How to get started with OAuth to secure a Web API application?


Question


I have a Web API application and I've understood OAuth would be the standard security model for APIs where an Authentication Server would become responsible to generate Authorization Tokens so that the user can send to our server and consume the services.


I'm very new to this but I understand the roles involved:

  • Resource Owner
  • Client
  • Resource Server
  • Authorization Server


But what is OAuth exactly in practice, not in theory? Is it a .NET library? Is it a service provided by a separate Company? Is it something I can configure on my local development machine and see how it works?


How to get started with OAuth to secure a Web API application?

Answer


OAuth is a protocol; the current version is OAuth 2.0. More to your question, that link lists several implementations of the protocol in various technologies. For use with the .NET Web API you're probably interested in DotNetOpenAuth which provides implementations of both OAuth 1 and OAuth 2.


I'm using DotNetOpenAuth in an app I'm working on now to secure a .NET Web API. I've got an OAuth2Handler which extends DelegatingHandler which is inserted into the Web API pipeline before incoming requests reach any controllers. OAuth2Handler does the following:


  1. Instantiates a DotNetOpenAuth ResourceServer.
  2. Calls ResourceServer.GetPrincipal(), which reads and decrypts an access token (issued elsewhere by the AuthorizationServer) and returns an OAuthPrincipal. (In my case I'm reading additional data that the DotNetOpenAuth implementation allows you to pass and creating a ClaimsPrincipal.)
  3. Assigns the IPrincipal containing the user information read from the access token to the User property of the thread and the current HTTP context, so it is available from the ApiController.User property in the service controllers: httpContext.User = Thread.CurrentPrincipal = principal;


Honestly, getting this all working (e.g. setting up the authorization server, resource server, certificates, etc.) isn't trivial. Unfortunately there didn't seem to be a good guide on the DotNetOpenAuth site. Here's a few other tasks you'll have ahead of you if you go this route:

  • Implement IAuthorizationServer - This is the interface provided by DotNetOpenAuth that allows you to plug in to the library and use their implementation to issue OAuth2 access tokens. You'll also need to implement INonceStore and ICryptoKeyStore which I did using an EntityFramework context for storage.
  • Configure Certificates - The AuthorizationServer and ResourceServer each use certificates to encrypt/decrypt the access token ensuring they are only accessible to each other. I built some custom configuration so I could manage this configuration in the web.config files of my authorization server app and my Web API services (resource server).
  • Manage Refresh Token - When first requesting an access token from the authorization server you'll get back (depending on your configuration) both an OAuth2 refresh token and an access token. The services use the access token which should be short-lived. The refresh token is used to get more access tokens. The refresh token should be kept secret (whatever that means in your scenario). For me it means the refresh token is never exposed to client-side javascript in my web app.


I hope that helps give you a high level idea of how to get started with OAuth and .NET Web API. Here's a blog post demonstrating some of these steps. This SO answer gives a few more high level details of the client side of the picture.


(The DotNetOpenAuth online docs appear to be down right now... sorry for no links to them; Apparently it has happened before).
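Added example (my own sketch, not code from the answer or from DotNetOpenAuth): one shape the OAuth2Handler described above can take, validating the bearer token before any controller runs and rejecting the request with a 401 when validation fails. ResourceServer and GetPrincipal() are named in the answer; StandardAccessTokenAnalyzer, the RSA key parameters and the ProtocolException thrown for a missing or invalid token are my assumptions about the DotNetOpenAuth API and should be checked against the version in use.

```csharp
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using DotNetOpenAuth.Messaging;   // ProtocolException (assumed)
using DotNetOpenAuth.OAuth2;      // ResourceServer, StandardAccessTokenAnalyzer (assumed)

// Message handler inserted into the Web API pipeline ahead of the controllers.
public class OAuth2Handler : DelegatingHandler
{
    private readonly ResourceServer resourceServer;

    // signingKey: the authorization server's public signing key, used to verify the token.
    // encryptionKey: this resource server's private key, used to decrypt the token.
    // Only these two parties can produce/read a valid token, as the answer describes.
    public OAuth2Handler(RSACryptoServiceProvider signingKey, RSACryptoServiceProvider encryptionKey)
    {
        this.resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(signingKey, encryptionKey));
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IPrincipal principal;
        try
        {
            // Reads the Authorization header, verifies the signature, decrypts the token
            // and checks expiry; the result is the principal for this request.
            principal = this.resourceServer.GetPrincipal(request);
        }
        catch (ProtocolException)
        {
            // Missing, expired or tampered token: answer 401 with a Bearer challenge and
            // never let the request reach a controller.
            var unauthorized = request.CreateResponse(HttpStatusCode.Unauthorized);
            unauthorized.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            return unauthorized;
        }

        // Make the principal visible to ApiController.User (HttpContext.User) and to
        // Thread.CurrentPrincipal, which is what the answer's step 3 does.
        Thread.CurrentPrincipal = principal;
        if (HttpContext.Current != null) HttpContext.Current.User = principal;

        return await base.SendAsync(request, cancellationToken);
    }
}
```

Register it with `GlobalConfiguration.Configuration.MessageHandlers.Add(new OAuth2Handler(signingKey, encryptionKey))` at startup, loading the two keys from the certificates the answer mentions configuring.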
