I have a traditional ASP.NET app that I want to move to ASP.NET 5 (vNext). I am doing this as a learning exercise.
My current app uses Forms-based authentication. However, I would like to use OAuth. I was looking at the Security module and was curious what should be used for OAuth. I see an option for Microsoft.AspNet.Authentication.OAuth and Microsoft.AspNet.Authentication.OAuthBearer.
Which of these is used to let a user login?
Does anyone know of a sample/example showing these in action?
1 Answer
#1
12
Microsoft.AspNet.Authentication.OAuth
- Allows 3rd party Identifiers (e.g. Google, Facebook) to authenticate users for you, saving your users the annoyance of registering.
- Allows other apps to use your application for Authentication
Once your users are Authenticated by a 3rd party, the OWIN middle-ware reads their OAuth cookie and creates a domain specific Claims-based cookie. So long as the cookie is available (present, un-expired and uncorrupted) your users remain Authenticated.
An introduction to the ASP.NET 5 Generic OAuth Provider
Microsoft.AspNet.Authentication.OAuthBearer
Creates bearer tokens. When a user signs into an end point (Web-API), or is authenticated by a 3rd party, the OWIN middle-ware returns a bearer token. The bearer token is sent with all service requests to Identify your users in lieu of Cookies.
In Startup:

```csharp
// Needs the System.IdentityModel.Tokens.Jwt package for TokenValidationParameters,
// X509SecurityKey and JwtSecurityTokenHandler.
// `cert` is the X509Certificate2 whose public key verifies the token signature;
// it must be loaded before this call (the original snippet does not show where).
app.UseOAuthBearerAuthentication(options =>
{
    options.Authority = "http://localhost:5000/oauth/";
    options.Audience = "http://localhost:5000/oauth/resources";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        IssuerSigningKeys = new[] { new X509SecurityKey(cert) },
        // Turns off expiry checking, so an expired token is still accepted.
        // Acceptable for a local experiment; set to true before deploying.
        ValidateLifetime = false,
    };
    // Run this middleware on every request so HttpContext.User is populated
    // from the bearer token without an explicit Authenticate call.
    options.AutomaticAuthentication = true;
    options.SecurityTokenValidators = new[]
    {
        new JwtSecurityTokenHandler()
    };
});
```
Bearer Tokens are used when creating SPA (Single Page Application) or for securing AJAX requests.
Cookie Authentication is considered adequate for Server requests. But Service end points (whether or not they allow Cross Origin Resource Sharing) are more vulnerable to CSRF and XSS attacks.
Many Applications use both:
A common practice is to use cookie authentication for page requests and bearer tokens for AJAX requests.
You would need to differentiate between resources that utilize cookies and resources that utilize Tokens.
In this * answer, Matt DeKrey did a nice job of outlining his implementation utilizing [Authorize("Bearer")] for Controllers or Methods that should use bearer Tokens rather than the standard cookie based [Authorize] attribute.
Many Applications rely on Cookies alone:
How vulnerable is your application to CSRF attacks when relying on cookies? This is debatable. Many sites rely on cookies alone and never face issues. The answer may depend more on your traffic level and security needs.
If you are developing a site for tens of thousands of users, you are probably safe relying on cookies.
If you are serving millions of users or protect important financial data, your asynchronous calls should rely on bearer tokens.
Note: You mention using forms authentication, I would strongly recommend using Identity. The framework integrates with OWIN out of the box to give you both types of functionality.
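The "use both" pattern the answer describes (cookies for page requests, bearer tokens for AJAX requests, with [Authorize("Bearer")] marking the token-only endpoints) as one complete Startup, added here as an example; it is not code from the answer, from Matt DeKrey's answer, or from Microsoft. It assumes the ASP.NET 5 beta-era names the answer uses (UseCookieAuthentication, UseOAuthBearerAuthentication, ConfigureAuthorization, AutomaticAuthentication, CookieSecureOption), which were renamed in later releases, and it loads the signing certificate by a placeholder thumbprint you would replace with your own. Unlike the answer's snippet it keeps lifetime, issuer and audience validation switched on.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNet.Authentication.Cookies;
using Microsoft.AspNet.Authentication.OAuthBearer;
using Microsoft.AspNet.Authorization;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Mvc;
using Microsoft.Framework.DependencyInjection;

public class Startup
{
    // Assumed values; the issuer/audience must match what your token endpoint puts in the JWT.
    private const string Issuer = "https://localhost:5000/oauth/";
    private const string Audience = "https://localhost:5000/oauth/resources";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        services.ConfigureAuthorization(auth =>
        {
            // Policy behind [Authorize("Bearer")]: only the bearer scheme is consulted,
            // so a browser's ambient cookie can never satisfy a token-only endpoint.
            auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
                .AddAuthenticationSchemes(OAuthBearerAuthenticationDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser()
                .Build());
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        var cert = LoadSigningCertificate();

        // Cookie scheme for page requests; automatic, so plain [Authorize] uses it.
        app.UseCookieAuthentication(options =>
        {
            options.AuthenticationScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.AutomaticAuthentication = true;
            options.LoginPath = new PathString("/Account/Login");
            options.CookieHttpOnly = true;                    // not readable by script (limits XSS theft)
            options.CookieSecure = CookieSecureOption.Always;  // sent over HTTPS only
        });

        // Bearer scheme for AJAX/SPA calls. Not automatic: it only runs for endpoints that
        // ask for it via the "Bearer" policy, and the token is never attached by the browser
        // on its own, which is what removes the CSRF exposure of cookie-backed APIs.
        app.UseOAuthBearerAuthentication(options =>
        {
            options.AuthenticationScheme = OAuthBearerAuthenticationDefaults.AuthenticationScheme;
            options.AutomaticAuthentication = false;
            options.Authority = Issuer;
            options.Audience = Audience;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                IssuerSigningKey = new X509SecurityKey(cert),
                ValidateIssuerSigningKey = true,
                ValidIssuer = Issuer,
                ValidateIssuer = true,
                ValidAudience = Audience,
                ValidateAudience = true,
                ValidateLifetime = true,                 // expired tokens are rejected
                ClockSkew = TimeSpan.FromMinutes(2),     // tolerate small clock drift only
            };
        });

        app.UseMvc();
    }

    private static X509Certificate2 LoadSigningCertificate()
    {
        // Placeholder; replace with the thumbprint of the certificate that signs your tokens.
        const string thumbprint = "REPLACE_WITH_SIGNING_CERT_THUMBPRINT";
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Signing certificate not found in the store.");
            return found[0];
        }
    }
}

// Page controller: the ambient cookie is sufficient.
[Authorize]
public class HomeController : Controller
{
    public IActionResult Index() => View();
}

// API controller: only a valid bearer token passes; a request carrying just the cookie gets 401.
[Authorize("Bearer")]
[Route("api/[controller]")]
public class ValuesController : Controller
{
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "value1", "value2" });
}
```

The two points worth checking on your own app are that the bearer middleware is not automatic (otherwise a token would also satisfy page endpoints) and that every API controller carries the "Bearer" policy rather than the bare attribute, since a bare [Authorize] on an API action silently falls back to the cookie scheme and reintroduces the CSRF exposure the answer warns about.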