如何保护使用ASP.NET MVC 5 6在Web API [英] How to protect a Web API using ASP.NET 5 MVC 6

问题描述

我有一个很好的ASP.NET 5/6 MVC应用程序启动和运行。基本上用于此目的，这只是正常的示例应用程序你当你开始一个新项目，以保持它的简单。到目前为止，我可以：

I have a nice ASP.NET 5 / MVC 6 app up and running. Essentially for this purpose it is just the normal sample app you get when you start a new project to keep it simple. So far I can:

• 注册用户


• 登录


• 注销


• 保护页面（强制登录等）

现在，我想是要提供一个应用程序的API机制，登录并获得认证令牌。特别是我使用的角/科尔多瓦工作在两个移动应用与测试，一个又一个使用Xamarin。

Now, what I would like is to provide an API mechanism for a app to login and get an authentication token. Specifically I am working on two mobile apps to test with, one using Angular / Cordova and one using Xamarin.

我看过高，低，我似乎无法找到一个例子还演示了如何使这项工作。我觉得到目前为止，每个示例假设用户将通过正常的网页表单/后周期登录，然后被带到加载角一个页面，该身份验证令牌已经在浏览器中。

I have looked high and low and I cannot seem to find an example yet that shows how to make this work. Every example I find so far assumes the user will login via the normal web form / post cycle and then be taken to a page that loads Angular and this the authentication token is already in the browser.

从MVC的控制器AccountController.cs文件中的相关code如下。我最终要的是等效的功能，但是从纯粹的API调用，使角/ Xamarin将它发送用户名/密码，并取回一个身份验证令牌或失败。

The relevant code from the AccountController.cs file for the MVC controller is below. What I ultimately want is the equivalent functionality but from a pure API call that allows Angular / Xamarin to send it a username / password and get back a authentication token or failure.

    // POST: /Account/Login
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
    {
        ViewBag.ReturnUrl = returnUrl;
        if (ModelState.IsValid)
        {
            // This doesn't count login failures towards account lockout
            // To enable password failures to trigger account lockout, set shouldLockout: true
            var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
            if (result.Succeeded)
            {
                return RedirectToLocal(returnUrl);
            }
            if (result.RequiresTwoFactor)
            {
                return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });
            }
            if (result.IsLockedOut)
            {
                return View("Lockout");
            }
            else
            {
                ModelState.AddModelError(string.Empty, "Invalid login attempt.");
                return View(model);
            }
        }

        // If we got this far, something failed, redisplay form
        return View(model);
    }

什么是使用以保护Web API的推荐方式ASP.NET MVC 6？

What is the recommended way to protect a Web API using ASP.NET MVC 6?

推荐答案

我觉得为确保WebApi2推荐的方法是通过一个授权服务器。该授权服务器负责生成令牌。但基于这，那就是Katana3的一部分已经从下跌的基础的OAuth2授权服务器Asp.Net 5.

I think the recommended approach for securing WebApi2 is through an Authorisation Server. The Authorisation Server takes care of generating tokens. But based on this, the OAuth2 based authorization server that is part of Katana3 has been dropped from Asp.Net 5.

我假设你的应用程序是不是活的应用程序还没有，因为这两个ASP.NET 5和6 MVC不在他们的最终版本尚未阶段。所以，如果你有好的改变你的身份/认证过程中，你可以使用Thinktecture的 IdentityServer3 。

I assume your app is not a live app yet, since both ASP.NET 5 and MVC 6 are not in their final release stage yet. So if you are okay to change your identity/authentication process, you could use Thinktecture's IdentityServer3.

多米尼克·拜尔曾在博客关于<一个href=\"http://leastprivilege.com/2015/07/22/the-state-of-security-in-asp-net-5-and-mvc-6-oauth-2-0-openid-connect-and-identityserver/\"相对=nofollow>安全性对ASP.NET 5和6 MVC ，并在那里IdSvr3到图片的国家。该博客有一个链接到Github上库样品API控制器，​​也是一个API客户端。它也有一个MVC的Web应用程序样本。 ，它可以与Asp.Net身份工作。

Dominick Baier has blogged about the The State of Security on ASP.NET 5 and MVC 6 and where IdSvr3 comes into the picture. That blog has a link to a Github repository for sample API Controller, and also a API client. It also has sample for an MVC Web app. And it can work with Asp.Net Identity.

更新：

如果不适合你，你可以尝试 AspNet.Security.OpenIdConnect .Server 。请注意，它在Github上悬而未决的问题，所以你可以使用它遇到的问题。还要注意它的依赖，特别是 azureadwebstacknightly 的。

If that does not work for you, you could try AspNet.Security.OpenIdConnect.Server. Note that it has open issues on Github, so you may encounter problems using it. Note also its dependencies, particularly the azureadwebstacknightly.

请注意，ASP.NET 5和6 MVC可能是在一个稳定的beta版本，但他们还是在的测试版的版本。它仍然可以改变。

Please note that ASP.NET 5 and MVC 6 may be in a stable beta release, but they are still in beta release. It could still change.

另外，IdSvr3 2.0可以是在其最终版本，但它是由一个独立的小组开发的。它仅发布2个星期前，所以恕我直言，最喜欢的软件，可能会遇到的事情，可能会错过他们的测试。注意， ASP.NET小组，上周的啾啾了解 IdSvr3的（V2.0）的释放，所以会出现他们认可了。

Also, IdSvr3 v2.0 may be in its final release, but it is developed by a separate team. And it is only been released 2 weeks ago, so IMHO like most software, you can encounter things that may likely missed their tests. Note the ASP.NET Team, last week, tweeted about IdSvr3's (v2.0) release, so it appears they are endorsing it.

这篇关于如何保护使用ASP.NET MVC 5 6在Web API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！