ASP.NET Web API Authentication Options

Question

What options are available for authentication of an MVC3 Web API application that is to be consumed by a JQuery app from another domain?

Here are the constraints/things I've tried so far:-

  • I don't want to use OAuth; for a private app with a limited user base I can't expect end users to have accounts with existing providers, and there is no scope to implement my own

  • I have a fully functioning HMAC-SHA256 implementation that works fine passing the data in headers; however this doesn't work in IE because CORS in IE8/9 is broken and doesn't allow you to send headers

  • I need cross-domain: the consuming app is on a different domain to the API, but I can't use JSONP because it doesn't allow you to use headers

  • I want to avoid a token (only) based approach because it is open to replay and is a violation of REST statelessness

At this point I'm resigned to a HMAC-SHA256 approach that uses either the URL or querystring/post to supply the hash and other variables.

Putting these variables in the URL just seems dirty, and putting them in the querystring/post is a pain.

I was successfully using the JQuery $.ajaxSetup beforeSend option to generate the hash and attach it to the headers, but as I mentioned you can't use headers with IE8/9.

Now I've had to resort to $.ajaxPrefilter because I can't change the ajax data in beforeSend, and can't just extend data in $.ajaxSetup because I need to dynamically calculate values for the hash based on the type of ajax query. $.ajaxPrefilter is also an issue because there is no clean/simple way to add the required variables in such a way that is method agnostic... i.e. it has to be querystring for GET and formdata for POST

I must be missing something because I just cannot find a solution that:-

  • a) supports cross-domain
  • b) is not a massive hack on both the MVC and JQuery sides
  • c) is actually secure
  • d) works with IE8/9

There has to be someone out there doing this properly...

EDIT

To clarify, the authentication mechanism on the API side is fine... no matter which way I validate the request I generate a GenericPrincipal and use that in the API (the merits of this are for another post, but it does allow me to use the standard authorization mechanisms in MVC, which I prefer to rolling my own... less for other developers on my API to learn and maintain)

The problem lies primarily in the transfer of authentication information from the client to the API:-

  • It can't rely on server/API state. So I can't pass username/password in one call, get a token back and then keep using that token (open to replay attack)
  • Anything that requires use of request headers is out, because IE uses XDR instead of XHR like the rest of the browsers, and it doesn't support custom headers (I know IE10 supports XHR, but realistically I need IE8+ support)
  • I think I'm stuck generating a HMAC and passing it in the URL somewhere (path or querystring) but this seems like a hack because I'm using parts of the request not designed for this
  • If I use the path there is a lot of messy parsing because at a minimum I have to pass a username, timestamp and hash with each request; these need to be delimited somehow and I have little control over delimiters being used in the rest of the url
  • If I use data (querystring/formdata) I need to change the place I'm sending my authentication details depending on the method I'm using (formdata for POST/PUT/etc and querystring for GET), and I'm also polluting the application layer data space with these vars

As bad as it is, the querystring/formdata seems the best option; however now I have to work out how to capture these on each request. I can use a MessageHandler or Filter, but neither provides a convenient way to access the formdata.

I know I could just write all the parsing and handling stuff myself (and it looks like I will) but the point is I can't believe that there isn't a solution to this already. It's like I have (1) support for IE, (2) secure and (3) clean code, and I can only pick two.

Answer

Your requirements seem a little bit unjustified to me. You can't ever have everything at the same time, you have to be willing to give something up. A couple of remarks:


  • OAuth seems to be what you want here, at least with some modifications. You can use the Azure Access Control Service so that you don't have to implement your own token provider. That way you have outsourced the implementation of the security token provider. Last time I checked, Azure ACS was still free. There is a lot of confusion when you search for ACS documentation, because people mostly use it to plug in other providers like Facebook or Google, but you can tweak it to be a token provider for just your own service.

  • You seem very concerned with replay attacks. Replay attacks are almost always a possibility. I only have to listen to the data on the wire and send it to your server, even over SSL. Replay attacks are something you need to deal with regardless. What I usually do is keep a cache of incoming requests and add the hash signature to my cache. If I see another request with the same hash within 5 minutes, I ignore it. For this to work, I add the timestamp of the request (millisecond granularity) and some derivative of the URL as parameters of my hash. This allows one operation per millisecond to the same address from the same client without the request being flagged as a replay attack.

  • You mentioned jQuery, which puzzles me a bit if you are using the hash approach. That would mean you actually have your hash algorithm and signing logic on the client. That is a serious flaw, because just by inspecting the JavaScript I can now know exactly how to sign a request and send it to your server.
