ASP.NET Web API (REST): authenticate with user credentials or a token? Keep the "register new user" resource password protected?

Time: 2023-01-20 11:11:54

I am trying to create a REST service using ASP.NET Web API and everything is working fine, but I have now come across what to do with authentication.

I am a little confused about where to start; here is what I have been thinking.

I have a REST API I am developing that consists of a number of resources. Each resource will need the user to be registered, so what is the best action for doing this? Should I just send the username and password in the header on each call to the service so I can authenticate on the server using AuthorizationFilterAttribute? I should at least encrypt it though? I would really love to know what others are doing. I know there is a concept of creating a token (which I presume will be short lived), so hence the user would authenticate and then would receive a token; this token would then be sent on further calls to the service. The token would need to be short lived I presume? So how would I handle the problem when the token expires?

I also have a resource that is used to register a new user; actually the only things that will be calling this are my clients (Android, iPhone). So should I leave it FREE of any authentication methods, or put a hard coded password or something similar so that at least nobody else can register new users? Bearing in mind that the service will be public on the internet.

I would really appreciate any feedback anyone has on this.

I just don't seem to be able to find the correct way of doing this. I certainly want to try and get it right the first time so I don't have to refactor the service completely.

Thanks in advance

1 solution

#1

11

The following link appears to cover some sensible DIY options: http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/. The "Tokens based on Public/Private Keys" section covers an approach I have used effectively in the past and would maybe be of assistance to you.

At the moment though I am using the Thinktecture IdentityServer (http://identityserver.codeplex.com/) with OAuth bearer tokens ("Resource Owner Password Credential" grant type)... I am finding this a very good set of code and examples to work from, and have iOS clients obtaining tokens and calling the Web API.

If you really must secure your registration screen you could maybe use client certificates installed on the devices to authenticate... again the Thinktecture service could help here: https://identity.thinktecture.com/idsrv/docs/default.htm?RequestingatokenusingOAuth2.html. Although if your registration process is secure (see "What are best practices for activation/registration/password-reset links in emails with nonce", e.g. email confirmations and activations etc.) it may be safe to leave publicly accessible - this all depends on your business requirements and desired sign up workflow.

You should at least use transport level security (SSL), but as you suggest message level security, e.g. encrypting any tokens, is very advisable - the OAuth spec has something to say about this: http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#mitigation.

Regarding expiring tokens - we tend to expire our tokens with the same frequency as our password changing policy; although keeping the validity time down is important (to minimise the impact of token theft) and a consideration to balance against your requirements. OAuth has the concept of refresh tokens (see "Why Does OAuth v2 Have Both Access and Refresh Tokens?" for some debate and links around this topic); we are not currently using this approach as the ID server we are using doesn't currently support this.

Keeping your tokens safe is also a consideration, e.g. we are using the Keychain in iOS, but also think about Mobile Device Management policies if possible, as if these tokens or passwords are on the device they could be stolen; perhaps look into jailbreak detection, lock screen enforcement etc.
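As an added example (not code from the question, the answer, or Thinktecture), this is the short-lived bearer-token approach the answer recommends, written as the AuthorizationFilterAttribute the question mentions: the client authenticates once with username/password, receives an HMAC-signed token with an embedded expiry, and presents it on later calls; the filter rejects forged or expired tokens with an RFC 6750 challenge so the client knows to re-authenticate. It assumes ASP.NET Web API 2 (for RequestContext.Principal), a hypothetical token format, and a placeholder signing key; username/password verification at the token endpoint is out of scope.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
// Hypothetical Web API 2 filter. Token format: "<userId>:<expiryUnixSeconds>.<base64 HMAC-SHA256 of that payload>".
public class BearerTokenAuthorizeAttribute : AuthorizationFilterAttribute
{
    private static readonly byte[] SigningKey = Encoding.UTF8.GetBytes("PLACEHOLDER-load-from-config"); // placeholder: load from protected config, never hard-code
    public static string Issue(string userId, TimeSpan lifetime)   // a token endpoint calls this once, after verifying username/password; keep lifetime short
    {
        string payload = userId + ":" + DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        return payload + "." + Convert.ToBase64String(Sign(payload));
    }
    public static bool TryValidate(string token, out string userId)
    {
        userId = null;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        byte[] sig; try { sig = Convert.FromBase64String(parts[1]); } catch (FormatException) { return false; }
        if (!FixedTimeEquals(Sign(parts[0]), sig)) return false;              // forged or tampered
        string[] fields = parts[0].Split(':');
        if (fields.Length != 2 || !long.TryParse(fields[1], out long exp)) return false;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() >= exp) return false;  // expired: client must re-authenticate
        userId = fields[0];
        return true;
    }
    public override void OnAuthorization(HttpActionContext ctx)
    {
        AuthenticationHeaderValue auth = ctx.Request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Bearer" || auth.Parameter == null || !TryValidate(auth.Parameter, out string user))
        {
            ctx.Response = ctx.Request.CreateResponse(HttpStatusCode.Unauthorized);  // RFC 6750 challenge
            ctx.Response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer", "error=\"invalid_token\""));
            return;
        }
        ctx.RequestContext.Principal = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "Bearer"));
    }
    private static byte[] Sign(string p) { using (var h = new HMACSHA256(SigningKey)) return h.ComputeHash(Encoding.UTF8.GetBytes(p)); }
    private static bool FixedTimeEquals(byte[] a, byte[] b)   // constant-time compare: no early exit on mismatch
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Decorate the protected controllers with [BearerTokenAuthorize] and leave the token endpoint and the registration resource undecorated; a token signed with a different key, altered in transit, or past its expiry fails TryValidate and gets the 401 challenge.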
