Authentication between MVC and WebAPI (separate domains/applications)

Question

I'm looking for good ideas/resources/implementations for the following scenario:

An MVC website at http://mywebsite.com

A WebAPI REST service at http://myapi.com

IMPORTANT -- Please notice the separate domains/applications.

A user logs in at the website and data is fetched from the API via JSONP/CORS.

Obviously I don't want the user to authenticate on the WebAPI using basic authentication. But the API is also exposed to Android/iOS apps, so I need the basic auth.

I've thought about returning a token from the MVC site and then writing a DelegatingHandler at the WebAPI site to authenticate using that token, but I would like some input, or perhaps even better solutions.

I made a pretty diagram just for the occasion:

Solution

Although JSONP works, also consider using CORS; some examples of a WebAPI implementation are here.

Consider following a standard (at least a draft) for your token rather than creating your own. JSON Web Token (JWT) seems to be a good approach; the specification here includes the format and determines the encryption or signing approach. There are libraries to support this kind of token, such as the Thinktecture Identity Model; this article covers some of the usage of that library and of JWT. Google has a good dev guide here.

Disclaimer: only consider the above having read about some of the OAuth and JWT standardization criticisms.

If you did use an HTTP header, I am not sure you need a custom header (@Vipul); the "Authorization:" header is there for this kind of information.

If you are using a custom token, ensure it has an expiration date, consider using a nonce if you want to protect against replay attacks, and sign or encrypt using a well-known algorithm.

Agree with you that a delegating handler is a good place to put token validation. An ActionFilter is called much later than necessary in the stack, and the middle ground would be to implement System.Web.Http.AuthorizeAttribute.
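The following is an added example, not code from the answer above or from the Thinktecture library it mentions. It shows the two halves the thread describes: the MVC site issuing a signed JWT with an expiration and a `jti` nonce, and a `DelegatingHandler` on the WebAPI side that reads the `Authorization: Bearer` header, validates the signature, issuer, audience and lifetime, and rejects a `jti` it has already seen. It assumes the current `System.IdentityModel.Tokens.Jwt` / `Microsoft.IdentityModel.Tokens` NuGet packages, a shared HMAC secret read from an `API_TOKEN_SECRET` environment variable (an assumed name), and that the issuing site hands out a fresh short-lived token per request so that a one-time `jti` does not break legitimate clients; all of those are assumptions, not something the thread specifies.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

// Shared between the MVC site (issuer) and the WebAPI site (validator).
// Assumption: the HMAC secret lives in the API_TOKEN_SECRET environment variable
// and is at least 32 bytes, as HS256 requires.
public static class TokenConfig
{
    public const string Issuer = "http://mywebsite.com";
    public const string Audience = "http://myapi.com";

    public static SymmetricSecurityKey LoadKey()
    {
        var secret = Environment.GetEnvironmentVariable("API_TOKEN_SECRET");
        if (string.IsNullOrEmpty(secret))
            throw new InvalidOperationException("API_TOKEN_SECRET is not configured");
        return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
    }
}

// Issuer side (MVC site): a signed token that expires in five minutes and
// carries a random jti so the API can detect a replayed token.
public static class TokenIssuer
{
    public static string Issue(string userName)
    {
        var now = DateTime.UtcNow;
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, userName),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
        };
        var credentials = new SigningCredentials(TokenConfig.LoadKey(), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(TokenConfig.Issuer, TokenConfig.Audience, claims,
                                         notBefore: now, expires: now.AddMinutes(5),
                                         signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

// Validator side (WebAPI site): runs early in the pipeline, before any ActionFilter.
public class JwtAuthenticationHandler : DelegatingHandler
{
    private static readonly SymmetricSecurityKey SigningKey = TokenConfig.LoadKey();

    // Replay cache: jti -> token expiry. Entries can be evicted once the expiry has passed,
    // because an expired token is rejected by the lifetime check anyway.
    private static readonly ConcurrentDictionary<string, DateTime> SeenTokenIds =
        new ConcurrentDictionary<string, DateTime>();

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
                                                                 CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        if (auth == null || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(auth.Parameter))
        {
            // No bearer token: let the request continue unauthenticated so that the basic-auth
            // path used by the mobile apps, or an AuthorizeAttribute, can still decide.
            return await base.SendAsync(request, cancellationToken);
        }

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = TokenConfig.Issuer,
            ValidAudience = TokenConfig.Audience,
            IssuerSigningKey = SigningKey,
            RequireExpirationTime = true,          // a token without "exp" is rejected
            ValidateLifetime = true,               // "exp" / "nbf" are enforced
            ClockSkew = TimeSpan.FromMinutes(1),
        };

        try
        {
            SecurityToken validated;
            ClaimsPrincipal principal =
                new JwtSecurityTokenHandler().ValidateToken(auth.Parameter, parameters, out validated);
            var jwt = (JwtSecurityToken)validated;

            // Nonce check: the same jti may only be presented once before it expires.
            if (string.IsNullOrEmpty(jwt.Id) || !SeenTokenIds.TryAdd(jwt.Id, jwt.ValidTo))
                return request.CreateResponse(HttpStatusCode.Unauthorized, "token replayed or missing jti");

            request.GetRequestContext().Principal = principal;
        }
        catch (SecurityTokenException)
        {
            // Covers bad signature, wrong issuer/audience, expired or not-yet-valid token.
            return request.CreateResponse(HttpStatusCode.Unauthorized);
        }
        return await base.SendAsync(request, cancellationToken);
    }
}
```

Register the handler with `config.MessageHandlers.Add(new JwtAuthenticationHandler());` in the WebAPI configuration. Because the handler sets the request principal rather than returning 403 itself, `[Authorize]` on controllers keeps working for both the token path and the basic-auth path; the replay cache is process-local, so a load-balanced API would need a shared store for `SeenTokenIds`.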
