Web API local login and Web API authentication
Web API authentication methods
There are three authentication methods in ASP.NET Web API:
- Individual User Accounts. Users can register on the website or log in with an external service such as Google or Facebook.
- Work and school accounts. Active Directory and Office 365 are used for authentication.
- Windows Authentication. For use on the intranet (LAN).
There are two login methods for an individual user account:
- Local login. When a user registers on the website, the website stores the user's username and a hash of the password. The user provides the login name and password, and the website authenticates them with the ASP.NET Identity system.
- Social login. The user logs in with an external service such as Google or Facebook. The website still creates a record for the user in its database, but does not store credentials; the user authenticates against the external service.
The two login methods differ in the credential flow; whichever method is used, Web API uses OAuth2 for authentication.
OAuth2 terms
- Resource. Protected data.
- Resource server. The server that hosts the resource.
- Resource owner. The entity that can grant access to the resource. A user is a typical resource owner.
- Client. The application that accesses the resource.
- Access token. A token that grants access to the resource.
- Bearer token. A kind of access token with which the client does not need to prove possession of a key. Bearer tokens should only be sent over HTTPS and should be given a short validity period.
- Authorization server. The server that issues the token.
In practice, the resource server and the authorization server can be the same application.
Local login credential flow
For local login, Web API uses the resource owner password credentials grant defined in OAuth2. This grant type is meant for the case where the resource owner highly trusts the client.
The following is the program structure that implements this flow.
Here, the Web API controller is the resource server. The authentication filter validates the token, and the authorization filter decides whether the token grants access. The authorization server and the authentication filter handle the details specified by the OAuth2 standard through OWIN middleware.
AccountController uses ASP.NET Identity to manage user data. The related files are:
- \App_Start\IdentityConfig.cs
- \Controllers\AccountController.cs
- \Models\IdentityModels.cs
- \Providers\ApplicationOAuthProvider.cs
Configure the authorization server
The authorization server is configured in the ConfigureAuth method of the Startup.Auth.cs file.

```csharp
public void ConfigureAuth(IAppBuilder app)
{
    // Configure the db context and user manager to use a single instance per request
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

    // Enable the application to use a cookie to store information for the signed-in user
    // and a cookie to temporarily store information about a user logging in with a third-party login provider
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    // Configure the application for OAuth-based flow
    PublicClientId = "self";
    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId),
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        // In production mode set AllowInsecureHttp = false
        AllowInsecureHttp = true
    };

    // Enable the application to use bearer tokens to authenticate users
    app.UseOAuthBearerTokens(OAuthOptions);
}
```

The TokenEndpointPath property sets the endpoint of the authorization server; the client obtains a bearer token by posting to this URL. The Provider property hooks the OWIN middleware up to a provider that handles the events the middleware raises.
Configure Web API to use bearer tokens
Web API is configured to use bearer tokens in the WebApiConfig.Register method.

```csharp
public static void Register(HttpConfiguration config)
{
    // Web API configuration and services
    // Configure Web API to use only bearer token authentication.
    config.SuppressDefaultHostAuthentication();
    config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

    // Web API routes
    config.MapHttpAttributeRoutes();

    config.Routes.MapHttpRoute(
        name: "DefaultApi",
        routeTemplate: "api/{controller}/{id}",
        defaults: new { id = RouteParameter.Optional }
    );
}
```

Here, SuppressDefaultHostAuthentication tells Web API to ignore any authentication that happened before the request entered the Web API pipeline, whether performed by IIS or by OWIN middleware. The HostAuthenticationFilter class then authenticates the bearer token.
Get a token
To obtain a token, follow these steps:
The OAuth middleware knows nothing about user accounts. The provider is what coordinates the middleware and ASP.NET Identity.
Access resources
- The HostAuthentication filter calls the OAuth middleware to validate the token.
- The middleware converts the token into a claims identity.
- At this point the request is authenticated but not yet authorized.
- The authorization filter inspects the claims identity. If the claims authorize the user to access this resource, the request is authorized. By default, AuthorizeAttribute authorizes any request that has been authenticated, but you can also check roles or other claims.
- If the preceding steps succeed, the controller returns the protected resource. Otherwise, the client receives a 401 error.
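The client side of the two exchanges above (posting the resource owner's credentials to /Token, then sending the bearer token with a request for a protected resource), as an added example that is not code from the original article; the base URL, the /api/Account/UserInfo path and the sample JSON reply are constructed for illustration.

```python
"""Client for the local-login flow: password grant at /Token, then a
bearer-authenticated call to a protected Web API resource."""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/Token"  # matches TokenEndpointPath in ConfigureAuth


def build_token_request(base_url, username, password):
    """Form-encoded POST for the OAuth2 resource owner password grant.
    Bearer tokens must only travel over HTTPS (AllowInsecureHttp = false
    in production), so a non-https base URL is rejected up front."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("token endpoint must be reached over https: " + base_url)
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(base_url + TOKEN_PATH, data=body,
                                  headers=headers, method="POST")


def parse_token_response(raw_json):
    """Return (access_token, lifetime_seconds) from the /Token reply,
    accepting only bearer-type tokens."""
    data = json.loads(raw_json)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return data["access_token"], int(data["expires_in"])


def build_resource_request(base_url, path, token):
    """GET a protected resource. HostAuthenticationFilter reads the
    Authorization: Bearer header and turns the token into a claims identity."""
    return urllib.request.Request(base_url + path,
                                  headers={"Authorization": "Bearer " + token})


def send(request):
    """Send a request; a 401 means the token was missing, invalid or expired."""
    try:
        with urllib.request.urlopen(request) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()
```

A full run is `send(build_resource_request(base, "/api/Account/UserInfo", parse_token_response(send(build_token_request(base, user, pw))[1])[0]))`, where a 401 on the second call is the outcome described in the last step above.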
Source: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api