blocks|key|3109827|text|有很多方法可以验证REST服务的用户。使用令牌是可能的，但只使用Basic+Authentication更简单，而且几乎是标准的和跨平台的。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|3109828|不要将authorization与authentication混淆。Authorize属性完全是关于授权的，但只有在使用其他机制对用户进行身份验证之后才能使用。如果不先做适当的身份验证，授权是完全无用的。|3109829|最好的参考资料是Dominick+Baier，他是这方面的专家。|3109830|entityMap|0|LINK|mutability|MUTABLE|url|http://en.wikipedia.org/wiki/Basic_access_authentication|1|http://en.wikipedia.org/wiki/Authorization|2|http://en.wikipedia.org/wiki/Authentication|3|http://leastprivilege.com/category/webapi/^0|W|K|0|0|3|D|1|H|E|2|0|8|E|3|0^^$0|@$1|2|3|4|5|6|7|V|8|@]|9|@$A|W|B|X|1|Y]]|C|$]]|$1|D|3|E|5|6|7|Z|8|@]|9|@$A|10|B|11|1|12]|$A|13|B|14|1|15]]|C|$]]|$1|F|3|G|5|6|7|16|8|@]|9|@$A|17|B|18|1|19]]|C|$]]|$1|H|3|-4|5|6|7|1A|8|@]|9|@]|C|$]]]|I|$J|$5|K|L|M|C|$N|O]]|P|$5|K|L|M|C|$N|Q]]|R|$5|K|L|M|C|$N|S]]|T|$5|K|L|M|C|$N|U]]]]

There are lots of ways to authenticate users for a REST service. Using tokens is possible but just using <a href="http://en.wikipedia.org/wiki/Basic_access_authentication">Basic Authentication</a> is even simpler and about as standard and cross platform as you can go.

Don't confuse <a href="http://en.wikipedia.org/wiki/Authorization">authorization</a> with <a href="http://en.wikipedia.org/wiki/Authentication">authentication</a>. The [Authorize] attribute is all about authorization but only after a user has been authenticated using some other mechanism. Authorization is completely useless without doing proper authentication first.

The best resource to check is <a href="http://leastprivilege.com/category/webapi/">Dominick Baier</a> who is an expert on the subject.

blocks|key|2895929|text|我认为令牌将是一个可靠的方法。表单身份验证基于web的cookies。不过，对于所有非浏览器客户端来说，这并不是最理想的情况。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2895930|我建议的是创建一个自定义的AuthorizationFilterAttribute并覆盖OnAuthorization方法。在该方法中，您可以检查在客户端提供有效凭据之后是否存在您向客户端发出的令牌。您可以在任何要验证的方法或控制器上使用此属性。这里有一个你可以参考的例子|2895931|+public+class+AuthorizeTokenAttribute+:+AuthorizationFilterAttribute+
{++++++
++++public+override+void+OnAuthorization(HttpActionContext+actionContext)
++++{
++++++++if+(actionContext+!=+null)
++++++++{++++++++++++++++
++++++++++++++++if+(!AuthorizeRequest(actionContext.ControllerContext.Request))
++++++++++++++++{
++++++++++++++++++++actionContext.Response+=+new+HttpResponseMessage(HttpStatusCode.Unauthorized)+{+RequestMessage+=+actionContext.ControllerContext.Request+};+
++++++++++++++++}
++++++++++++++++return;
++++++++}
++++}

++++private+bool+AuthorizeRequest(System.Net.Http.HttpRequestMessage+request)
++++{
++++++++bool+authorized+=+false;
++++++++if+(request.Headers.Contains(Constants.TOKEN_HEADER))
++++++++{+++++++++++++++
++++++++++++var+tokenValue+=+request.Headers.GetValues("TOKEN_HEADER");
++++++++++++if+(tokenValue.Count()+==+1)+{
++++++++++++++++var+value+=+tokenValue.FirstOrDefault();+++++++++++++++
+++++++++++++++//Token+validation+logic+here
+++++++++++++++//set+authorized+variable+accordingly
++++++++++++}++++++++++++++++
++++++++}
++++++++return+authorized;
++++}+}|code-block|syntax|javascript|2895932|TOKEN_HEADER只是一个字符串，表示客户端应该为经过身份验证的请求传回的HTTP头。|2895933|所以让我们走一遍|2895934|2895935|Client请求secure+data|ordered-list-item|2895936|Client未经授权，返回带有未授权状态代码的响应|2895937|+client发送凭据进行身份验证，身份验证应通过HTTPS|2895938|进行保护。客户端通过HTTP头接收令牌，或者您可以使用的任何方式。|2895939|客户端尝试再次请求安全数据，这次将令牌附加到请求|2895940|+AuthorizeTokenAttribute将验证令牌并允许执行操作。|2895941|2895942|另外，请查看这篇由John+Petersen撰写的文章。Making+your+ASP.NET+Web+API’s+secure|offset|length|2895943|entityMap|0|LINK|mutability|MUTABLE|url|http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/^0|0|0|0|0|0|0|0|0|0|0|0|0|0|S|10|0|0^^$0|@$1|2|3|4|5|6|7|1D|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|1E|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|1F|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|1G|8|@]|9|@]|A|$]]|$1|K|3|L|5|6|7|1H|8|@]|9|@]|A|$]]|$1|M|3|-4|5|6|7|1I|8|@]|9|@]|A|$]]|$1|N|3|O|5|P|7|1J|8|@]|9|@]|A|$]]|$1|Q|3|R|5|P|7|1K|8|@]|9|@]|A|$]]|$1|S|3|T|5|P|7|1L|8|@]|9|@]|A|$]]|$1|U|3|V|5|P|7|1M|8|@]|9|@]|A|$]]|$1|W|3|X|5|6|7|1N|8|@]|9|@]|A|$]]|$1|Y|3|Z|5|P|7|1O|8|@]|9|@]|A|$]]|$1|10|3|-4|5|6|7|1P|8|@]|9|@]|A|$]]|$1|11|3|12|5|6|7|1Q|8|@]|9|@$13|1R|14|1S|1|1T]]|A|$]]|$1|15|3|-4|5|6|7|1U|8|@]|9|@]|A|$]]]|16|$17|$5|18|19|1A|A|$1B|1C]]]]

I think tokens would be a solid way to go. Forms authentication is based on cookies for the web. Not the most idea situation for all non browser clients though. 

What I'd suggest is creating a custom AuthorizationFilterAttribute and overriding the OnAuthorization method. In that method, you could check for the existence of a token that you've issued to the client after they've supplied valid credentials. You can use this attribute on any method or controller you want validated. Here's a sample you might reference

<pre><code> public class AuthorizeTokenAttribute : AuthorizationFilterAttribute 
{ 
 public override void OnAuthorization(HttpActionContext actionContext)
 {
 if (actionContext != null)
 { 
 if (!AuthorizeRequest(actionContext.ControllerContext.Request))
 {
 actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = actionContext.ControllerContext.Request }; 
 }
 return;
 }
 }

 private bool AuthorizeRequest(System.Net.Http.HttpRequestMessage request)
 {
 bool authorized = false;
 if (request.Headers.Contains(Constants.TOKEN_HEADER))
 { 
 var tokenValue = request.Headers.GetValues("TOKEN_HEADER");
 if (tokenValue.Count() == 1) {
 var value = tokenValue.FirstOrDefault(); 
 //Token validation logic here
 //set authorized variable accordingly
 } 
 }
 return authorized;
 } }
</code></pre>

TOKEN_HEADER is just a string representing an HTTP header that the client should pass back for authenticated requests.

So let's walk through it

<ol>
<li>Client requests secure data</li>
<li>Client is not authorized, return a response with an Unauthorized status code</li>
<li>Client sends credentials to authenticate, which should be secured via HTTPS</li>
<li>Once validated, client receives a token via an HTTP header, or whatever works for you</li>
<li>Client tries requesting secure data again, this time attached the token to the request</li>
<li>The AuthorizeTokenAttribute will validate the token and allow the action to execute.</li>
</ol>

Also, check this post by John Petersen. <a href="http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/" rel="noreferrer">Making your ASP.NET Web API’s secure</a>

blocks|key|3109941|text|我使用一个非常简单的方法：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3109942|3109943|使用其唯一的accessId和accessKey+(例如，MD5散列GUID值)定义访问配置文件|ordered-list-item|3109944|将此类访问配置文件存储在数据库中|3109945|每个请求(GET/POST/等)必须提供accessId、queryHash+(MD5哈希值表示查询)和签名(+queryHash+%2BaccessKey的MD5哈希值)。当然，客户端需要将place!!!|3109946|server保存在安全的(authenticate)|3109947|further中，请求将检查accessKey和签名，使用相同的计算算法拒绝或授予访问配置文件授权可以根据请求类型使用访问配置文件|3109948|来完成|3109949|使用新的ASP.NET+MVC+web+API的这种方法的服务可以服务于任何类型的客户端:浏览器/javascript和本机(桌面或移动)等。|3109950|entityMap^0|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|T|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|U|8|@]|9|@]|A|$]]|$1|C|3|D|5|E|7|V|8|@]|9|@]|A|$]]|$1|F|3|G|5|E|7|W|8|@]|9|@]|A|$]]|$1|H|3|I|5|E|7|X|8|@]|9|@]|A|$]]|$1|J|3|K|5|E|7|Y|8|@]|9|@]|A|$]]|$1|L|3|M|5|E|7|Z|8|@]|9|@]|A|$]]|$1|N|3|O|5|6|7|10|8|@]|9|@]|A|$]]|$1|P|3|Q|5|6|7|11|8|@]|9|@]|A|$]]|$1|R|3|-4|5|6|7|12|8|@]|9|@]|A|$]]]|S|$]]

I use a very simple approach: 

<ol>
<li>define an access profile with its unique accessId and accessKey (e.g. MD5 hashed GUID value)</li>
<li>store such access profile in database</li>
<li>every request (GET/POST/etc.) must supply accessId, queryHash (MD5 hash value represents the query) and signature (MD5 hash value of queryHash + accessKey). Of course the client needs keep the accessKey in a secure place!!!</li>
<li>server gets the request will check the accessId and the signature using the same calculation algorithm to reject or grant the access (authenticate)</li>
<li>further authorization can be done on request type basis utilizing the access profile </li>
</ol>

the service with this approach using the new ASP.NET MVC web API can serve whatever type of client: browser/javascript and native(desktop or mobile) etc.

blocks|key|2896027|text|您可以使用ActionFilterAttribute并覆盖OnActionExecuting方法。稍后，在global.cs中注册此筛选器，以便将此筛选器应用于应用程序启动方法中的所有操作|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2896028|var配置=+GlobalConfiguration.Configuration；config.Filters.Add(新CustomAuthAttribute+())；|2896029|{命名空间自定义{公共类CustomAuthAttribute+:+ActionFilterAttribute|2896030|{

++++public+override+void+OnActionExecuting(HttpActionContext+actionContext)
++++{
++++++++//+To+inforce+HTTPS+if+desired+,+else+comment+out+the+code
++++++++if+(!String.Equals(actionContext.Request.RequestUri.Scheme,+"https",+StringComparison.OrdinalIgnoreCase))
++++++++{
++++++++++++actionContext.Response+=+new+HttpResponseMessage(System.Net.HttpStatusCode.BadRequest)
++++++++++++{
++++++++++++++++Content+=+new+StringContent("HTTPS+Required")
++++++++++++};
++++++++++++return;
++++++++}

+++++++//+get+toekn+from+the+header

++++++++var+userToken+=+actionContext.Request.Headers.GetValues("UserToken");
+++++++++//+Customer+Logic+to+check+the+validity+of+the+token.
++++++++//+U+can+have+some+DB+logic+to+check+,+custom+STS+behind+or+some+loca+cache+used+to+compare+the+values


++++}


}|code-block|syntax|javascript|2896031|}}|2896032|entityMap^0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|O|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|P|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|Q|8|@]|9|@]|A|$]]|$1|F|3|G|5|H|7|R|8|@]|9|@]|A|$I|J]]|$1|K|3|L|5|6|7|S|8|@]|9|@]|A|$]]|$1|M|3|-4|5|6|7|T|8|@]|9|@]|A|$]]]|N|$]]

U can use ActionFilterAttribute and override the OnActionExecuting method.
Later on register this filter in global.cs to apply this filter for all the actions like this in Application Start method

var config = GlobalConfiguration.Configuration;
 config.Filters.Add(new CustomAuthAttribute ());

{
namespace Customss
{
Public class CustomAuthAttribute : ActionFilterAttribute

<pre><code>{

 public override void OnActionExecuting(HttpActionContext actionContext)
 {
 // To inforce HTTPS if desired , else comment out the code
 if (!String.Equals(actionContext.Request.RequestUri.Scheme, "https", StringComparison.OrdinalIgnoreCase))
 {
 actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest)
 {
 Content = new StringContent("HTTPS Required")
 };
 return;
 }

 // get toekn from the header

 var userToken = actionContext.Request.Headers.GetValues("UserToken");
 // Customer Logic to check the validity of the token.
 // U can have some DB logic to check , custom STS behind or some loca cache used to compare the values


 }


}
</code></pre>

}
}

How do I even begin coding authentication using ASP.NET Web API so it is cross-platform to support desktop, mobile and web? I'd read of some methods of doing RESTful authentication, such as using tokens in the header.

Are there any example projects out there that utilizes this method? 

Questions:

<ol>
<li>If not how do I fix the <code>[Authorize]</code> attribute to read the token? </li>
<li>How do I generate this token? I dont think i can use formsauthentication because that uses cookies.</li>
<li>How do I handle the actual authorization, do the client send raw password and username then I generate the token or is there some other way?</li>
<li>How do I handle when my website is using it? I heard this is handled differently than when an app is using it, such as getting the domain and authorizing it.</li>
</ol>

Cross platform authentication using ASP.NET Web API

文件存储

身份验证

数据库

我如何开始使用ASP.NET Web API编写身份验证代码，以便跨平台支持桌面、移动和web？我读过一些进行RESTful身份验证的方法，比如在头中使用令牌。有没有使用这种方法的示例项目？问题：如果没有，如何修复[Authorize]属性以读取令牌？如何生成此令牌？我不认为我可以使用表单身份验证，因为它使用cooki...

问使用ASP.NET Web API的跨平台身份验证
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问使用ASP.NET Web API的跨平台身份验证EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问使用ASP.NET Web API的跨平台身份验证
EN