本文介绍了如何开始使用OAuth的保护Web API应用程序?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个Web API应用,我已经理解的OAuth将是API的标准安全模型,其中认证服务器将成为负责生成授权令牌,以便用户可以发送到我们​​的服务器和消费服务。

I have a Web API application and I've understood OAuth would be the standard security model for APIs where an Authentication Server would become responsible to generate Authorization Tokens so that the user can send to our server and consume the services.

我很新的这一点,但我了解所涉及的角色:

I'm very new to this but I understand the roles involved:


  • 资源所有者

  • 客户端

  • 资源服务器

  • 授权服务器

但什么是OAuth的正是在实践中,而不是在理论?它是一个.NET库?它是由一个独立的公司提供的服务?有什么事情我可以在我的本地开发机器上配置,看看它是如何工作的?

But what is OAuth exactly in practice, not in theory? Is it a .NET library? Is it a service provided by a separate Company? Is it something I can configure on my local development machine and see how it works?

如何开始使用OAuth的保护Web API应用程序?

How to get started with OAuth to secure a Web API application?

推荐答案

OAuth是一个协议;目前的版本是。更多你的问题,该链接列出了各种技术协议的多种实现。使用.NET的Web API使用你在可能感兴趣它同时提供的OAuth 1和OAuth 2的实现。

OAuth is a protocol; the current version is OAuth 2.0. More to your question, that link lists several implementations of the protocol in various technologies. For use with the .NET Web API you're probably interested in DotNetOpenAuth which provides implementations of both OAuth 1 and OAuth 2.

我在一个应用程序中使用DotNetOpenAuth我现在正在争取到.NET的Web API。我有一个 OAuth2Handler 延伸<$c$c>DelegatingHandler之前传入请求到达任何控制器被插入到所述网页API管道。 OAuth2Handler 执行以下操作:

I'm using DotNetOpenAuth in an app I'm working on now to secure a .NET Web API. I've got an OAuth2Handler which extends DelegatingHandler which is inserted into the Web API pipeline before incoming requests reach any controllers. OAuth2Handler does the following:


  1. 实例化一个DotNetOpenAuth ResourceServer

  2. 呼叫 ResourceServer.GetPrincipal()其内容和解密的访问
    令牌(在其它地方发布的 AuthorizationServer 并返回
    OAuthPrincipal (在我来说,我读更多的数据,该DotNetOpenAuth实现允许你通过,并创建一个<$c$c>ClaimsPrincipal.)

  3. 指定包含从访问令牌的线程和当前的HTTP上下文的用户属性读取用户信息,因此,可以从<α的IPrincipal href=\"http://msdn.microsoft.com/en-us/library/system.web.http.apicontroller.user%28v=vs.108%29.aspx\"><$c$c>ApiController.User物业在服务控制器: HttpContext.User中= = Thread.CurrentPrincipal中校长;

  1. Instantiates a DotNetOpenAuth ResourceServer
  2. Calls ResourceServer.GetPrincipal() which reads and decrypts an accesstoken (issued elsewhere by the AuthorizationServer and returns anOAuthPrincipal (In my case I'm reading additional data that the DotNetOpenAuth implementation allows you to pass and creating a ClaimsPrincipal.)
  3. Assigning the IPrincipal containing the user information read from the access token to the User property of the thread and current HTTP context so it is available from the ApiController.User property in the service controllers: httpContext.User = Thread.CurrentPrincipal = principal;

老实说,这让所有的工作(例如设置授权服务器,资源服务器,证书等)是不平凡的。不幸的是,似乎没有要对DotNetOpenAuth网站一个很好的指导。下面是一些其他的任务,你必须在你前面,如果你走这条路线:

Honestly, getting this all working (e.g. setting up the authorization server, resource server, certificates, etc.) isn't trivial. Unfortunately there didn't seem to be a good guide on the DotNetOpenAuth site. Here's a few other tasks you'll have ahead of you if you go this route:


  • 实施 IAuthorizationServer - 这是所提供的接口
    DotNetOpenAuth,使您可以插入到图书馆和使用
    实施发行的OAuth2访问令牌。您还需要实施 INonceStore ICryptoKeyStore 我没有使用的存储环境的EntityFramework

  • 配置证书 - 在 AuthorizationServer ResourceServer 每次使用证书来加密/解密访问令牌确保他们只是互相访问。我建这样我就可以在管理这个配置一些展示其中的一些步骤。 This SO回答给出图像的客户端的一些更高层的信息。

    I hope that helps give you a high level idea of how to get started with OAuth and .NET Web API. Here's a blog post demonstrating some of these steps. This SO answer gives a few more high level details of the client side of the picture.

    (该DotNetOpenAuth在线文档似乎倒现在......没有任何链接,对不起他们,显然它有happened 之前)。

    (The DotNetOpenAuth online docs appear to be down right now... sorry for no links to them; Apparently it has happened before).

    这篇关于如何开始使用OAuth的保护Web API应用程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-05 09:55