使用本地帐户消费安全的ASP-Net5 web api

本文关键字:安全 ASP-Net5 web api | 更新日期: 2023-09-27 18:27:09

我需要使用本地帐户从Web客户端使用ASP.NET 5安全Web API。过去有一个处理程序发布承载令牌以支持OAuth,现在承载令牌发布的责任从身份中删除了。有些人建议使用identityServer3,它需要客户端注册,这与identity2方法不同。在ASP.NET 5 Web API中实现授权的最简单方法是什么?在使用资源所有者密码流时,如何避免为了获得访问令牌而传递客户端id和客户端机密?如何调用api避免传递作用域?

使用本地帐户消费安全的ASP-Net5 web api

我用身份密码哈希器构建了一个简单的承载令牌颁发器。你可以在下面看到完整的代码:

public class TokenController : Controller
{
    private readonly IBearerTokenGenerator generator;
    private readonly IClientsManager clientsManager;
    private readonly IOptions<TokenAuthOptions> options;
    public TokenController(IBearerTokenGenerator generator,
        IClientsManager clientsManager,
        IOptions<TokenAuthOptions> options)
    {
        this.generator = generator;
        this.clientsManager = clientsManager;
        this.options = options;
    }
    [HttpPost, AllowAnonymous]
    public IActionResult Post(AuthenticationViewModel req)
    {
        return clientsManager
            .Find(req.client_id, req.client_secret)
            .Map(c => c.Client)
            .Map(c => (IActionResult)new ObjectResult(new {
                access_token = generator.Generate(c),
                expires_in = options.Value.ExpirationDelay.TotalSeconds,
                token_type = "Bearer"
            }))
            .ValueOrDefault(HttpUnauthorized);
    }
}
public class BearerTokenGenerator : IBearerTokenGenerator
{
    private readonly IOptions<TokenAuthOptions> tokenOptions;
    public BearerTokenGenerator(IOptions<TokenAuthOptions> tokenOptions)
    {
        this.tokenOptions = tokenOptions;
    }
    public string Generate(Client client)
    {
        var expires = Clock.UtcNow.Add(tokenOptions.Value.ExpirationDelay);
        var handler = new JwtSecurityTokenHandler();
        var identity = new ClaimsIdentity(new GenericIdentity(client.Identifier, "TokenAuth"), new Claim[] {
            new Claim("client_id", client.Identifier)
        });
        var securityToken = handler.CreateToken(
            issuer: tokenOptions.Value.Issuer,
            audience: tokenOptions.Value.Audience,
            signingCredentials: tokenOptions.Value.SigningCredentials,
            subject: identity,
            expires: expires);
        return handler.WriteToken(securityToken);
    }
}
public class ClientsManager : IClientsManager
{
    private readonly MembershipDataContext db;
    private readonly ISecretHasher hasher;
    public ClientsManager(MembershipDataContext db,
        ISecretHasher hasher)
    {
        this.db = db;
        this.hasher = hasher;
    }
    public void Create(string name, string identifier, string secret, Company company)
    {
        var client = new Client(name, identifier, company);
        db.Clients.Add(client);
        var hash = hasher.HashSecret(secret);
        var apiClient = new ApiClient(client, hash);
        db.ApiClients.Add(apiClient);
    }
    public Option<ApiClient> Find(string identifier, string secret)
    {
        return FindByIdentifier(identifier)
            .Where(c => hasher.Verify(c.SecretHash, secret));
    }
    public void ChangeSecret(string identifier, string secret)
    {
        var client = FindByIdentifier(identifier).ValueOrDefault(() => {
            throw new ArgumentException($"could not find any client with identifier { identifier }");
        });
        var hash = hasher.HashSecret(secret);
        client.ChangeSecret(hash);
    }
    public string GenerateRandomSecret()
    {
        const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        var random = new Random();
        var generated = new string(Enumerable.Repeat(chars, 12).Select(s => s[random.Next(s.Length)]).ToArray());
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(generated));
    }
    private Option<ApiClient> FindByIdentifier(string identifier)
    {
        return db.ApiClients
            .Include(c => c.Client)
            .SingleOrDefault(c => c.Client.Identifier == identifier)
            .ToOptionByRef();
    }
}
public class SecretHasher : ISecretHasher
{
    private static Company fakeCompany = new Company("fake", "fake");
    private static Client fakeClient = new Client("fake", "fake", fakeCompany);
    private readonly IPasswordHasher<Client> hasher;
    public SecretHasher(IPasswordHasher<Client> hasher)
    {
        this.hasher = hasher;
    }
    public string HashSecret(string secret)
    {
        return hasher.HashPassword(fakeClient, secret);
    }
    public bool Verify(string hashed, string secret)
    {
        return hasher.VerifyHashedPassword(fakeClient, hashed, secret) == PasswordVerificationResult.Success;
    }
}

现在处于Startup.cs

            services.Configure<TokenAuthOptions>(options =>
        {
            options.Audience = "API";
            options.Issuer = "Web-App";
            options.SigningCredentials = new SigningCredentials(GetSigninKey(), SecurityAlgorithms.RsaSha256Signature);
            options.ExpirationDelay = TimeSpan.FromDays(365);
        });
            services.AddAuthorization(auth =>
        {
            auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
                .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme‌​)
                .RequireAuthenticatedUser()
                .Build());
        }
        app.UseJwtBearerAuthentication(options =>
        {
            options.TokenValidationParameters.IssuerSigningKey = GetSigninKey();
            options.TokenValidationParameters.ValidAudience = "API";
            options.TokenValidationParameters.ValidIssuer = "Web-App";
            options.TokenValidationParameters.ValidateSignature = true;
            options.TokenValidationParameters.ValidateLifetime = true;
            options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(0);
        });
相关文章: