OWIN authentication server for multiple applications

Problem description:

I am in the process of implementing a solution that has an MVC client (let's call this CLIENT at localhost:4077/) with a WebAPI service (called API at localhost:4078/).

I have implemented OWIN OAuth in the API but wanted to know whether OWIN could be implemented in a separate solution (let's call it AUTH at localhost:4079/token) to generate the token for the CLIENT, which the CLIENT then passes to the API (as the Bearer authorisation token).

The reason I am querying this is that there are likely to be additional WebAPI services accessed by the CLIENT, and I'd like to use OWIN between the client and all API services.

The issue is I am not sure whether the token generated by the AUTH service could be used to authorise all requests on the CLIENT and all API services.

Has anyone implemented anything like this, and if so could you provide an example? I am pretty new to OWIN and OAuth, so any help would be greatly appreciated.

Separating the authorization server from the resource server is extremely easy: it will even work without any extra code if you use IIS and if you have configured identical machine keys on both applications/servers.

Supporting multiple resource servers is a bit harder to implement with the OWIN OAuth2 server if you need to select which endpoints an access token can gain access to. If you don't care about that, just configure all your resource servers with the same machine keys, and you'll be able to access all your APIs with the same tokens.

To have more control over the endpoints that can be used with an access token, you should take a look at AspNet.Security.OpenIdConnect.Server - a fork of the OAuth2 server that comes with OWIN/Katana - that natively supports this scenario: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server.

The setup is relatively easy:

Add a new middleware issuing tokens in your authorization server application (in Startup.cs):

app.UseOpenIdConnectServer(new OpenIdConnectServerOptions
{
    Provider = new AuthorizationProvider()
});

Add new middleware validating access tokens in your different API servers (in Startup.cs):

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
    // AllowedAudiences MUST contain the absolute URL of your API.
    AllowedAudiences = new[] { "http://localhost:11111/" },

    // X509CertificateSecurityTokenProvider MUST be initialized with an issuer corresponding to the absolute URL of the authorization server.
    IssuerSecurityTokenProviders = new[] { new X509CertificateSecurityTokenProvider("http://localhost:50000/", certificate) }
});

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
    // AllowedAudiences MUST contain the absolute URL of your API.
    AllowedAudiences = new[] { "http://localhost:22222/" },

    // X509CertificateSecurityTokenProvider MUST be initialized with an issuer corresponding to the absolute URL of the authorization server.
    IssuerSecurityTokenProviders = new[] { new X509CertificateSecurityTokenProvider("http://localhost:50000/", certificate) }
});

Finally, add a new OpenID Connect client middleware in your client app (in Startup.cs):

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    // Some essential parameters have been omitted for brevity.
    // See https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Mvc/Mvc.Client/Startup.cs for more information

    // Authority MUST correspond to the absolute URL of the authorization server.
    Authority = "http://localhost:50000/",

    // Resource represents the different endpoints the
    // access token should be issued for (values must be space-delimited).
    // In this case, the access token will be requested for both APIs.
    Resource = "http://localhost:11111/ http://localhost:22222/",
});

You can have a look at this sample for more information: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Mvc/

It doesn't use multiple resource servers, but it shouldn't be hard to adapt it using the different steps I mentioned. Feel free to ping me if you need help.
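As an added, language-neutral illustration (this is not code from the answer above, from Katana, or from AspNet.Security.OpenIdConnect.Server), the Python below models the three-party flow the answer describes and the checks the JWT bearer middleware performs on each resource server: the authorization server turns the client's space-delimited Resource parameter into the JWT aud claim, and each API accepts a token only if the signature verifies, iss matches the authorization server, aud contains that API's own URL, and exp has not passed. It reuses the constructed URLs from the answer (localhost:50000, 11111, 22222) and, as a simplification, signs with a shared HMAC key rather than the X.509 certificate used by X509CertificateSecurityTokenProvider.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed demo key shared by the authorization server and the resource
# servers. Assumption for this example only: HS256 stands in for the X.509
# (RS256) signing the page's X509CertificateSecurityTokenProvider expects.
DEMO_KEY = b"demo-shared-secret-not-for-production"

AUTH_SERVER = "http://localhost:50000/"   # Authority / issuer from the answer
API_ONE = "http://localhost:11111/"       # first resource server's audience
API_TWO = "http://localhost:22222/"       # second resource server's audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(resource: str, subject: str, key: bytes = DEMO_KEY,
                issuer: str = AUTH_SERVER, lifetime: int = 3600,
                now: Optional[float] = None) -> str:
    """Authorization-server side: the client's space-delimited `Resource`
    value becomes the `aud` claim, so one token can name several APIs."""
    now = time.time() if now is None else now
    audiences = resource.split()
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": issuer,
        "sub": subject,
        "aud": audiences if len(audiences) > 1 else audiences[0],
        "iat": int(now),
        "exp": int(now) + lifetime,
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenRejected(Exception):
    """Raised by a resource server for any reason a bearer token is unusable."""


def validate_token(token: str, allowed_audiences: List[str],
                   expected_issuer: str = AUTH_SERVER, key: bytes = DEMO_KEY,
                   now: Optional[float] = None) -> dict:
    """Resource-server side: verify the signature before trusting any claim,
    then pin the issuer, require our own URL in `aud`, and enforce expiry."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_issuer:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if not any(a in allowed_audiences for a in aud):
        raise TokenRejected("token was not issued for this API")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("expired")
    return claims


def api_accepts(token: str, api_url: str, now: Optional[float] = None) -> bool:
    """True if a resource server whose AllowedAudiences is [api_url] would accept the token."""
    try:
        validate_token(token, [api_url], now=now)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    # CLIENT asked AUTH for Resource = "http://localhost:11111/ http://localhost:22222/"
    both = issue_token(f"{API_ONE} {API_TWO}", "alice")
    single = issue_token(API_ONE, "alice")
    print("both-API token accepted by API_TWO:", api_accepts(both, API_TWO))
    print("API_ONE-only token accepted by API_TWO:", api_accepts(single, API_TWO))
```

The audience check is the part that the "same machine key everywhere" shortcut in the answer skips: with identical keys and no aud restriction, a token obtained for one API is replayable against every other API that trusts that key. Pinning alg, iss and aud on each resource server is what confines a stolen or over-scoped token to the services it was actually issued for.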