servicestack,Access Token" />
servicestack,access-token,.net,Oauth 2.0,.net ServiceStack中推荐的用于提供基于令牌的身份验证的实现模式是什么?
我有一组基于ServiceStack的服务,它们需要使用OAuth2相互验证。具体来说,这些服务将使用OAuth2客户端凭据流从外部身份验证服务检索引用令牌 ServiceStack与此流直接集成(也称为令牌身份验证),但我已经能够提供两种不同的实现,它们“适合”框架并与身份验证服务执行必要的身份验证握手 以下哪两种实现是推荐的,或者更确切地说,不被视为滥用ServiceStack的集成点 选项1:使用请求筛选器属性验证访问令牌.net ServiceStack中推荐的用于提供基于令牌的身份验证的实现模式是什么?,.net,oauth-2.0,
servicestack,access-token,.net,Oauth 2.0,
public class TokenAuthenticateAttribute : RequestFilterAttribute
{
public TokenAuthenticateAttribute(params string[] requiredScopes) { ... }
public override void Execute(IHttpRequest request, IHttpResponse response, object requestDto)
{
// 1. Obtain access token from request header; return 401 on syntax error.
// 2. Send token and scopes to authentication service for validation.
// 3. If invalid, return 401/403 accordingly.
}
}
public class Service
{
[TokenAuthenticate("read", "write", "admin")]
public ResponseType Post(RequestType request) { ... }
[TokenAuthenticate("read")]
public ResponseType Get(AnotherRequestType request) { ... }
}
// Requires registration in AppHost: base.PlugIns.Add(...)
public class TokenAuthProvider : AuthProvider
{
public TokenAuthProvider(params string[] requiredScopes) { ... }
public override object Authenticate(IServiceBase authService, IAuthSession session, Auth request)
{
// 1. Obtain client and secret from "request" (as username and password); return 401 accordingly
// 2. If authenticated, return access token, expiration, etc...
}
public override bool IsAuthorized(IAuthSession session, IOAuthTokens tokens, Auth request = null)
{
// 1. Obtain access token from request header (HttpContext.Current); return false syntax error.
// 2. Send token and scopes to authentication service for validation.
// 3. Return true/false (valid/invalid) accordingly.
}
}
public class Service
{
[Authenticate]
public ResponseType Post(RequestType request) { ... }
[Authenticate]
public ResponseType Get(AnotherRequestType request) { ... }
}
public class TokenAuthenticateAttribute : RequestFilterAttribute
{
public TokenAuthenticateAttribute(params string[] requiredScopes) { ... }
public override void Execute(IHttpRequest request, IHttpResponse response, object requestDto)
{
// 1. Obtain access token from request header; return 401 on syntax error.
// 2. Send token and scopes to authentication service for validation.
// 3. If invalid, return 401/403 accordingly.
}
}
public class Service
{
[TokenAuthenticate("read", "write", "admin")]
public ResponseType Post(RequestType request) { ... }
[TokenAuthenticate("read")]
public ResponseType Get(AnotherRequestType request) { ... }
}
// Requires registration in AppHost: base.PlugIns.Add(...)
public class TokenAuthProvider : AuthProvider
{
public TokenAuthProvider(params string[] requiredScopes) { ... }
public override object Authenticate(IServiceBase authService, IAuthSession session, Auth request)
{
// 1. Obtain client and secret from "request" (as username and password); return 401 accordingly
// 2. If authenticated, return access token, expiration, etc...
}
public override bool IsAuthorized(IAuthSession session, IOAuthTokens tokens, Auth request = null)
{
// 1. Obtain access token from request header (HttpContext.Current); return false syntax error.
// 2. Send token and scopes to authentication service for validation.
// 3. Return true/false (valid/invalid) accordingly.
}
}
public class Service
{
[Authenticate]
public ResponseType Post(RequestType request) { ... }
[Authenticate]
public ResponseType Get(AnotherRequestType request) { ... }
}
由于您没有使用ServiceStack的内置OAuth提供程序或后端UserAuth存储库,因此我倾向于使用选项1,因为它的移动部件最少,其中,基于令牌的身份验证本质上只是一个验证请求过滤器——这最终也是ServiceStack的幕后功能,尽管由于它与ServiceStack的AuthProvider模型集成,因此更加复杂 2之间的主要区别在于,由于ServiceStack不知道您的请求筛选器是身份验证验证器,因此您无法在元数据页面中获得身份验证密钥图标来指示哪些服务需要身份验证