How to use ASP.net 5 Identity in a Web API application? Token-based user authentication. Mobile apps

Time: 2022-01-19 03:36:47

Assuming that I currently have a newly created project based on the Visual Studio 2015 "WebApp" template with Individual Accounts authentication, I use the Microsoft.AspNet.Authentication package and I can't always rely on cookies, because my web API should also target mobile apps:

How can I add authentication to my web API? I'm especially interested in token based authentication.


3 solutions

#1


4  

You can use basic HTTP authentication or implement a similar one with a token or ticket passed through HTTP headers.

#2


3  

Implement a custom AuthorizeAttribute in your Web API project. In the IsAuthorized(HttpActionContext actionContext) overload you can check the authorization scheme and authorization header, and then you can connect to your sessions provider and check if the user has an active session. You must pass the login token in the authorization header, so if the token is missing, that means there is no active user. So when you log in, you must create and encrypt the token on successful login. Then pass this token with each request to the server.
This blog contains more information about using AuthorizeAttribute: http://weblogs.asp.net/jongalloway/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way

#3


3  

You can make a separate table in the db for storing authentication details (AuthKey, UserID, CreatedDate, ExpiredDate, IsExpired) and make functions like CheckAuthorizationKey(string authKey), ExtendAuthorization(string authKey), ExpireAuthorization(string authKey), and call those functions for checking the authorization, as in the sample code below.

public ServiceResult<LoginModel> Login(string auth_key)
{
    var service = new ServiceResult<LoginModel>();
    LoginModel user = new LoginModel();

    // Reject the request when the authorization key check fails.
    if (!AuthKey.CheckAuthorizationKey(auth_key))
    {
        service.message = TemplateCodes.GetMessage(TemplateCodes.UnAuthorize, null, db);
        service.status = ServiceStatus.authorization_failed;
        return service;
    }

    // ... the rest of the method is not shown in the original answer ...
    return service;
}
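
The token table from answer #3, as an added example that is not part of any answer on this page. An in-memory dictionary stands in for the db table, and rows are keyed by the SHA-256 hash of the token instead of the raw AuthKey; `Issue`, `Find`, `Hash`, the 30-minute lifetime and the explicit `now` parameter are assumptions of the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

class AuthRow { public string UserID; public DateTime CreatedDate, ExpiredDate; public bool IsExpired; }
static class AuthKey
{
    // In-memory stand-in for the db table, keyed by SHA-256(token) so a leaked table
    // holds no usable tokens (assumption; not thread-safe).
    static readonly Dictionary<string, AuthRow> Table = new Dictionary<string, AuthRow>();
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30); // assumed lifetime
    static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
    static AuthRow Find(string authKey)
    {
        AuthRow row;
        return !string.IsNullOrEmpty(authKey) && Table.TryGetValue(Hash(authKey), out row) ? row : null;
    }
    // After a successful login: 256 bits from the CSPRNG, hex-encoded, sent to the client once.
    public static string Issue(string userId, DateTime now)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var token = BitConverter.ToString(bytes).Replace("-", "");
        Table[Hash(token)] = new AuthRow { UserID = userId, CreatedDate = now, ExpiredDate = now + Lifetime };
        return token;
    }
    public static bool CheckAuthorizationKey(string authKey, DateTime now)
    {
        var row = Find(authKey);
        if (row != null && now >= row.ExpiredDate) row.IsExpired = true; // a timed-out row stays expired
        return row != null && !row.IsExpired;
    }
    public static void ExtendAuthorization(string authKey, DateTime now)
    { if (CheckAuthorizationKey(authKey, now)) Find(authKey).ExpiredDate = now + Lifetime; }
    public static void ExpireAuthorization(string authKey) // logout or revocation
    { var row = Find(authKey); if (row != null) row.IsExpired = true; }
    static void Main()
    {
        var t0 = new DateTime(2022, 1, 19, 3, 0, 0, DateTimeKind.Utc); // constructed clock
        var token = Issue("user-1", t0);
        ExtendAuthorization(token, t0.AddMinutes(29));                      // slides expiry to t0+59
        Console.WriteLine(CheckAuthorizationKey(token, t0.AddMinutes(45))); // inside the extended window
        ExpireAuthorization(token);
        Console.WriteLine(CheckAuthorizationKey(token, t0.AddMinutes(46))); // after revocation
    }
}
```

A plain SHA-256 lookup is adequate here only because the token is 256 random bits; it would not be for user-chosen secrets such as passwords.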
