Asp.net mvc ADFS 2.0 Windows 2008 R2 Web API
我想制作一个与Web API应用程序对话的MVC Web应用程序,并使用ADFS 2.0(在Windows 2008 R2上)进行身份验证 我设法使MVC Web应用程序使用ADF进行身份验证 问:但我不知道如何将我的ADF2.0(在Windows2008R2上)从MVCWeb联合到WebAPI(假设它们部署在不同的服务器上) 我找到了很多关于如何使用WCF或Windows Server 2012 R2实现这一点的文章,但没有在Windows Server 2008 R2中使用Web API和ADFS 2.0Asp.net mvc ADFS 2.0 Windows 2008 R2 Web API,asp.net-mvc,asp.net-web-api,single-sign-on,windows-server-2008-r2,adfs,Asp.net Mvc,Asp.net Web Api,Single Sign On,Windows Server 2008 R2,Adfs,我想制作一个与Web API应用程序对话的MVC Web应用程序,并使用ADFS 2.0(在Windows 2008 R2上)进行身份验证 我设法使MVC Web应用程序使用ADF进行身份验证 问:但我不知道如何将我的ADF2.0(在Windows2008R2上)从MVCWeb联合到WebAPI(假设它们部署在不同的服务器上) 我找到了很多关于如何使用WCF或Windows Server 2012 R2实现这一点的文章,但没有在Windows Server 2008 R2中使用Web API和
编辑,最后我选择了(将我接收到的相同令牌传递到前端到后端(因为再次调用ADF没有意义) 前端->调用GetToken并输入授权头(我将其编码为base64) 后端->解析并验证令牌->
public ClaimsIdentity GetIdentityFromToken(string tokenBase64)
{
if (string.IsNullOrEmpty(tokenBase64))
return null;
byte[] tokenByteArray = Convert.FromBase64String(tokenBase64);
string decodedToken = Encoding.UTF8.GetString(tokenByteArray);
if (string.IsNullOrWhiteSpace(decodedToken))
return null;
try
{
var handlers = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
SecurityToken token;
using (StringReader stringReader = new StringReader(decodedToken))
{
using (XmlTextReader xmlReader = new XmlTextReader(stringReader))
{
token = handlers.ReadToken(xmlReader);
}
}
if (token == null)
return null;
return handlers.ValidateToken(token).FirstOrDefault();
}
catch (Exception e)
{
logger.Error(new AuthenticationException("Error validating the token from ADFS", e));
return null;
}
}
我通过将从Adfs收到的承载令牌传递到web api调用的授权头中,然后在web api项目中的Owin启动期间使用Microsoft.Owin.Security.Jwt nuget包将令牌转换为httpcontext当前标识来实现这一点 本例使用jwt令牌作为承载令牌。为要使用的令牌类型选择适当的NuGet包 在mvc控制器中构造WebRequest
BootstrapContext bc = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext;
HttpWebRequest request = WebRequest.Create(ConfigurationManager.AppSettings["ApiUrl"]) as HttpWebRequest;
request.Method = "GET";
request.Headers["Authorization"] = "Bearer " + bc.Token;
在app.UseWebApi(配置)行之前的web api中的Owin Startup.cs文件中。
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { ConfigurationSettings.AppSettings["ida:Realm"] },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(
ConfigurationSettings.AppSettings["ida:ValidIssuer"],
ConfigurationSettings.AppSettings["ida:SymmetricKey"])
},
Provider = new OAuthBearerAuthenticationProvider
{
OnValidateIdentity = context =>
{
return System.Threading.Tasks.Task.FromResult<object>(null);
}
}
});
app.UseJwtBearerAuthentication(
新的JWTBeareAuthenticationOptions
{
AuthenticationMode=AuthenticationMode.Active,
AllowedAudients=new[]{ConfigurationSettings.AppSettings[“ida:Realm”]},
IssuerSecurityTokenProviders=新的IIssuerSecurityTokenProvider[]
{
新的SymmetriceIsuerSecurityTokenProvider(
ConfigurationSettings.AppSettings[“ida:ValidisUser”],
ConfigurationSettings.AppSettings[“ida:SymmetricKey”])
},
Provider=新的OAuthBeareAuthenticationProvider
{
OnValidateIdentity=上下文=>
{
返回System.Threading.Tasks.Task.FromResult(空);
}
}
});
问题在于,您无法使ADFS 2008 R2发送JWT令牌,有时bc.token为空。如果您有兴趣,请查看我使用的解决方案的编辑
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { ConfigurationSettings.AppSettings["ida:Realm"] },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(
ConfigurationSettings.AppSettings["ida:ValidIssuer"],
ConfigurationSettings.AppSettings["ida:SymmetricKey"])
},
Provider = new OAuthBearerAuthenticationProvider
{
OnValidateIdentity = context =>
{
return System.Threading.Tasks.Task.FromResult<object>(null);
}
}
});