How do I Integrate OpenID into MVC4 Web API


Question

I am writing a Web API using MVC4 that should be consumed by multiple client types. I want to use OpenID to authenticate.

I have already downloaded the DotNetOpenAuth NuGet package, but so far all of the examples are for a client app, rather than an API.

My problem is simple. I want to have clients send an authentication request to my API. The API authenticates with an OpenID provider. The API then sets whatever it needs to in order to use the [Authorize] tags throughout the Web API calls.

I understand that in .NET applications FormsAuthentication.SetCookie could be called, but is this also an easy-to-implement solution for other languages?

The question in a nutshell: how do I integrate OpenID into an MVC4 Web API in a way that allows the use of the Authorize tag, and that can be called and consumed from multiple languages?

Answer

You may be confusing the roles of authentication and authorization. It sounds like your Web API needs both.

Let's start with authorization. Every API (that is, a web URL that is accessed by a client app other than a browser) either permits anonymous access or must be authorized (i.e. authorization). Authorization is OAuth's domain. OAuth (v2, presumably) describes how a client authorizes a call to your WebAPI.

Presumably, as part of the authorization process, a user logs into your service. This step of logging in the user is authentication. And it is orthogonal to authorization. Whether you authenticate the user via OpenID, username/password, X.509 cert, etc., should be irrelevant to how your WebAPI calls are authorized. In other words, your WebAPI methods shouldn't care how the user authenticated (read: no OpenID ties whatsoever). What they'll have is an authorization filter applied to them that verifies the authorization on an incoming request and translates it into a few pieces of information, including the username of the account that authorized the access, the level of access, the id of the authorized client, etc.

So, one step at a time, the whole scenario might go something like this:

  1. A user operating a 3rd party client app (let's assume for simplicity that this client app is a 3rd party web application) wants to use functionality that requires the client to access your WebAPI in the user's name.
  2. The client needs to obtain authorization for limited impersonation of the user as the client makes calls to your WebAPI. They start with an OAuth 2 redirect to the authorization endpoint at your service. If this is implemented using DotNetOpenAuth, this could use the WebServerClient class.
  3. Your authorization endpoint fills the role of an OAuth 2 Authorization Server and, as such, uses DotNetOpenAuth's AuthorizationServer class (http://docs.dotnetopenauth.net/v4.1/html/T_DotNetOpenAuth_OAuth2_AuthorizationServer.htm). The first thing it does is check to see if there is an ASP.NET forms authentication cookie included in the request. This cookie is a natural indication as to whether the user has already logged into your service on their browser and, if so, who that user is. Checking for this cookie is a simple call to Controller.User (http://msdn.microsoft.com/en-us/library/system.web.mvc.controller.user.aspx). Note that your authorization endpoint is MVC rather than WebAPI because its response is to the browser/user, not the client app. Let's assume there is no such cookie and Controller.User is null (or User.Identity.IsAuthenticated is false). Refer to the OAuthAuthorizationServer sample for how to implement this endpoint.
  4. Your authorization endpoint responds with a redirect to the user login page, including a redirectUrl parameter in the query string that retains the full incoming OAuth 2 authorization request URL.
  5. Your user login page is an MVC endpoint that acts as an OpenID Relying Party. This endpoint uses DotNetOpenAuth's OpenIdRelyingParty class (http://docs.dotnetopenauth.net/v4.1/html/T_DotNetOpenAuth_OpenId_RelyingParty_OpenIdRelyingParty.htm). Note that this endpoint knows nothing of OAuth 2 or authorization stuff. It merely authenticates the user. After authenticating the user, it redirects back to the URL in the redirectUrl argument. Refer to the OpenIdRelyingPartyMvc sample for how to do this.
  6. The authorization endpoint repeats its prior step, except this time there is a FormsAuthentication cookie, so it proceeds to display a page to the user asking if they want to authorize the client to access the user's data. The user clicks yes. (Beware: implement XSRF and clickjacking mitigations on this user authorization page.)
  7. The authorization endpoint processes the user's affirmative response and calls AuthorizationServer to create the authorization record and return the response to the client. One of the results of this call is the formulation of a redirect response to the client that gives it an authorization code.
  8. The browser is now pulling a URL of the client app that passes it the authorization code. The client then uses the WebServerClient class to exchange the authorization code for an access token (and usually a refresh token as well).
  9. The client app now makes calls to your WebAPI URLs directly, including the access token it obtained via OAuth 2 in the HTTP Authorization header.
  10. Your WebAPI fills the role of the OAuth 2 Resource Server, and the authorize filter attribute you apply to your WebAPI methods to validate the incoming OAuth 2 access token uses the DotNetOpenAuth ResourceServer class (http://docs.dotnetopenauth.net/v4.1/html/T_DotNetOpenAuth_OAuth2_ResourceServer.htm) to do its work. You can refer to the OAuthResourceServer sample or, even better, David Christiansen's WebAPI sample for how to do this.

That's the whole story. And yes, the client role is easy to write regardless of the language or library they happen to be using.

BTW, the DotNetOpenAuth samples I refer to are not distributed via NuGet. You get the samples from SourceForge.
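The ten steps above, played through end to end, as an added example that is not part of the original answer and is not DotNetOpenAuth code. It is a language-neutral model in Python of the same sequence: the authorization endpoint parking the request in redirectUrl when no login cookie is present, issuing a single-use code after login and consent, the back-channel code-for-token exchange, and the authorize filter on the Web API turning the bearer token into a principal. The class and function names (AuthorizationServer, authorize_filter, run_flow), the HMAC-signed token format and the one key shared by both servers are assumptions made for illustration (DotNetOpenAuth uses its own signed-and-encrypted token format); the client registration and URLs are constructed sample data so the code runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: one HMAC key shared by the authorization server and the resource
# server (DotNetOpenAuth signs with the AS key and encrypts to the RS key instead).
SIGNING_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Steps 3, 4, 6, 7: login check, consent, code issue and code exchange (hypothetical)."""

    def __init__(self, key: bytes, clients: dict):
        self.key = key
        self.clients = clients  # client_id -> {"secret", "redirect_uri"}
        self.codes = {}         # code -> (client_id, username, scope)

    def authorize(self, request_url: str, logged_in_user) -> str:
        q = _query(request_url)
        client = self.clients.get(q.get("client_id"))
        # Validate the client before redirecting anywhere: never bounce the
        # browser to a redirect_uri other than the registered one.
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        if logged_in_user is None:
            # Step 4: no forms-auth cookie, so park the full authorization
            # request in redirectUrl and send the browser to the login page.
            return "/login?" + urlencode({"redirectUrl": request_url})
        # Step 7 (user clicked yes): single-use code bound to client and user.
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], logged_in_user, q.get("scope", ""))
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str, ttl: int = 3600) -> dict:
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)  # pop: a code is redeemable exactly once
        if entry is None or entry[0] != client_id or redirect_uri != client["redirect_uri"]:
            raise PermissionError("invalid code")
        claims = {"sub": entry[1], "client_id": client_id, "scope": entry[2], "exp": int(time.time()) + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return {"access_token": body + "." + sig, "token_type": "Bearer", "expires_in": ttl}


def authorize_filter(key: bytes, headers: dict, required_scope: str) -> dict:
    """Step 10: what the Web API's authorize filter does on every request (hypothetical)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or "." not in token:
        raise PermissionError("missing bearer token")
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad token signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] < time.time():
        raise PermissionError("token expired")
    if required_scope not in claims["scope"].split():
        raise PermissionError("insufficient scope")
    # All the API action needs: who, through which client, with what access.
    return {"username": claims["sub"], "client_id": claims["client_id"], "scope": claims["scope"]}


def run_flow():
    """Drives the numbered steps once; returns (principal seen by the API, replay refused?)."""
    clients = {"thirdparty": {"secret": "s3cret", "redirect_uri": "https://client.example/cb"}}  # constructed
    auth_server = AuthorizationServer(SIGNING_KEY, clients)
    state = secrets.token_urlsafe(8)
    # Step 2: the client redirects the browser to the authorization endpoint.
    req = "https://api.example/oauth/authorize?" + urlencode({
        "response_type": "code", "client_id": "thirdparty",
        "redirect_uri": "https://client.example/cb", "scope": "profile", "state": state})
    # Steps 3-4: not logged in, so the browser is sent to log in with the request preserved.
    assert _query(auth_server.authorize(req, None))["redirectUrl"] == req
    # Steps 5-7: OpenID login done and consent given; the code comes back to the client.
    callback = _query(auth_server.authorize(req, "alice"))
    assert callback["state"] == state  # the client must verify state on its callback
    # Step 8: back-channel exchange of the code for a bearer token.
    tok = auth_server.token("thirdparty", "s3cret", callback["code"], "https://client.example/cb")
    # Steps 9-10: the client calls the API; the filter validates the token.
    principal = authorize_filter(SIGNING_KEY, {"Authorization": "Bearer " + tok["access_token"]}, "profile")
    try:
        auth_server.token("thirdparty", "s3cret", callback["code"], "https://client.example/cb")
        replay_refused = False
    except PermissionError:
        replay_refused = True
    return principal, replay_refused
```

Calling run_flow() returns the principal the API action sees ({'username': 'alice', 'client_id': 'thirdparty', 'scope': 'profile'}) together with True, because the second attempt to redeem the same authorization code is refused. Two checks are deliberately done before any redirect happens: the client_id must be registered and the redirect_uri must match the registered one, so the authorization endpoint can never be used as an open redirector; and the client's own callback must compare the returned state with the one it sent, which is the XSRF protection on the client side that complements the one the answer asks for on the consent page.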
