Having authentication in both MVC and Web Api

Keywords: authentication Api Web MVC | Updated: 2023-09-27 17:54:28

I am trying to use the same authentication for my MVC controllers and my Web Api controllers. The Web api lives in the same project, just in the /Controllers/api/ folder.

When I log in through MVC and create a claim and a cookie, I can't seem to work out how to authenticate using OWIN, as in the example below.

    using System.Security.Claims;
    using System.Web;
    using System.Web.Mvc;
    using Microsoft.Owin.Security;

    // Login action (the method signature is not shown in the original post)
    public ActionResult Login()
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "Admin"),
            new Claim(ClaimTypes.Role, "Administrator")
        }, "ApplicationCookie");
        var ctx = Request.GetOwinContext();
        var authManager = ctx.Authentication;
        authManager.SignIn(identity);
        return RedirectToAction("Index", "Home", null);
    }

Everything works fine in the MVC controller, but I can't get the [Authorize(Roles="Administrator")] attribute to work on my web API controller. No matter what, it always lets me through.

Thanks

EDIT: The only way I have been able to solve this is to have a static class with a property that stores the IPrincipal, and then, in an overridden authorize attribute, look up that property and check whether the role exists that way. I'm not sure whether this is a good idea?
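Added example (not code from the original post): a minimal single-project setup in which one OWIN application cookie protects both MVC and Web API controllers. It uses the ASP.NET Identity template classes (ApplicationDbContext, ApplicationUserManager) to verify the password and to build the claims, rather than hard-coding a role; the namespace, cookie name and controller names are assumptions. It also shows the attribute that Web API actually evaluates: System.Web.Mvc.AuthorizeAttribute placed on an ApiController is not a Web API filter and is silently ignored, which lets every request through. Note that the static IPrincipal property from the edit is process-wide state shared by every concurrent request, so one user's principal can end up authorizing another user's request; the per-request principal set by the cookie middleware is what both [Authorize] filters should read.

```csharp
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(SharedAuthDemo.Startup))]

namespace SharedAuthDemo
{
    // Hypothetical project name. ApplicationDbContext and ApplicationUserManager are the
    // ASP.NET Identity template classes and are assumed to exist in the project.
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.CreatePerOwinContext(ApplicationDbContext.Create);
            app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // Active: the middleware authenticates every request and sets the principal,
                // so the MVC and the Web API [Authorize] filters both see the same identity.
                AuthenticationMode = AuthenticationMode.Active,
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                CookieName = "AuthCookie",
                CookieHttpOnly = true,                    // not readable from script
                CookieSecure = CookieSecureOption.Always, // only ever sent over HTTPS
                ExpireTimeSpan = TimeSpan.FromMinutes(30),
                SlidingExpiration = true,
                LoginPath = new PathString("/Account/Login")
            });
        }
    }

    public class AccountController : Controller
    {
        [HttpPost]
        [ValidateAntiForgeryToken]
        public async Task<ActionResult> Login(string userName, string password)
        {
            var owin = Request.GetOwinContext();
            var userManager = owin.GetUserManager<ApplicationUserManager>();

            // Verify the password against the Identity store instead of hard-coding claims.
            var user = await userManager.FindAsync(userName, password);
            if (user == null)
            {
                ModelState.AddModelError("", "Invalid user name or password.");
                return View();
            }

            // CreateIdentityAsync copies the user's role claims (ClaimTypes.Role) into the
            // identity; that is what [Authorize(Roles = "Administrator")] evaluates on both sides.
            var identity = await userManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
            owin.Authentication.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
            return RedirectToAction("Index", "Home");
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Logout()
        {
            Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
            return RedirectToAction("Index", "Home");
        }
    }

    // Lives in /Controllers/api. The attribute is fully qualified on purpose:
    // System.Web.Mvc.AuthorizeAttribute is not a Web API filter, so on an ApiController it is
    // silently ignored and every request gets through. System.Web.Http.AuthorizeAttribute is
    // the one the Web API pipeline runs.
    [System.Web.Http.Authorize(Roles = "Administrator")]
    public class ReportsController : System.Web.Http.ApiController
    {
        // GET /api/reports
        public System.Web.Http.IHttpActionResult Get()
        {
            return Ok(new { user = User.Identity.Name });
        }
    }
}
```

One more thing to check if the cookie is accepted by MVC but not by Web API: a WebApiConfig that calls config.SuppressDefaultHostAuthentication() clears the host (cookie) principal before Web API filters run, after which only authentication types registered through HostAuthenticationFilter are honoured by the API.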


Where is your authentication code written? In the MVC controller or in the Web API controller? I would suggest having it in your Web API controller so that later you can use it from any other application (a SPA or any other web application). You need to build an authorization server / resource server model (sorry, my English, not sure how to phrase this sentence). In your example, the Web API and the MVC site are both resource servers.

Below is an example of JWT + cookie middleware.

Build the authorization server using JWT with Web API and ASP.NET Identity, as explained here: http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/

Once you have done that, your Web API startup.cs will look like this

    using System;
    using System.Configuration;
    using Microsoft.AspNet.Identity;
    using Microsoft.Owin;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OAuth;
    using Owin;

    public partial class Startup
    {
        public static OAuthAuthorizationServerOptions OAuthServerOptions { get; private set; }

        /// Configures cookie auth for web apps and JWT for SPA, mobile apps
        private void ConfigureOAuthTokenGeneration(IAppBuilder app)
        {
            // Configure the db context, user manager and role manager to use a single instance per request
            app.CreatePerOwinContext(ApplicationDbContext.Create);
            app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
            app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);

            // Cookie for old school MVC application
            var cookieOptions = new CookieAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                CookieHttpOnly = true, // JavaScript should use the Bearer token instead
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/api/Account/Login"),
                CookieName = "AuthCookie"
            };
            // Register the cookie options defined above
            app.UseCookieAuthentication(cookieOptions);

            // Plug in the OAuth bearer JSON Web Token generation; token consumption is configured separately
            OAuthServerOptions = new OAuthAuthorizationServerOptions()
            {
                // For dev environment only (on production this should be AllowInsecureHttp = false)
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/oauth/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(30),
                Provider = new CustomOAuthProvider(),
                AccessTokenFormat = new CustomJwtFormat(ConfigurationManager.AppSettings["JWTPath"])
            };
            // OAuth 2.0 Bearer Access Token Generation
            app.UseOAuthAuthorizationServer(OAuthServerOptions);
        }
    }

You can find the CustomOAuthProvider and CustomJwtFormat classes here: https://github.com/tjoudeh/AspNetIdentity.WebApi/tree/master/AspNetIdentity.WebApi/Providers

In your MVC app, add the following startup.cs

    using System.Configuration;
    using Microsoft.AspNet.Identity;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.DataHandler.Encoder;
    using Microsoft.Owin.Security.Jwt;
    using Owin;

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureOAuthTokenConsumption(app);
        }

        private void ConfigureOAuthTokenConsumption(IAppBuilder app)
        {
            var issuer = ConfigurationManager.AppSettings["AuthIssuer"];
            string audienceid = ConfigurationManager.AppSettings["AudienceId"];
            byte[] audiencesecret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["AudienceSecret"]);

            // Application cookie for the MVC site
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                CookieName = "AuthCookie",
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie
            });

            // Api controllers with an [Authorize] attribute will be validated with JWT
            app.UseJwtBearerAuthentication(
                new JwtBearerAuthenticationOptions
                {
                    // Passive: only runs when AuthenticateAsync("JWT") is called explicitly
                    AuthenticationMode = AuthenticationMode.Passive,
                    AuthenticationType = "JWT",
                    AllowedAudiences = new[] { audienceid },
                    IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
                    {
                        new SymmetricKeyIssuerSecurityTokenProvider(issuer, audiencesecret)
                    }
                });
        }
    }

In your MVC controller, when you receive the token, deserialize it and generate a cookie from the access token

            // 'response' is the HTTP response from the token endpoint (e.g. a RestSharp IRestResponse);
            // AccessClaims is the DTO the token JSON is deserialized into (it has an access_token member)
            var claimsToken = JsonConvert.DeserializeObject<AccessClaims>(response.Content);
            claimsToken.Cookie = response.Cookies[0].Value;

            // Present the token to the passive JWT middleware, which validates signature, issuer, audience and expiry
            Request.Headers.Add("Authorization", "bearer " + claimsToken.access_token);
            var ctx = Request.GetOwinContext();
            var authenticateResult = await ctx.Authentication.AuthenticateAsync("JWT");
            ctx.Authentication.SignOut("JWT");
            if (authenticateResult == null || authenticateResult.Identity == null)
            {
                return new HttpUnauthorizedResult(); // token was rejected
            }

            // Re-issue the validated claims as the application cookie
            var applicationCookieIdentity = new ClaimsIdentity(authenticateResult.Identity.Claims, DefaultAuthenticationTypes.ApplicationCookie);
            ctx.Authentication.SignIn(applicationCookieIdentity);

This will create a cookie, and the [Authorize] attribute in the MVC site and in the Web API will honour that cookie.
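Added example (not code from the answer or from the linked repository): the MVC login action for the design described above, written end to end. It requests a token from the authorization server with the OAuth 2.0 resource owner password grant, hands the token to the passive "JWT" middleware from the MVC Startup above for validation, and then re-issues the validated claims as the application cookie. The Authorization header is set on the OWIN request, which is what the JWT bearer middleware reads, and the cookie's lifetime is capped at the token's expires_in so the cookie never outlives the token it was derived from. The namespace, the TokenEndpoint URL and the TokenResponse class are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;
using Newtonsoft.Json;

namespace MvcClient.Controllers
{
    // Shape of the JSON the OWIN OAuth token endpoint (/oauth/token) returns (assumed fields).
    public class TokenResponse
    {
        [JsonProperty("access_token")] public string AccessToken { get; set; }
        [JsonProperty("token_type")] public string TokenType { get; set; }
        [JsonProperty("expires_in")] public int ExpiresIn { get; set; }
    }

    public class AccountController : Controller
    {
        // Assumed authorization server endpoint; credentials are only ever posted over HTTPS.
        private static readonly Uri TokenEndpoint = new Uri("https://auth.example.com/oauth/token");
        private static readonly HttpClient Http = new HttpClient();

        [HttpPost]
        [ValidateAntiForgeryToken]
        public async Task<ActionResult> Login(string userName, string password)
        {
            // 1. Resource owner password grant against the authorization server.
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "password",
                ["username"] = userName,
                ["password"] = password
            });
            using (var response = await Http.PostAsync(TokenEndpoint, form))
            {
                if (!response.IsSuccessStatusCode)
                {
                    ModelState.AddModelError("", "Invalid user name or password.");
                    return View();
                }
                var token = JsonConvert.DeserializeObject<TokenResponse>(
                    await response.Content.ReadAsStringAsync());

                // 2. Let the passive "JWT" middleware validate signature, issuer, audience and
                //    expiry. It reads the Authorization header from the OWIN request.
                var ctx = Request.GetOwinContext();
                ctx.Request.Headers.Set("Authorization", "Bearer " + token.AccessToken);
                var result = await ctx.Authentication.AuthenticateAsync("JWT");
                if (result == null || result.Identity == null || !result.Identity.IsAuthenticated)
                {
                    ModelState.AddModelError("", "The token returned by the authorization server was rejected.");
                    return View();
                }

                // 3. Re-issue the validated claims (including the mapped role claims) as the
                //    application cookie that the MVC and Web API [Authorize] filters both honour.
                var cookieIdentity = new ClaimsIdentity(result.Identity.Claims,
                    DefaultAuthenticationTypes.ApplicationCookie);
                ctx.Authentication.SignIn(new AuthenticationProperties
                {
                    IsPersistent = false,
                    // Bind the cookie lifetime to the token lifetime.
                    ExpiresUtc = DateTimeOffset.UtcNow.AddSeconds(token.ExpiresIn)
                }, cookieIdentity);
                return RedirectToAction("Index", "Home");
            }
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Logout()
        {
            Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
            return RedirectToAction("Index", "Home");
        }
    }
}
```

Because the JWT middleware is registered in Passive mode, nothing happens on ordinary requests; it only runs inside this action when AuthenticateAsync("JWT") is called, and the rest of the site is driven by the cookie alone.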