So, I am not very strong on the intricacies of the new OWIN framework, and I have the following problem:
I have an SPA web application (latest MVC, AngularJs), latest OWIN, and the Identity framework connected to a RavenDB user store (using Brock's provider).
Need: log the user in on the SPA site via username/password or via Twitter/FB/LiveId, and have that action authenticate future Web API calls from the browser in a secure way. During authentication I need to pass a large number of claims to the Web API, so that it knows not only who the user is but also his/her permissions. In addition, the Web API needs to be callable as an API using an API key (I think I have this part).
What is the right way to do this? I also plan to connect mobile apps to the Web API in the future. I have read lots of articles and my head is spinning.
Problem: I thought using cookie authentication mode would do this for me. I had it working in Visual Studio debug mode and thought I was good. However, when I deploy to Azure I start getting 401 Unauthorized from the API calls. Both the SPA site and the API run under the same root domain, but on different subdomains. When testing locally from Visual Studio I did not use any cookie domain setting. In Azure I use the root domain for cookies.
Here is the MVC application ConfigAuth for my SPA:
public void ConfigureAuth(IAppBuilder app)
{
    var decryptor = new SettingsEncryption();
    // Enable the application to use a cookie to store information for the signed in user
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        LogoutPath = new PathString("/Account/Logout"),
        CookieDomain = CloudConfigurationManager.GetSetting("AuthCookieDomain"),
        CookieSecure = CookieSecureOption.Always,
        //CookiePath = "/",
        CookieHttpOnly = true,
        ExpireTimeSpan = TimeSpan.FromDays(365),
        SlidingExpiration = true,
    });
    // Use a cookie to temporarily store information about a user logging in with a third party login provider
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    app.UseMicrosoftAccountAuthentication(
        clientId: decryptor.Decrypt(CloudConfigurationManager.GetSetting("LiveIdOAuthAppId")),
        clientSecret: decryptor.Decrypt(CloudConfigurationManager.GetSetting("LiveIdOAuthSecretKey")));
    app.UseTwitterAuthentication(
        consumerKey: decryptor.Decrypt(CloudConfigurationManager.GetSetting("TwitterOAuthAppId")),
        consumerSecret: decryptor.Decrypt(CloudConfigurationManager.GetSetting("TwitterOAuthSecretKey")));
    app.UseFacebookAuthentication(
        appId: decryptor.Decrypt(CloudConfigurationManager.GetSetting("FacebookOAuthAppId")),
        appSecret: decryptor.Decrypt(CloudConfigurationManager.GetSetting("FacebookOAuthSecretKey")));
    app.UseGoogleAuthentication(
        clientId: decryptor.Decrypt(CloudConfigurationManager.GetSetting("GoogleOAuthAppId")),
        clientSecret: decryptor.Decrypt(CloudConfigurationManager.GetSetting("GoogleOAuthSecretKey")));
}
Here is my Web API ConfigAuth:
public void ConfigureAuth(IAppBuilder app)
{
    // Same settings decryptor as in the SPA project (the snippet as posted used it without declaring it)
    var decryptor = new SettingsEncryption();
    app.SetDefaultSignInAsAuthenticationType(DefaultAuthenticationTypes.ExternalCookie);
    // Enable the application to use a cookie to store information for the signed in user
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        CookieDomain = CloudConfigurationManager.GetSetting("AuthCookieDomain"),
        CookieSecure = CookieSecureOption.Always,
        //CookiePath = "/",
        CookieHttpOnly = true,
        ExpireTimeSpan = TimeSpan.FromDays(365),
        SlidingExpiration = true,
        Provider = new CookieAuthenticationProvider
        {
            // ApplyRedirect is a method defined elsewhere in the project (not shown here)
            OnApplyRedirect = ApplyRedirect
        },
    });
    //app.UseExternalSignInCookie(DefaultAuthenticationTypes.ApplicationCookie);
    // Uncomment the following lines to enable logging in with third party login providers
    app.UseMicrosoftAccountAuthentication(
        clientId: decryptor.Decrypt(CloudConfigurationManager.GetSetting("LiveIdOAuthAppId")),
        clientSecret: decryptor.Decrypt(CloudConfigurationManager.GetSetting("LiveIdOAuthSecretKey")));
    app.UseTwitterAuthentication(
        consumerKey: decryptor.Decrypt(CloudConfigurationManager.GetSetting("TwitterOAuthAppId")),
        consumerSecret: decryptor.Decrypt(CloudConfigurationManager.GetSetting("TwitterOAuthSecretKey")));
    app.UseFacebookAuthentication(
        appId: decryptor.Decrypt(CloudConfigurationManager.GetSetting("FacebookOAuthAppId")),
        appSecret: decryptor.Decrypt(CloudConfigurationManager.GetSetting("FacebookOAuthSecretKey")));
    app.UseGoogleAuthentication(
        clientId: decryptor.Decrypt(CloudConfigurationManager.GetSetting("GoogleOAuthAppId")),
        clientSecret: decryptor.Decrypt(CloudConfigurationManager.GetSetting("GoogleOAuthSecretKey")));
    var config = GlobalConfiguration.Configuration;
    config.EnableCors(new EnableCorsAttribute("*", "*", "*"));
}
In addition, a global handler has been enabled on the Web API to authenticate every call. (It inherits from DelegatingHandler, checks the header for the presence of an API key, and otherwise calls AssertAuth().)
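Three things a cookie shared across subdomains depends on, shown here as an added example that is not the asker's code: both sites must protect the ticket with the same machineKey (two separate Azure sites do not share one unless it is configured explicitly) and use the same cookie name, AuthenticationType and parent domain; the API's CORS policy must name the SPA origin and allow credentials, because a browser never attaches cookies to a cross-origin XHR under a "*" policy (and the AngularJS client must set withCredentials); and an API should answer 401 instead of redirecting an XHR to a login page. The DelegatingHandler at the end is the API-key-or-cookie check the question describes, keeping only a SHA-256 hash of the key on the server and comparing it in constant time. The origin app.example.com, the domain .example.com, the header name X-Api-Key, the setting ApiKeySha256 (base64 of the hash) and the class names are assumptions.

```csharp
// Added example, not the asker's code. Assumes the SPA at https://app.example.com
// and the API under .example.com, and that both sites share one <machineKey>.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Cors;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security.Cookies;
using Microsoft.WindowsAzure;
using Owin;

public static class ApiAuthConfig
{
    // Hypothetical SPA origin. A "*" origin cannot be combined with credentials,
    // so under the wildcard policy the browser never sends the auth cookie.
    const string SpaOrigin = "https://app.example.com";

    public static void Configure(IAppBuilder app, HttpConfiguration config)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie, // same as the SPA
            CookieDomain = ".example.com",                                     // shared parent domain
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true,
            Provider = new CookieAuthenticationProvider
            {
                // An API answers 401; redirecting an XHR to /Account/Login just confuses the client.
                OnApplyRedirect = ctx => ctx.Response.StatusCode = 401
            }
        });

        var cors = new EnableCorsAttribute(SpaOrigin, "*", "GET,POST,PUT,DELETE")
        {
            SupportsCredentials = true // emits Access-Control-Allow-Credentials: true
        };
        config.EnableCors(cors);
        config.MessageHandlers.Add(new ApiKeyOrCookieHandler());
    }
}

// Accepts either a valid API key header or an authenticated cookie principal.
public class ApiKeyOrCookieHandler : DelegatingHandler
{
    const string HeaderName = "X-Api-Key"; // hypothetical header name

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        if (request.Headers.TryGetValues(HeaderName, out values))
        {
            if (!KeyMatches(values.FirstOrDefault()))
                return request.CreateResponse(HttpStatusCode.Unauthorized);
        }
        else
        {
            // No key: the cookie middleware must already have produced an authenticated principal.
            var principal = request.GetRequestContext().Principal;
            if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
                return request.CreateResponse(HttpStatusCode.Unauthorized);
        }
        return await base.SendAsync(request, cancellationToken);
    }

    static bool KeyMatches(string presented)
    {
        if (string.IsNullOrEmpty(presented)) return false;
        // Only the hash of the key is configured server-side (assumed setting name).
        byte[] expected = Convert.FromBase64String(CloudConfigurationManager.GetSetting("ApiKeySha256"));
        byte[] actual;
        using (var sha = SHA256.Create())
            actual = sha.ComputeHash(Encoding.UTF8.GetBytes(presented));
        return FixedTimeEquals(expected, actual);
    }

    // Length-independent comparison so a wrong key takes the same time as a near-miss.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

On the client side the matching change is `$httpProvider.defaults.withCredentials = true;` in the AngularJS module config; without it the browser omits the cookie on calls to the API subdomain even when the server policy is correct, and the result is exactly a 401 that does not reproduce when both apps run on one local host.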
Answer 0: (score: 1)
I have written a tutorial that covers the scenario you want to achieve; it is cookie-less, it depends only on bearer tokens, which is the right way to build SPAs. You can check the series of posts here http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
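The bearer-token setup the answer points to, written out as an added example (not the answerer's tutorial code) with the OWIN OAuth middleware: the SPA posts username/password to /token, receives a short-lived access token carrying the user's permission claims, and sends it in the Authorization header on every API call, so no cookie, cookie domain or shared machineKey between subdomains is involved. The IUserLookup interface, UserRecord class and the "permission" claim type are assumptions standing in for the asker's RavenDB user store.

```csharp
// Added example, not code from the linked tutorial. Assumes a hypothetical IUserLookup
// that validates a password against the user store and returns the user's permissions.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public interface IUserLookup
{
    // Returns null when the credentials are wrong (hypothetical store abstraction).
    Task<UserRecord> ValidateAsync(string userName, string password);
}

public class UserRecord
{
    public string Id { get; set; }
    public string UserName { get; set; }
    public IList<string> Permissions { get; set; }
}

public static class TokenAuthConfig
{
    public static void Configure(IAppBuilder app, IUserLookup users)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromHours(1), // short-lived, unlike a 365-day cookie
            AllowInsecureHttp = false,                         // tokens are only ever issued over TLS
            Provider = new PasswordGrantProvider(users)
        });
        // Every API request is authenticated from "Authorization: Bearer <token>" and nothing else,
        // which is the same mechanism a mobile app would use later.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

public class PasswordGrantProvider : OAuthAuthorizationServerProvider
{
    readonly IUserLookup _users;

    public PasswordGrantProvider(IUserLookup users) { _users = users; }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // A browser SPA is a public client: there is no client secret it could keep, so the
        // request is accepted here and the user's own credentials are checked below.
        context.Validated();
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var user = await _users.ValidateAsync(context.UserName, context.Password);
        if (user == null)
        {
            // One generic message for both unknown user and wrong password.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
        identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
        // Permissions travel inside the protected token, so the API authorizes without a
        // second store lookup; the list is sent on every request, so keep it to what is needed.
        foreach (var permission in user.Permissions)
            identity.AddClaim(new Claim("permission", permission)); // hypothetical claim type

        context.Validated(identity);
    }
}
```

With this in place the API controllers authorize from `User.Identity` as a ClaimsIdentity, and the /token endpoint itself still needs a CORS policy naming the SPA origin, since the SPA and the API remain on different subdomains.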