Authenticating ASP.NET Web API


Problem description

I've created a new ASP.NET Web API and things are working well. I'm at the point now where I want to secure the API.

I put the [Authorize] attribute above my base controller and it's working properly if I want to make API calls within the ASP.NET application itself.

However, I'm wondering: what's the best practice for an external client that wants to make API calls and get past the authorization? Also, keep in mind that I have custom authentication logic.

How should the client send over credentials? At what point do I process these credentials?

Recommended answer

How should the client send over credentials?

The default location to send authentication info is the Authorization header. You can use this for basic authentication, but also for other types of authentication (JWT, Bearer, etc.).

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

To add, for example, a basic authentication header to your request, you could use the following code on your client:

// Requires: using System; using System.Net; using System.Text;
// Basic credentials are only base64-encoded, not encrypted, so the URL must be https.
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://yoururl");
request.Headers.Add(HttpRequestHeader.Authorization, "Basic " + Convert.ToBase64String(Encoding.ASCII.GetBytes("user:password")));

At what point do I process these credentials?

I would write a DelegatingHandler and use it to resolve your 'principal'. You can then set it as the HttpContext.CurrentPrincipal to have it available wherever you need it within the scope of the request. The DelegatingHandler is called before your controllers, as you can see in the image below, which makes it ideal for authentication logic.

I would do the same on the client (write a DelegatingHandler or ActionFilterAttribute) to add the authentication header in the default location. Note that DelegatingHandlers are part of the HTTP pipeline and ActionFilterAttributes belong to the MVC pipeline.

Last but not least, I would recommend not writing your own custom authentication logic but sticking with one of the default frameworks. This can be as easy as using basic authentication over HTTPS and as complicated as implementing OAuth. But I would stay away from do-it-yourself solutions.

I'd also like to invite you to have a look at this answer I gave to a similar question.

Note: ASP.NET Web API is REST based, so IMHO you don't want to keep session information at all.

Edit: for an example of how to implement a DelegatingHandler that handles basic authentication, see: basic http authentication in asp.net web api using message handlers (http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-message-handlers/).
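As an added example that is not part of the original answer, here is what the server-side DelegatingHandler described above can look like for Basic authentication under ASP.NET Web API (System.Web.Http, .NET Framework). It parses the Authorization header, resolves a GenericPrincipal, sets it on the thread and on HttpContext so that [Authorize] on the controllers sees it, and sends a WWW-Authenticate challenge on 401. The class names, the realm string, the sample user, and the PasswordStore class (a stand-in for the asker's "custom authentication logic") are assumptions. Two practitioner checks are built in: credentials are refused over plain HTTP, since Basic only base64-encodes them, and the password hash comparison is constant-time.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

// Server side: a message handler in the Web API HTTP pipeline, so it runs before
// any controller and before the [Authorize] filter inspects the principal.
public class BasicAuthenticationHandler : DelegatingHandler
{
    private static readonly AuthenticationHeaderValue Challenge =
        new AuthenticationHeaderValue("Basic", "realm=\"api\""); // realm name is an assumption
    private readonly Func<string, string, bool> _validate;     // (user, password) -> ok

    public BasicAuthenticationHandler(Func<string, string, bool> validate) { _validate = validate; }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Basic credentials are only base64-encoded, so refuse to process them over plain HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return request.CreateResponse(HttpStatusCode.Forbidden, "HTTPS required");

        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth != null)
        {
            string user, password;
            if (!string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)
                || !TryParseBasicCredentials(auth.Parameter, out user, out password)
                || !_validate(user, password))
            {
                // Credentials were supplied but are wrong: fail closed, do not fall through as anonymous.
                HttpResponseMessage denied = request.CreateResponse(HttpStatusCode.Unauthorized);
                denied.Headers.WwwAuthenticate.Add(Challenge);
                return denied;
            }
            var principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
            Thread.CurrentPrincipal = principal;                                   // what [Authorize] reads
            if (HttpContext.Current != null) HttpContext.Current.User = principal; // when hosted in IIS
        }

        // No header: continue anonymously; [Authorize] on the controller returns 401 if it must.
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(Challenge); // tell the client which scheme to use
        return response;
    }

    // RFC 7617: base64("user-id:password"); the user-id itself may not contain ':'.
    private static bool TryParseBasicCredentials(string parameter, out string user, out string password)
    {
        user = password = null;
        if (string.IsNullOrEmpty(parameter)) return false;
        byte[] raw;
        try { raw = Convert.FromBase64String(parameter); } catch (FormatException) { return false; }
        string decoded = Encoding.UTF8.GetString(raw);
        int sep = decoded.IndexOf(':');
        if (sep <= 0) return false;
        user = decoded.Substring(0, sep);
        password = decoded.Substring(sep + 1);
        return true;
    }
}

// Hypothetical credential store standing in for the real user database: salted PBKDF2
// (HMAC-SHA1 in this .NET Framework overload), compared in constant time so a wrong
// guess leaks no timing information about how many bytes matched.
public static class PasswordStore
{
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Users =
        new Dictionary<string, Tuple<byte[], byte[]>>(); // user -> (salt, hash)

    public static void Add(string user, string password)
    {
        byte[] salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Users[user] = Tuple.Create(salt, Hash(password, salt));
    }

    public static bool Validate(string user, string password)
    {
        Tuple<byte[], byte[]> entry;
        if (!Users.TryGetValue(user, out entry)) return false;
        byte[] candidate = Hash(password, entry.Item1);
        int diff = 0;
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ entry.Item2[i];
        return diff == 0;
    }

    private static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32);
    }
}

// Registration in App_Start/WebApiConfig.cs, inside Register(HttpConfiguration config):
//   PasswordStore.Add("alice", "correct horse battery staple");   // sample user, an assumption
//   config.MessageHandlers.Add(new BasicAuthenticationHandler(PasswordStore.Validate));
```

The handler deliberately does not short-circuit anonymous requests: deciding whether a route needs authentication stays with [Authorize] on the controller, which is the split between authentication (who is calling) and authorization (whether they may) that the answer relies on. If you use Web API 2, you can additionally set request.GetRequestContext().Principal so that self-hosted deployments without HttpContext see the same principal.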
