ADFS 2.0 Windows 2008 R2 Web API
Pet*_*hai 9 asp.net-mvc adfs windows-server-2008-r2 single-sign-on asp.net-web-api
我想创建一个与Web API应用程序对话的MVC Web应用程序,并使用ADFS 2.0(在Windows 2008 R2上)进行身份验证.
我设法使用ADFS使MVC Web应用程序进行身份验证.
问:但我不知道如何将我的ADFS 2.0(在Windows 2008 R2上)从MVC Web联合到Web API(假设它们将部署在不同的服务器中)?
我发现了很多关于如何使用WCF或Windows Server 2012 R2执行此操作的文章,但没有找到有关Windows Server 2008 R2中的Web API和ADFS 2.0的文章
编辑,最后我去了穷人代表团(将我收到的相同令牌传递给后端的前端(因为再次调用adfs是没有意义的)
FrontEnd - >调用GetToken并输入授权标头(我将其编码为base64)
public string GetToken()
{
BootstrapContext bootstrapContext = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext;
string token = bootstrapContext.Token;
if (string.IsNullOrEmpty(token))
token = ToTokenXmlString(bootstrapContext.SecurityToken as SamlSecurityToken);
return token;
}
string ToTokenXmlString(SecurityToken token)
{
var genericToken = token as GenericXmlSecurityToken;
if (genericToken != null)
return genericToken.TokenXml.OuterXml;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
return ToTokenXmlString(token, handler);
}
string ToTokenXmlString(SecurityToken token, SecurityTokenHandlerCollection handler)
{
if (!handler.CanWriteToken(token))
throw new InvalidOperationException("Token type not suppoted");
var sb = new StringBuilder(128);
using (StringWriter stringWriter = new StringWriter(sb))
{
using (var textWriter = new XmlTextWriter(stringWriter))
{
handler.WriteToken(textWriter, token);
return sb.ToString();
}
}
}
后端 - >解析并验证令牌 - >
public ClaimsIdentity GetIdentityFromToken(string tokenBase64)
{
if (string.IsNullOrEmpty(tokenBase64))
return null;
byte[] tokenByteArray = Convert.FromBase64String(tokenBase64);
string decodedToken = Encoding.UTF8.GetString(tokenByteArray);
if (string.IsNullOrWhiteSpace(decodedToken))
return null;
try
{
var handlers = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
SecurityToken token;
using (StringReader stringReader = new StringReader(decodedToken))
{
using (XmlTextReader xmlReader = new XmlTextReader(stringReader))
{
token = handlers.ReadToken(xmlReader);
}
}
if (token == null)
return null;
return handlers.ValidateToken(token).FirstOrDefault();
}
catch (Exception e)
{
logger.Error(new AuthenticationException("Error validating the token from ADFS", e));
return null;
}
}
我通过将从 Adfs 收到的不记名令牌传递到 Web api 调用的授权标头中来实现此目的,然后在 owin 启动期间使用 Microsoft.Owin.Security.Jwt nuget 包将令牌转换为 httpcontext 当前身份网络 API 项目。
此示例使用 jwt 令牌作为不记名令牌。为要使用的令牌类型选择正确的 NuGet 包。
在mvc控制器中构造WebRequest
BootstrapContext bc = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext;
HttpWebRequest request = WebRequest.Create(ConfigurationManager.AppSettings["ApiUrl"]) as HttpWebRequest;
request.Method = "GET";
request.Headers["Authorization"] = "Bearer " + bc.Token;
Web api 中的 Owin Startup.cs 文件在 app.UseWebApi(config) 行之前。
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { ConfigurationSettings.AppSettings["ida:Realm"] },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(
ConfigurationSettings.AppSettings["ida:ValidIssuer"],
ConfigurationSettings.AppSettings["ida:SymmetricKey"])
},
Provider = new OAuthBearerAuthenticationProvider
{
OnValidateIdentity = context =>
{
return System.Threading.Tasks.Task.FromResult<object>(null);
}
}
});
| 归档时间: |
|
| 查看次数: |
1622 次 |
| 最近记录: |