Authentication between MVC and WebAPI (separate domains/applications)


Problem description

I'm looking for good ideas/resources/implementations for the following scenario:

An MVC website: http://mywebsite.com

http://myapi.com

IMPORTANT -- Please notice the separate domains/applications.

A user logs in at the website and data is fetched from the API via JSONP/CORS.

Obviously I don't want the user to authenticate on the WebAPI using basic authentication. But the API is also exposed to Android/iOS apps, so I need the basic auth.

I've thought about returning a token from the MVC site and then writing a DelegatingHandler at the WebAPI site to authenticate using that token, but I would like some input, or perhaps even better solutions.

I made a pretty diagram just for the occasion:

Recommended answer

Although JSONP works, also consider using CORS; some examples of a WebAPI implementation are here: http://stackoverflow.com/questions/12732147/cors-with-webapi-for-xmlhttprequest

Consider following a standard (at least a draft) for your token rather than creating your own. JSON Web Token (JWT) seems to be a good approach; the specification includes the format and determines the encryption or signing approach. There are libraries to support this kind of token, such as the Thinktecture IdentityModel; this article covers some of the usage of that library and of JWT: http://leastprivilege.com/2012/05/25/json-web-token-jwt-support-in-thinktecture-identitymodel/ Google has a good dev guide here.

Disclaimer: only consider the above having read about some of the OAuth and JWT standardization criticisms.

If you did use an HTTP header, I am not sure you need a custom header (@Vipul); the "Authorization:" header is there for this kind of information.

If you are using a custom token, ensure it has an expiration date, consider using a nonce if you want to protect against replay attacks, and sign or encrypt using a well-known algorithm.

Agree with you that a delegating handler is a good place to put token validation. An ActionFilter is called much later than necessary in the stack (see http://blogs.msdn.com/b/kiranchalla/archive/2012/05/06/asp-net-mvc4-web-api-stack-diagram-currently-in-development.aspx), and the middle ground would be to implement System.Web.Http.AuthorizeAttribute (http://www.codeproject.com/Tips/376810/ASP-NET-WEB-API-Custom-Authorize-and-Exception-Han).
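The answer's three points (a token with an expiry, a nonce against replay, a signature with a well-known algorithm) and its choice of a DelegatingHandler as the validation point, combined into one added example. This is not code from the answer or from any library it mentions. It assumes a constructed token layout (`base64url("<user>|<expiresUnixSeconds>|<nonce>") + "." + base64url(HMAC-SHA256 of the payload)`), a shared secret provisioned to both applications out of band, the `Bearer` scheme on the `Authorization:` header, and an in-memory nonce store; the class name `TokenAuthHandler` and its methods are hypothetical. Basic-auth requests from the mobile apps pass through untouched, since only the `Bearer` scheme is inspected.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical token layout (constructed for this example, not a standard):
//   base64url("<user>|<expiresUnixSeconds>|<nonce>") + "." + base64url(HMAC-SHA256 over the payload bytes)
// The MVC site mints it with Issue(); the Web API validates it in SendAsync().
public class TokenAuthHandler : DelegatingHandler
{
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    // Assumption: one shared secret provisioned to both applications out of band.
    private readonly byte[] _secret;
    // Nonces accepted so far with their expiry (entries can be purged once expired).
    // Several API nodes would need a shared store instead of a per-process dictionary.
    private static readonly ConcurrentDictionary<string, DateTime> SeenNonces =
        new ConcurrentDictionary<string, DateTime>();

    public TokenAuthHandler(byte[] secret) { _secret = secret; }

    // Issuer side (MVC site): sign "<user>|<expires>|<nonce>" with the shared secret.
    public string Issue(string user, DateTime expiresUtc)
    {
        string nonce = Guid.NewGuid().ToString("N");
        long expires = (long)(expiresUtc - Epoch).TotalSeconds;
        byte[] payload = Encoding.UTF8.GetBytes(user + "|" + expires + "|" + nonce);
        using (var hmac = new HMACSHA256(_secret))
            return ToBase64Url(payload) + "." + ToBase64Url(hmac.ComputeHash(payload));
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        // Only the Bearer scheme is handled here; Basic (for the mobile apps) keeps its own handler.
        if (auth == null || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
            return base.SendAsync(request, cancellationToken);

        string user;
        if (!TryValidate(auth.Parameter, DateTime.UtcNow, out user))
        {
            var reply = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            reply.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            return Task.FromResult(reply);
        }

        // The principal on the thread is what [Authorize] inspects later in the pipeline.
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "Token");
        Thread.CurrentPrincipal = new ClaimsPrincipal(identity);
        return base.SendAsync(request, cancellationToken);
    }

    public bool TryValidate(string token, DateTime nowUtc, out string user)
    {
        user = null;
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;

        byte[] payload, sig;
        try { payload = FromBase64Url(parts[0]); sig = FromBase64Url(parts[1]); }
        catch (FormatException) { return false; }

        // Verify the signature before trusting anything inside the payload.
        byte[] expected;
        using (var hmac = new HMACSHA256(_secret)) expected = hmac.ComputeHash(payload);
        if (!FixedTimeEquals(expected, sig)) return false;

        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        if (fields.Length != 3) return false;
        long expires;
        if (!long.TryParse(fields[1], out expires)) return false;
        DateTime expiresUtc = Epoch.AddSeconds(expires);
        if (nowUtc >= expiresUtc) return false;                       // expired
        if (!SeenNonces.TryAdd(fields[2], expiresUtc)) return false;   // nonce already used: replay
        user = fields[0];
        return true;
    }

    // Constant-time comparison so signature checking does not leak through timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string ToBase64Url(byte[] data)
    {
        return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4) { case 2: s += "=="; break; case 3: s += "="; break; }
        return Convert.FromBase64String(s);
    }
}

// Registration on the API side, in WebApiConfig.Register(HttpConfiguration config):
//   config.MessageHandlers.Add(new TokenAuthHandler(secretBytes));
```

Because the handler runs before routing and before any ActionFilter, a forged, expired or replayed token is rejected with 401 before a controller is ever resolved, which is the ordering advantage the answer describes. The signature is checked before the payload is parsed, so the expiry and nonce fields are only trusted once they are known to come from the issuer.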
