使用 OAuth 保护我的 REST API,同时仍然允许通过第三方 OAuth 提供程序进行身份验证(使用 DotNetOpenAuth)
我有一个带有简单 REST API 的产品,因此该产品的用户可以直接与产品的功能集成,而无需使用我的网络用户界面.
I have a product with a straightforward REST API so that users of the product can directly integrate with the product's features without using my web user interface.
最近,我收到了许多第三方关于将他们的桌面客户端与 API 集成以允许我的产品的用户使用该第三方应用程序访问他们的数据的兴趣.
Recently I have been getting interest from various third parties about integrating their desktop clients with the API to allow users of my product to access their data using that third party application.
我已经看到想要使用 Twitter 的应用程序使用 Twitter 托管的登录页面进行身份验证,该页面授予特定应用程序访问该用户数据的权限.您单击允许"或拒绝"按钮,身份验证过程就完成了.据我所知,Facebook 使用了相同的机制.
I've seen that applications that want to use Twitter authenticate using a login page hosted by Twitter that grants a specific application permission to access that user's data. You click the "Allow" or "Deny" button and the authentication process is complete. Facebook uses the same mechanism as best I can tell.
经过进一步研究,这似乎是 OAuth 在起作用,并且看到我的 API 是基于 .Net 的,我想我应该使用 DotNetOpenAuth 并提供类似的机制.不幸的是,这些示例的文档很少(如果有的话),而且我可以在网上找到的唯一教程似乎侧重于帮助您为用户提供登录机制,以便他们可以使用第三方提供商登录您的网站.
Upon further research, this seems to be OAuth in action, and seeing as my API is .Net-based, I am thinking I should use DotNetOpenAuth and provide a similar mechanism. Unfortunately the samples are sparsely documented (if at all) and the only tutorials I can find online seem to be focussed on helping you provide a login mechanism for your users so that they can log into your website using a third party provider.
我真正想做的是让我的 REST API 处理我的 Web 应用程序的所有核心身份验证和业务逻辑,并且在幕后,我的 Web 应用程序本质上是另一个应用程序仅通过 OAuth 使用 API.用户将直接使用他们的用户名和密码在网站上进行身份验证,或者通过 MyOpenID 或 Facebook 等第三方提供商进行身份验证,然后网站会以某种方式使用返回的令牌对 REST API 进行身份验证.
What I would really like to do is have my REST API handle all of the core authentication and business logic for my web application and have, under the hood, my web application essentially be another application that just uses the API via OAuth. Users would authenticate on the website either directly using their username and password, or via a third party provider such as MyOpenID or Facebook and then the website would somehow use the returned token to authenticate against the REST API.
基本上看起来我需要我的 API 以某种方式托管 OAuth 服务,但也让用户使用第三方 OAuth 服务.我不禁认为我对 OAuth 没有足够的了解来决定我是否过于复杂,或者我正在尝试做的事情是好的还是坏的做事方式.
It basically looks like I need my API to somehow host an OAuth service, but also have users use a third party OAuth service. I can't help but think I don't quite have enough of a grasp on OAuth to decide if I'm overcomplicating things or if what I'm trying to do is a good or bad way to do things.
有人至少可以大致概述一下我需要采取的步骤,或者我应该注意什么才能实现这一点?或者指点我一些教程?或者抨击我的提议并告诉我我的(架构上)全错了?
Can someone give me at least a broad overview of the steps I need to undertake, or what I should look at to make this happen? Or point me at some tutorials? Or blast my proposal and tell me I'm going about this (architecturally) all wrong?
首先我想强调一下认证和授权的区别:
First I'd like to emphasize the difference between authentication and authorization:
用户通过提供一些凭据(例如用户名+密码)对您的网站进行身份验证.OpenID 允许通过让用户验证到另一个服务来取代这一点,然后该服务代表用户向您的网站声明用户的身份.您的站点信任第三方服务(OpenID 提供程序),因此认为用户已登录.
A user authenticates to your web site by supplying some credential such as a username+password. OpenID allows this to be displaced by having the user authenticate to another service, which then asserts the user's identity to your web site on the user's behalf. Your site trusts the third party service (the OpenID Provider) and therefore considers the user logged in.
服务或应用程序不会对您的网站进行身份验证——至少通常不会.用户授权服务或应用程序访问用户的数据.这通常由请求服务提供商授权的应用程序完成,然后将用户发送到服务提供商,在那里用户首先进行身份验证(因此服务提供商知道与谁交谈),然后用户对站点说是的,[应用程序] 可以[以某种受限制的方式] 访问我的数据".从那时起,应用程序使用授权令牌来访问服务提供商站点上的用户数据.请注意,应用程序不会像用户一样对自身进行身份验证,而是使用另一个代码来确保服务有权访问特定用户的数据.
A service or application does not authenticate to your web site -- at least not typically. A user authorizes a service or application to access the user's data. This is typically done by the application requesting authorization of the service provider, then sending the user to the service provider, where the user first authenticates (so the service provider knows who its talking to) and then the user says to the site "yes, it's ok for [application] to access my data [in some restricted way]". From then on, the application uses an authorization token to access the user data on the service provider site. Note that the application does not authenticate itself as if it were the user, but it uses another code to assure the service that it is authorized to access a particular user's data.
因此,通过澄清区别,您可以完全独立地在您的站点上做出有关身份验证和授权的决定.例如,如果您希望您的用户能够使用以下所有内容登录:用户名+密码、OpenID 和 Facebook,您可以这样做.一个完全正交的决定是您如何授权应用程序(您可以使用许多协议,OAuth 当然非常流行).
So with that distinction clarified, you can make decisions on your site about authentication and authorization completely independently. For instance, if you want your users to be able to log in with all of: username+password, OpenID, and Facebook, you can do that. A completely orthogonal decision is how you authorize applications (there are many protocols you can use for this, OAuth of course being quite popular).
OpenID 专注于用户身份验证.OAuth 专注于应用授权.但是,Facebook 和 Twitter 等少数服务选择使用 OAuth 进行身份验证和授权,而不是使用 OpenID 进行身份验证和 OAuth 进行授权.
OpenID is focused on user authentication. OAuth is focused on application authorization. However, a few services such as Facebook and Twitter have chosen to use OAuth for authentication and authorization instead of using OpenID for authentication and OAuth for authorization.
现在对于您自己的项目,我强烈建议您查看 ASP.NET MVC 2 OpenID 网站 (C#) 项目模板可从 VS Gallery 获得.它带有开箱即用的 OpenID 身份验证和 OAuth 服务提供商支持.这意味着您的用户可以使用 OpenID 登录,并且 3rd 方应用程序和服务可以使用 OAuth 对您的网站进行 API 调用并访问用户数据.
Now for your own project, I strongly recommend you check out the ASP.NET MVC 2 OpenID web site (C#) project template available from the VS Gallery. Out of the box it comes with OpenID authentication and OAuth Service Provider support. This means your users can log in with OpenID, and 3rd party applications and services can use OAuth to make API calls to your web site and access user data.
听起来您希望在开始后添加到此项目模板的是您的用户能够使用用户名+密码以及 OpenID 登录.此外,如果您希望 Facebook 和 Twitter 成为您的用户的一个选项,您也必须实现这一点,因为它们不使用 OpenID 标准.但 DotNetOpenAuth 下载包含使用 Twitter 和 Facebook 登录的示例,因此您可以从中获得一些指导.
What it sounds like you'd want to add to this project template once you get going is the ability for your users to log in with username+password as well as OpenID. Also, if you want Facebook and Twitter to be an option for your users you must implement that as well since they don't use the OpenID standard. But the DotNetOpenAuth download includes samples for logging in with Twitter and Facebook so you have some guidance there.
我怀疑您在授权方面没有什么可做的.正如我之前所说,它带有 OAuth,这对您来说可能就足够了.
I suspect you won't have much if anything to do on the authorization front. It comes with OAuth as I said before, and that will probably suffice for you.