
Correct me if I'm not understanding something. I'm working with a fresh Web API application generated from a VS template.

  • The user does register right on the login page of the Web API app.
  • It appears that a user can register from outside the Web API app (from ANY device that knows the api/Accounts URL), but it requires passing sensitive information in plain text.
  • The sample ValuesController has the [Authorize].
  • Accessing /api/Values from the browser will throw a 401 if the user is not logged in.
  • Accessing /api/Values from Fiddler will also throw a 401 even if the user is logged in. This is because it requires an Authorize: Bearer header, and the access token isn't available from outside the web application.
  • There is a token endpoint that we can use to request a token from outside the app, but using the built-in token endpoint requires the user's username and password as plain text to be sent.

I guess all the work needs to be done from an external trusted client application (which must have access to the same database that stores user info). From the client application, how would I create an access token so that I can make a request that would have that access token in the header?

Suppose that I was able to achieve generating an acceptable access token from the client. Will the [Authorize] attribute still block access because the user would technically not be logged in? Or does [Authorize] actually log the user in if it doesn't result in a 401?

2 Answers

AuthorizeAttribute will block access when the IsAuthenticated property of the current IIdentity is false. That is completely separate from access tokens.

answered 2014-04-03T16:10:57.027

Your steps are fine. But I think you are confusing your understanding of the last part with cookie authentication versus token authentication.

"Will the [Authorize] attribute still block access because the user would technically not be logged in? Or does [Authorize] actually log the user in if it doesn't result in a 401?"

For cookie authentication, that would be a problem: the user technically needs to be logged in and a valid session needs to exist on the server.

But for token authentication, that is not the case. As long as you have a valid bearer token, you can access that API from any device.

answered 2015-12-19T08:08:41.433
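An added example, not code from the question or either answer, of the token flow the second answer describes: a trusted client posts the user's credentials to the template's token endpoint and then sends the returned token in the Authorization: Bearer header when calling /api/Values. It assumes the endpoint path is /Token (the Visual Studio template default), an API listening at https://localhost:44300, Newtonsoft.Json for parsing the response, and constructed sample credentials.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using Newtonsoft.Json.Linq;

// Added example: a trusted client calling the Web API template's OAuth token endpoint,
// then using the returned bearer token against the [Authorize]-protected ValuesController.
// Assumed: token endpoint path /Token, API at https://localhost:44300, Newtonsoft.Json available.
class BearerTokenClient
{
    // HTTPS is required: the password grant sends the credentials as a form body,
    // so TLS is the only thing protecting them between the client and the API.
    static readonly Uri BaseAddress = new Uri("https://localhost:44300/");

    // Resource-owner password grant: exchange the user's credentials for an access token.
    static string RequestAccessToken(HttpClient http, string userName, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "password" },
            { "username", userName },
            { "password", password }
        });
        HttpResponseMessage response = http.PostAsync("Token", form).Result;
        response.EnsureSuccessStatusCode(); // throws on invalid credentials (HTTP 400)
        JObject body = JObject.Parse(response.Content.ReadAsStringAsync().Result);
        return (string)body["access_token"];
    }

    // Call the protected resource; the token, when given, goes in the Authorization header.
    static int GetValuesStatus(HttpClient http, string accessToken)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, "api/Values");
        if (accessToken != null)
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        HttpResponseMessage response = http.SendAsync(request).Result;
        return (int)response.StatusCode;
    }

    static void Main()
    {
        using (var http = new HttpClient { BaseAddress = BaseAddress })
        {
            // Constructed sample credentials for a user already registered with the API.
            string token = RequestAccessToken(http, "alice@example.com", "Sample-Passw0rd!");
            // The bearer middleware validates the token and sets IsAuthenticated, so [Authorize] passes
            // even though no cookie-based login ever happened; without the header it rejects the call.
            Console.WriteLine("with token:    " + GetValuesStatus(http, token));
            Console.WriteLine("without token: " + GetValuesStatus(http, null));
        }
    }
}
```

The client never touches the user database; the API's own token endpoint is what validates the credentials and issues the token.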