ASP.NET Web API 2基於令牌的身分識別驗證

來源:互聯網
上載者:User

標籤:options   發送   標記   sub   seo   tar   category   time   framework   

ASP.NET Web API 2基於令牌的身分識別驗證

基於令牌的認證

    我們知道WEB網站的身分識別驗證一般通過session或者cookie完成的,登入成功後用戶端發送的任何請求都帶上cookie,服務端根據用戶端發送來的cookie來識別使用者。

    WEB API使用這樣的方法不是很適合,於是就有了基於令牌的認證,使用令牌認證有幾個好處:可擴充性、鬆散耦合、移動終端調用比較簡單等等,別人都用上了,你還有理由不用嗎?

    下面我們花個20分鐘的時間來實現一個簡單的WEB API token認證:

 

Step 1: 建立一個空的WEB API項目,項目名稱就設定為WebApi

 

Step 2: 在Models目錄下建立一個 Product 類 :

按 Ctrl+C 複製代碼using System;using System.Collections.Generic;using System.Linq;using System.Web;namespace WebApi.Models{ public class Product { public int Id { get; set; } public string Name { get; set; } public string Category { get; set; } public decimal Price { get; set; } }}按 Ctrl+C 複製代碼

Step 3:在Controllers目錄下建立一個 ProductsController 類

按 Ctrl+C 複製代碼using System;using System.Collections.Generic;using System.Linq;using System.Net;using System.Web.Http;using WebApi.Models;namespace WebApi.Controllers{ [RoutePrefix("api/Products")] public class ProductsController : ApiController { Product[] products = new Product[] { new Product { Id = 1, Name = "Tomato Soup", Category = "Groceries", Price = 1 }, new Product { Id = 2, Name = "Yo-yo", Category = "Toys", Price = 3.75M }, new Product { Id = 3, Name = "Hammer", Category = "Hardware", Price = 16.99M } }; public IEnumerable<Product> GetAllProducts() { return products; } public Product GetProductById(int id) { var product = products.FirstOrDefault((p) => p.Id == id); if (product == null) { throw new HttpResponseException(HttpStatusCode.NotFound); } return product; } public IEnumerable<Product> GetProductsByCategory(string category) { return products.Where(p => string.Equals(p.Category, category, StringComparison.OrdinalIgnoreCase)); } }}按 Ctrl+C 複製代碼

F5運行後就可以使用這個簡單的WebApi了,測試api可以使用Postman工具:

    擷取所有資料  http://localhost:1234/api/products

    擷取內碼為1的資料  http://localhost:1234/api/products/1

    查詢category=的資料  http://localhost:1234/api/products?category=Groceries

 

    可以看到這個產品的API是公開訪問的,沒有任何驗證,這樣不是很安全,下一步我將加上token驗證。

 

Step 4:安裝所需的NuGet包:

開啟NuGet包管理器控制台,然後輸入如下指令:

Install-Package Microsoft.AspNet.WebApi.Owin -Version 5.1.2Install-Package Microsoft.Owin.Host.SystemWeb -Version 2.1.0Install-Package Microsoft.AspNet.Identity.Owin -Version 2.0.1 Install-Package Microsoft.Owin.Cors -Version 2.1.0 Install-Package EntityFramework -Version 6.0.0 

Step 5:在項目根目錄下添加Owin“Startup”類

按 Ctrl+C 複製代碼using System;using System.Collections.Generic;using System.Linq;using System.Web;using System.Web.Http;using Owin;using Microsoft.Owin;using Microsoft.Owin.Security.OAuth;[assembly: OwinStartup(typeof(WebApi.Startup))]namespace WebApi{ public class Startup { public void Configuration(IAppBuilder app) { HttpConfiguration config = new HttpConfiguration(); ConfigureOAuth(app); WebApiConfig.Register(config); app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll); app.UseWebApi(config); } public void ConfigureOAuth(IAppBuilder app) { OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions() { AllowInsecureHttp = true, TokenEndpointPath = new PathString("/token"), AccessTokenExpireTimeSpan = TimeSpan.FromDays(1), Provider = new SimpleAuthorizationServerProvider() }; app.UseOAuthAuthorizationServer(OAuthServerOptions); app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); } }}按 Ctrl+C 複製代碼

 

Step 6:刪除Global.asax 

我們已經設定了Setup類,就不需要Global了,刪掉乾淨;

 

Step 7:在項目根目錄下添加驗證類 SimpleAuthorizationServerProvider,為了簡單使用者的驗證部分我們省略掉;

按 Ctrl+C 複製代碼using System;using System.Collections.Generic;using System.Linq;using System.Web;using System.Threading;using System.Threading.Tasks;using Microsoft.Owin;using Microsoft.Owin.Security.OAuth;using System.Security.Claims;namespace WebApi{ public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider { public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) { context.Validated(); } public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" }); /* * 對使用者名稱、密碼進行資料校正,這裡我們省略 using (AuthRepository _repo = new AuthRepository()) { IdentityUser user = await _repo.FindUser(context.UserName, context.Password); if (user == null) { context.SetError("invalid_grant", "The user name or password is incorrect."); return; } }*/ var identity = new ClaimsIdentity(context.Options.AuthenticationType); identity.AddClaim(new Claim("sub", context.UserName)); identity.AddClaim(new Claim("role", "user")); context.Validated(identity); } }}按 Ctrl+C 複製代碼

 

Step 7:讓CORS起作用

在ASP.NET Web API中啟用OAuth的Access Token驗證非常簡單,只需在相應的Controller或Action加上[Authorize]標記

修改ProductsController類

按 Ctrl+C 複製代碼using System;using System.Collections.Generic;using System.Linq;using System.Net;using System.Web.Http;using WebApi.Models;namespace WebApi.Controllers{ public class ProductsController : ApiController { Product[] products = new Product[] { new Product { Id = 1, Name = "Tomato Soup", Category = "Groceries", Price = 1 }, new Product { Id = 2, Name = "Yo-yo", Category = "Toys", Price = 3.75M }, new Product { Id = 3, Name = "Hammer", Category = "Hardware", Price = 16.99M } }; [Authorize] [Route("")] public IEnumerable<Product> GetAllProducts() { return products; } [Authorize] public Product GetProductById(int id) { var product = products.FirstOrDefault((p) => p.Id == id); if (product == null) { throw new HttpResponseException(HttpStatusCode.NotFound); } return product; } [AllowAnonymous] public IEnumerable<Product> GetProductsByCategory(string category) { return products.Where(p => string.Equals(p.Category, category, StringComparison.OrdinalIgnoreCase)); } }}按 Ctrl+C 複製代碼

 

現在我們再次直接GET http://localhost:23477/api/products/ 會返回401錯誤,請求被拒絕

 

擷取token, POST   http://localhost:23477/token

參數BODY x-www-form-urlencoded 格式:

grant_type=password

username=admin 

password=123456

返回200狀態,內容為:

{  "access_token": "eLjAu3Alm2YWjJKXmX_fLY07P6vbIzxasFECkDap3KIE0Ydp7IGhTgrzWLtPdgrK46rfAB-OmJSG5C8Bh-PkfG3XrGS0uDea2KBXyoWSR11evTGJiVIyXny3Ih2DkH04qH2T_Ar4kIjcAngPtUnsEVex26tV4QHIrjCq5SlkOdfdAa9Pnl98QVwYH47yO-zlc55bwMgpR2J4fQLyNzWVHNZpH3DbOcHQ3Yenemr6XhM",  "token_type": "bearer",  "expires_in": 86399}

只要在http要求標頭中加上Authorization:bearer Token就可以成功訪問API就成功了:

GET   http://localhost:23477/api/products/

Authorization : bearer eLjAu3Alm2YWjJKXmX_fLY07P6vbIzxasFECkDap3KIE0Ydp7IGhTgrzWLtPdgrK46rfAB-OmJSG5C8Bh-PkfG3XrGS0uDea2KBXyoWSR11evTGJiVIyXny3Ih2DkH04qH2T_Ar4kIjcAngPtUnsEVex26tV4QHIrjCq5SlkOdfdAa9Pnl98QVwYH47yO-zlc55bwMgpR2J4fQLyNzWVHNZpH3DbOcHQ3Yenemr6XhM

 

這樣我們就完成了簡單的WEB API的token驗證~

ASP.NET Web API 2基於令牌的身分識別驗證

聯繫我們

該頁面正文內容均來源於網絡整理,並不代表阿里雲官方的觀點,該頁面所提到的產品和服務也與阿里云無關,如果該頁面內容對您造成了困擾,歡迎寫郵件給我們,收到郵件我們將在5個工作日內處理。

如果您發現本社區中有涉嫌抄襲的內容,歡迎發送郵件至: info-contact@alibabacloud.com 進行舉報並提供相關證據,工作人員會在 5 個工作天內聯絡您,一經查實,本站將立刻刪除涉嫌侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.