Active Directory 帐户的 Oauth 2 令牌 [英] Oauth 2 token for Active Directory accounts

问题描述

我过去曾使用 Owin 在我的 Mvc Web Api 项目中创建令牌端点，以提供带有资源所有者密码凭据"授权类型，其中访问令牌提供者将检查数据库用户表以验证移动客户端(使用 Visual Studio 工具为 Cordova 开发的多平台应用程序)提供的凭据的有效性.

I have used Owin in the past to create a token endpoint in my Mvc Web Api projects to provide oauth 2.0 tokens with "Resource Owner Password Credentials" grant type where access token provider would check a database user table to verify the validity of the credentials supplied by the mobile client (multiplatform App developed with Visual studio tool for Cordova).

在此项目中，Web Api 将由 Active Directory Windows 域帐户使用的多平台移动应用程序使用

In this project, the Web Api will be consumed by a multiplatform Mobile app used by Active Directory Windows domain accounts

我想使用 Owin Oauth 2.0 向这些用户授予访问令牌，但我不知道如何检查这些凭据的有效性.

I would like to use Owin Oauth 2.0 to grant an Access Token to these users but I don't know how to check the validity of these credentials.

我的想法是将 /token 端点放在 basic authentication" 后面，并在访问令牌提供程序的代码中从身份获取用户，如果是经过身份验证的使用，应该由Asp.net管道自动创建.

What I was thinking is to put the /token endpoint behind "basic authentication" and in the code of the Access Token Provider get the user from the Identity that, in case of authenticated used, should be automatically created by the Asp.net pipeline.

有什么可行的方法吗?

您知道将 Oauth 2.0 用于 AD Windows 帐户的更好主意吗?

Do you know any better idea to use Oauth 2.0 for AD Windows Accounts?

注意:

我也在调查 Active Directory 是否能够自己提供 Oauth 2.0 端点.

I'm also investigating if Active Directory is able to provide an Oauth 2.0 endpoint by itself.

推荐答案

这里有一个很好的演练，介绍了如何使用 Active Directory 联合服务来获取 OAuth2 令牌.https://technet.microsoft.com/en-us/library/dn633593.aspx.您必须点击底部的所有链接才能获得完整的演练.

Here is a pretty good walkthrough of how to use Active Directory Federation Services to obtain an OAuth2 token. https://technet.microsoft.com/en-us/library/dn633593.aspx. You'll have to follow all the links at the bottom to get the entire walkthrough.

请注意，它指的是使用 适用于 .NET 的 Windows Azure AD 身份验证库.但根据该文档，该库同时用于 Azure Active Directory 和本地 Active Directory.

Note that it refers to using Windows Azure AD Authentication Library for .NET. But according to that documentation, that library is used for both Azure Active Directory and on premises Active Directory.

至于工作流程，一旦通过身份验证，您将能够获得一个不记名令牌并将其呈现给您的 WebAPI.然后，您的 WebAPI 会验证令牌的签名以确保它是由 AD FS 颁发的，检查令牌是否仍然有效且尚未过期，并且可能还会验证令牌中的其他声明.此时，客户端要么被授权，他们请求的信息在响应中发送，要么他们未经授权，不会发送任何数据."- https://technet.microsoft.com/en-us/library/dn633593.aspx

As for the workflow, once authenticated you'll be able to obtain and present a bearer token to your WebAPI. Your WebAPI then "validates the signature of the token to ensure it was issued by AD FS, checks to see if the token is still valid and hasn’t expired and may possibly also validate other claims in the token. At this point, the client is either authorized and the information they requested is sent in the response or they are unauthorized and no data will be sent." - https://technet.microsoft.com/en-us/library/dn633593.aspx

这篇关于Active Directory 帐户的 Oauth 2 令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！