so I could manage this configuration in the web.config files of my authorization server app and my Web API services (resource server).
  • Manage Refresh Token - When first requesting an access token from the authorization server you'll get back (depending on your configuration) both an OAuth2 refresh token and an access token. The services use the access token which should be short-lived. The refresh token is used to get more access tokens. The refresh token should be kept secret (whatever that means in your scenario). For me it means the refresh token is never exposed to client-side javascript in my web app.


I hope that helps give you a high level idea of how to get started with OAuth and .NET Web API. Here's a blog post demonstrating some of these steps. This SO answer gives a few more high level details of the client side of the picture.


(The DotNetOpenAuth online docs appear to be down right now... sorry for no links to them; apparently it has happened before.)
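As an added example (not the answer's own OAuth2Handler and not DotNetOpenAuth code), here is a minimal C# version of the pipeline the answer describes: a DelegatingHandler that pulls the bearer token from the Authorization header, validates it, rejects the request with an RFC 6750 challenge if it is missing, tampered, expired or lacks the required scope, and otherwise assigns the resulting ClaimsPrincipal to the thread and HTTP context so controllers see it as ApiController.User. The token format (an HMAC-SHA256-signed `sub|exp|scope` payload over a key shared by the authorization server and the resource server), the names BearerTokenHandler, IssueToken and ValidateToken, and the scope `api.read` are assumptions made for this example; in the answer's setup, DotNetOpenAuth's ResourceServer.GetPrincipal() with certificate-based keys takes the place of ValidateToken.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;   // HttpContext; present in an ASP.NET Web API project

// Added example, not the answer's handler. Register it with
//   config.MessageHandlers.Add(new BearerTokenHandler(sharedKey, "api.read"));
// so it runs before any controller, as the answer's OAuth2Handler does.
public sealed class BearerTokenHandler : DelegatingHandler
{
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    private readonly byte[] _signingKey;     // assumption: shared with the authorization server
    private readonly string _requiredScope;

    public BearerTokenHandler(byte[] signingKey, string requiredScope)
    {
        _signingKey = signingKey;
        _requiredScope = requiredScope;
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(Unauthorized(request, "invalid_request"));

        // In the answer this is ResourceServer.GetPrincipal(); here it is our own check.
        ClaimsPrincipal principal = ValidateToken(auth.Parameter, _signingKey, _requiredScope, DateTime.UtcNow);
        if (principal == null)
            return Task.FromResult(Unauthorized(request, "invalid_token"));

        // Step 3 of the answer: expose the principal to ApiController.User.
        Thread.CurrentPrincipal = principal;
        if (HttpContext.Current != null) HttpContext.Current.User = principal;

        return base.SendAsync(request, cancellationToken);
    }

    // RFC 6750 error response: 401 plus a WWW-Authenticate: Bearer challenge.
    private static HttpResponseMessage Unauthorized(HttpRequestMessage request, string error)
    {
        var response = new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request };
        response.Headers.WwwAuthenticate.Add(
            new AuthenticationHeaderValue("Bearer", "realm=\"api\", error=\"" + error + "\""));
        return response;
    }

    // Assumed token format: base64(payload) "." base64(HMAC-SHA256(payload)),
    // payload = "sub|exp|scope" (subject and scope contain no '|'). The short
    // lifetime is what makes this an access token rather than a refresh token.
    public static string IssueToken(string subject, string scope, TimeSpan lifetime, byte[] key, DateTime now)
    {
        long exp = (long)(now.Add(lifetime) - Epoch).TotalSeconds;
        byte[] payload = Encoding.UTF8.GetBytes(subject + "|" + exp + "|" + scope);
        byte[] mac;
        using (var hmac = new HMACSHA256(key)) mac = hmac.ComputeHash(payload);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(mac);
    }

    // Returns a principal for a valid token, or null when the token is malformed,
    // forged, expired, or does not carry requiredScope.
    public static ClaimsPrincipal ValidateToken(string token, byte[] key, string requiredScope, DateTime now)
    {
        if (token == null) return null;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, mac;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }

        byte[] expected;
        using (var hmac = new HMACSHA256(key)) expected = hmac.ComputeHash(payload);
        if (!FixedTimeEquals(expected, mac)) return null;          // tampered or forged

        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        long exp;
        if (fields.Length != 3 || !long.TryParse(fields[1], out exp)) return null;
        if (Epoch.AddSeconds(exp) <= now) return null;            // expired: client must use its refresh token
        string[] scopes = fields[2].Split(' ');
        if (Array.IndexOf(scopes, requiredScope) < 0) return null; // insufficient scope

        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, fields[0]),
            new Claim(ClaimTypes.Name, fields[0])
        };
        foreach (string s in scopes) claims.Add(new Claim("scope", s));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));
    }

    // Compare MACs without leaking where they first differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] key = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);
        // Constructed sample: a 15-minute access token for "alice" with scope "api.read".
        string token = BearerTokenHandler.IssueToken("alice", "api.read", TimeSpan.FromMinutes(15), key, DateTime.UtcNow);
        ClaimsPrincipal ok = BearerTokenHandler.ValidateToken(token, key, "api.read", DateTime.UtcNow);
        Console.WriteLine(ok != null ? "accepted: " + ok.Identity.Name : "rejected");
        ClaimsPrincipal expired = BearerTokenHandler.ValidateToken(token, key, "api.read", DateTime.UtcNow.AddHours(1));
        Console.WriteLine(expired == null ? "expired token rejected" : "BUG: expired token accepted");
        ClaimsPrincipal wrongScope = BearerTokenHandler.ValidateToken(token, key, "api.write", DateTime.UtcNow);
        Console.WriteLine(wrongScope == null ? "wrong scope rejected" : "BUG: wrong scope accepted");
    }
}
```

The handler validates on every request and never accepts a refresh token as a bearer credential, which is the split the answer's "Manage Refresh Token" bullet relies on: the access token is the only thing the API ever sees, it expires quickly, and the refresh token stays with the component that talks to the authorization server.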

