標籤:options 發送 標記 sub seo tar category time framework
ASP.NET Web API 2基於令牌的身分識別驗證
基於令牌的認證
我們知道WEB網站的身分識別驗證一般通過session或者cookie完成的,登入成功後用戶端發送的任何請求都帶上cookie,服務端根據用戶端發送來的cookie來識別使用者。
WEB API使用這樣的方法不是很適合,於是就有了基於令牌的認證,使用令牌認證有幾個好處:可擴充性、鬆散耦合、移動終端調用比較簡單等等,別人都用上了,你還有理由不用嗎?
下面我們花個20分鐘的時間來實現一個簡單的WEB API token認證:
Step 1: 建立一個空的WEB API項目,項目名稱就設定為WebApi
Step 2: 在Models目錄下建立一個 Product 類 :
按 Ctrl+C 複製代碼using System;using System.Collections.Generic;using System.Linq;using System.Web;namespace WebApi.Models{ public class Product { public int Id { get; set; } public string Name { get; set; } public string Category { get; set; } public decimal Price { get; set; } }}按 Ctrl+C 複製代碼
Step 3:在Controllers目錄下建立一個 ProductsController 類
按 Ctrl+C 複製代碼using System;using System.Collections.Generic;using System.Linq;using System.Net;using System.Web.Http;using WebApi.Models;namespace WebApi.Controllers{ [RoutePrefix("api/Products")] public class ProductsController : ApiController { Product[] products = new Product[] { new Product { Id = 1, Name = "Tomato Soup", Category = "Groceries", Price = 1 }, new Product { Id = 2, Name = "Yo-yo", Category = "Toys", Price = 3.75M }, new Product { Id = 3, Name = "Hammer", Category = "Hardware", Price = 16.99M } }; public IEnumerable<Product> GetAllProducts() { return products; } public Product GetProductById(int id) { var product = products.FirstOrDefault((p) => p.Id == id); if (product == null) { throw new HttpResponseException(HttpStatusCode.NotFound); } return product; } public IEnumerable<Product> GetProductsByCategory(string category) { return products.Where(p => string.Equals(p.Category, category, StringComparison.OrdinalIgnoreCase)); } }}按 Ctrl+C 複製代碼
F5運行後就可以使用這個簡單的WebApi了,測試api可以使用Postman工具:
擷取所有資料 http://localhost:1234/api/products
擷取內碼為1的資料 http://localhost:1234/api/products/1
查詢category=的資料 http://localhost:1234/api/products?category=Groceries
可以看到這個產品的API是公開訪問的,沒有任何驗證,這樣不是很安全,下一步我將加上token驗證。
Step 4:安裝所需的NuGet包:
開啟NuGet包管理器控制台,然後輸入如下指令:
Install-Package Microsoft.AspNet.WebApi.Owin -Version 5.1.2Install-Package Microsoft.Owin.Host.SystemWeb -Version 2.1.0Install-Package Microsoft.AspNet.Identity.Owin -Version 2.0.1 Install-Package Microsoft.Owin.Cors -Version 2.1.0 Install-Package EntityFramework -Version 6.0.0
Step 5:在項目根目錄下添加Owin“Startup”類
按 Ctrl+C 複製代碼using System;using System.Collections.Generic;using System.Linq;using System.Web;using System.Web.Http;using Owin;using Microsoft.Owin;using Microsoft.Owin.Security.OAuth;[assembly: OwinStartup(typeof(WebApi.Startup))]namespace WebApi{ public class Startup { public void Configuration(IAppBuilder app) { HttpConfiguration config = new HttpConfiguration(); ConfigureOAuth(app); WebApiConfig.Register(config); app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll); app.UseWebApi(config); } public void ConfigureOAuth(IAppBuilder app) { OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions() { AllowInsecureHttp = true, TokenEndpointPath = new PathString("/token"), AccessTokenExpireTimeSpan = TimeSpan.FromDays(1), Provider = new SimpleAuthorizationServerProvider() }; app.UseOAuthAuthorizationServer(OAuthServerOptions); app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); } }}按 Ctrl+C 複製代碼
Step 6:刪除Global.asax
我們已經設定了Setup類,就不需要Global了,刪掉乾淨;
Step 7:在項目根目錄下添加驗證類 SimpleAuthorizationServerProvider,為了簡單使用者的驗證部分我們省略掉;
按 Ctrl+C 複製代碼using System;using System.Collections.Generic;using System.Linq;using System.Web;using System.Threading;using System.Threading.Tasks;using Microsoft.Owin;using Microsoft.Owin.Security.OAuth;using System.Security.Claims;namespace WebApi{ public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider { public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) { context.Validated(); } public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" }); /* * 對使用者名稱、密碼進行資料校正,這裡我們省略 using (AuthRepository _repo = new AuthRepository()) { IdentityUser user = await _repo.FindUser(context.UserName, context.Password); if (user == null) { context.SetError("invalid_grant", "The user name or password is incorrect."); return; } }*/ var identity = new ClaimsIdentity(context.Options.AuthenticationType); identity.AddClaim(new Claim("sub", context.UserName)); identity.AddClaim(new Claim("role", "user")); context.Validated(identity); } }}按 Ctrl+C 複製代碼
Step 7:讓CORS起作用
在ASP.NET Web API中啟用OAuth的Access Token驗證非常簡單,只需在相應的Controller或Action加上[Authorize]標記
修改ProductsController類
按 Ctrl+C 複製代碼using System;using System.Collections.Generic;using System.Linq;using System.Net;using System.Web.Http;using WebApi.Models;namespace WebApi.Controllers{ public class ProductsController : ApiController { Product[] products = new Product[] { new Product { Id = 1, Name = "Tomato Soup", Category = "Groceries", Price = 1 }, new Product { Id = 2, Name = "Yo-yo", Category = "Toys", Price = 3.75M }, new Product { Id = 3, Name = "Hammer", Category = "Hardware", Price = 16.99M } }; [Authorize] [Route("")] public IEnumerable<Product> GetAllProducts() { return products; } [Authorize] public Product GetProductById(int id) { var product = products.FirstOrDefault((p) => p.Id == id); if (product == null) { throw new HttpResponseException(HttpStatusCode.NotFound); } return product; } [AllowAnonymous] public IEnumerable<Product> GetProductsByCategory(string category) { return products.Where(p => string.Equals(p.Category, category, StringComparison.OrdinalIgnoreCase)); } }}按 Ctrl+C 複製代碼
現在我們再次直接GET http://localhost:23477/api/products/ 會返回401錯誤,請求被拒絕
擷取token, POST http://localhost:23477/token
參數BODY x-www-form-urlencoded 格式:
grant_type=password
username=admin
password=123456
返回200狀態,內容為:
{ "access_token": "eLjAu3Alm2YWjJKXmX_fLY07P6vbIzxasFECkDap3KIE0Ydp7IGhTgrzWLtPdgrK46rfAB-OmJSG5C8Bh-PkfG3XrGS0uDea2KBXyoWSR11evTGJiVIyXny3Ih2DkH04qH2T_Ar4kIjcAngPtUnsEVex26tV4QHIrjCq5SlkOdfdAa9Pnl98QVwYH47yO-zlc55bwMgpR2J4fQLyNzWVHNZpH3DbOcHQ3Yenemr6XhM", "token_type": "bearer", "expires_in": 86399}
只要在http要求標頭中加上Authorization:bearer Token就可以成功訪問API就成功了:
GET http://localhost:23477/api/products/
Authorization : bearer eLjAu3Alm2YWjJKXmX_fLY07P6vbIzxasFECkDap3KIE0Ydp7IGhTgrzWLtPdgrK46rfAB-OmJSG5C8Bh-PkfG3XrGS0uDea2KBXyoWSR11evTGJiVIyXny3Ih2DkH04qH2T_Ar4kIjcAngPtUnsEVex26tV4QHIrjCq5SlkOdfdAa9Pnl98QVwYH47yO-zlc55bwMgpR2J4fQLyNzWVHNZpH3DbOcHQ3Yenemr6XhM
這樣我們就完成了簡單的WEB API的token驗證~
ASP.NET Web API 2基於令牌的身分識別驗證