
I'm using

  • New browser only clients on the same domain
  • Identity 2.0
  • WebAPI 2.1
  • Owin 2.1
  • AngularJS front-end for registration, login and data display

In a WebAPI application with an AngularJS front-end.

I'm reading about token authentication but I am very confused now and I cannot find any good examples out there that use my combination. What I would like to know is should I be using cookies or tokens for the authentication. Should I be using a Userfactory or the CreatePerOwinContext?

Here's what I have in my Startup.Auth.cs

public partial class Startup {

    public void ConfigureAuth(IAppBuilder app) {

        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);
        app.UseCookieAuthentication(new CookieAuthenticationOptions {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/"),
            Provider = new CookieAuthenticationProvider {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
        app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));

        // Enables the application to remember the second login verification factor such as phone or email.
        // Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
        // This is similar to the RememberMe option when you log in.
        app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
    }
}

Here's my WebAPI config:

public static class WebApiConfig
{
    public static void CustomizeConfig(HttpConfiguration config)
    {
        // JSON only: drop the XML formatter and use camelCase property names for the AngularJS client.
        config.Formatters.Remove(config.Formatters.XmlFormatter);
        var json = config.Formatters.JsonFormatter;
        json.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
        json.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore;
        json.SerializerSettings.Converters.Add(new IsoDateTimeConverter { DateTimeFormat = "yyyy-MM-ddTHH:mmZ" });
    }
}

I saw some examples using this code but I am not sure how I can call this:

OAuthOptions = new OAuthAuthorizationServerOptions
{
    TokenEndpointPath = new PathString("/Token"),
    Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
    AllowInsecureHttp = true
};

Could I just replace the cookie authentication with this?

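The following is an added example, not code from the question or from the answer below, showing how the OAuthAuthorizationServerOptions snippet in the question is actually wired up next to the existing cookie middleware. It assumes the ApplicationDbContext, ApplicationUserManager and ApplicationUser types from the question's Identity 2.0 template; the ApplicationOAuthProvider below is a rewrite of the Web API template's provider that fetches the UserManager from the OWIN context (the CreatePerOwinContext pattern) instead of the UserManagerFactory the question's snippet refers to.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Same per-request factories as the question's Startup.Auth.cs (assumed types).
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        // 1. Cookie middleware stays in place for the browser UI (login page, MVC views).
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

        // 2. Authorization server: POST /Token with a form body of
        //    grant_type=password&username=...&password=...  returns a bearer access token.
        var oauthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(),
            // The 14-day lifetime in the question's snippet is long for a token that cannot be
            // revoked once issued; an hour is a more defensible default for a browser client.
            AccessTokenExpireTimeSpan = TimeSpan.FromHours(1),
            // A bearer token is only as secret as the channel it travels on:
            // keep this false outside of local development.
            AllowInsecureHttp = false
        };
        app.UseOAuthAuthorizationServer(oauthOptions);

        // 3. Bearer middleware: validates "Authorization: Bearer <token>" on API calls and
        //    builds a principal whose AuthenticationType is "Bearer", distinct from the cookie's.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

// Replacement for the template's ApplicationOAuthProvider(PublicClientId, UserManagerFactory):
// with Identity 2.0 the UserManager comes from the OWIN context rather than a factory delegate.
public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // The resource owner password grant sent from a browser carries no client credentials,
        // and a browser could not keep a client secret anyway, so only an absent client id is accepted.
        if (context.ClientId == null)
        {
            context.Validated();
        }
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            // One message for "no such user" and "wrong password", so the endpoint
            // does not confirm which user names exist.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // Identity with AuthenticationType "Bearer"; the server middleware serialises and
        // protects it into the access token returned to the client.
        ClaimsIdentity identity = await userManager.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType);
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }
}
```

So the answer to "could I just replace the cookie authentication with this?" is that the two are registered side by side: the cookie middleware keeps serving the UI, and the authorization server plus bearer middleware serve the AngularJS client, which POSTs the user's credentials to /Token once and then sends the returned access_token as an Authorization: Bearer header on every $http call.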

1 Answer


Not an expert, but from what I have seen, tokens are great for APIs and for JavaScript talking to an API, while traditional cookies are mostly used for the UI. Depending on what you are trying to do, either one or both will work.

You can follow this link to do cookies for the UI and tokens for the API: http://blog.iteedee.com/2014/03/asp-net-identity-2-0-cookie-token-authentication/

app.CreatePerOwinContext(ApplicationSession.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

// Token Authentication (the options type in Microsoft.Owin.Security.OAuth is OAuthBearerAuthenticationOptions)
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

I think you can set the cookie authentication options' authentication type to bearer if you want it to hold both, but you have to use it. The token will be in the OwinContext under ".AspNet.ExternalBearer".

I also think that if you register the Identity 2.0 middleware it registers the OAuth middleware as well, so you don't need to register the OAuth server middleware yourself. That is the OAuthAuthorizationServerOptions code you posted; you don't need it.

If the UI and the API are separate, it gets a bit harder if you want to pass from the UI to the API for some kind of single sign-on. I would suggest looking at Thinktecture's open-source IdentityServer or AuthorizationServer.

If you are set on OWIN middleware and Identity 2.0, you need to make sure that both the application and the API can read the token, and you may need to implement ISecureDataFormat. But keep in mind that being able to decrypt the token does not mean you can trust it 100%; it should be signed and validated. Depends on your needs.

Sorry, I guess that was a long ramble... good luck.

answered 2014-05-01T16:23:45.820