ASP.NET Web API: OWIN authentication server for multiple applications

Tags: asp.net-web-api, oauth, asp.net-mvc-5, owin

I am implementing a solution that has an MVC client (let's call this the client, at localhost:4077/) and a WebAPI service (the API, at localhost:4078/).

I have implemented OWIN OAuth in the API, but I am wondering whether it is possible to implement OWIN in a separate solution (let's call it AUTH, at localhost:4079/token) to generate tokens for the client, which the client then passes to the API (as a bearer authorization token).

The reason I am questioning this is that the client may access other WebAPI services, and I would like to use OWIN between the client and all of the API services.

The problem is that I am not sure whether the token generated by the AUTH service can be used to authorize all requests from the client across all of the API services.

Has anyone implemented something similar? If so, could you give an example? I am very new to OWIN and OAuth, so any help you can provide is greatly appreciated.

Separating the authorization server from the resource server is quite easy: if you use IIS and configure the same machine key on both applications/servers, it even works without any extra code.

Supporting multiple resource servers is a bit harder with the OWIN OAuth2 server implementation if you need to select which endpoints an access token can access. If you don't care about that, simply configure all your resource servers with the same machine key and you'll be able to use the same token for all your APIs.

To have more control over the endpoints that can be used with an access token, you should take a look at AspNet.Security.OpenIdConnect.Server, a fork of the OAuth2 server that ships with OWIN/Katana, which natively supports this scenario:

It's relatively easy to set up:

In your authorization server application, add a new middleware to issue tokens (in Startup.cs):

app.UseOpenIdConnectServer(new OpenIdConnectServerOptions
{
    Provider = new AuthorizationProvider()
});

In your different API servers, add a new middleware that validates access tokens (in Startup.cs):

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
    // AllowedAudiences MUST contain the absolute URL of your API.
    AllowedAudiences = new[] { "http://localhost:11111/" },

    // X509CertificateSecurityTokenProvider MUST be initialized with an issuer corresponding to the absolute URL of the authorization server.
    IssuerSecurityTokenProviders = new[] { new X509CertificateSecurityTokenProvider("http://localhost:50000/", certificate) }
});

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
    // AllowedAudiences MUST contain the absolute URL of your API.
    AllowedAudiences = new[] { "http://localhost:22222/" },

    // X509CertificateSecurityTokenProvider MUST be initialized with an issuer corresponding to the absolute URL of the authorization server.
    IssuerSecurityTokenProviders = new[] { new X509CertificateSecurityTokenProvider("http://localhost:50000/", certificate) }
});

Finally, add a new OpenID Connect client middleware in your client application (in Startup.cs):

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    // Some essential parameters have been omitted for brevity.
    // See https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Mvc/Mvc.Client/Startup.cs for more information

    // Authority MUST correspond to the absolute URL of the authorization server.
    Authority = "http://localhost:50000/",

    // Resource represents the different endpoints the
    // access token should be issued for (values must be space-delimited).
    // In this case, the access token will be requested for both APIs.
    Resource = "http://localhost:11111/ http://localhost:22222/",
});

You can take a look at this sample for more information:

It doesn't use multiple resource servers, but it shouldn't be hard to adapt it using the different steps I mentioned. Feel free to ping me if you need help.
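The audience scoping the answer relies on, as an added stand-alone simulation (not code from the answer or from AspNet.Security.OpenIdConnect.Server): the client's space-delimited Resource value becomes the token's aud claim, and each API accepts only tokens that name its own URL, so a token requested for API 1 alone is rejected by API 2. It assumes an HMAC signing key in place of the answer's X.509 certificate, and reuses the constructed localhost URLs from the answer.

```python
import base64
import hashlib
import hmac
import json

# Constructed values mirroring the answer's layout: one authorization server
# and two APIs. The real setup signs with an X.509 certificate; this
# stand-alone simulation uses an HMAC key instead (an assumption for brevity).
AUTHORITY = "http://localhost:50000/"
API_1 = "http://localhost:11111/"
API_2 = "http://localhost:22222/"
SIGNING_KEY = b"constructed-demo-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_token(resource: str) -> str:
    """Authorization server side: the client's space-delimited Resource
    parameter becomes the 'aud' claim; 'iss' is the authorization server URL."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": AUTHORITY, "aud": resource.split(), "sub": "alice"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, allowed_audiences: list, issuer: str) -> bool:
    """Resource server side: what each API's JwtBearer middleware enforces,
    i.e. signature, issuer and audience. Returns True only if all three pass."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig_b64):
        return False
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if payload.get("iss") != issuer:
        return False
    # Accept the token only if at least one audience names this API.
    aud = payload.get("aud", [])
    return any(a in allowed_audiences for a in aud)
```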

Have you seen this?

Thanks, I tried this and it works great. I also came across a set of articles by Taiseer Joudah, followed the part 1 article (I skipped the Angular steps that weren't relevant to me) and managed to get a setup with one authentication service and two WebAPI projects, which access a secured controller via the bearer authentication header!

Out of curiosity, would you prefer the solution I suggested or Taiseer Joudah's approach, i.e. using the OAuth2 authorization server built into Katana with a few tweaks?

Ah man, you've put me in a tough spot! I like both approaches, but if I'm honest, Taiseer Joudah's approach is easier to implement, requiring only two lines of code to be added for each additional WebAPI service.

If you see parts that could be simplified, don't hesitate to ping me ;) I realized my answer wasn't clear enough: I updated it to mention that using the same access token for all APIs can be achieved with the machine key. If you want to select which endpoints your access token will be able to access (i.e. the access token can be used to call "API 1" but not "API 2"... or both, if you prefer), the rest of my answer still applies. Taiseer Joudah's approach only supports the first case.