I am building a secure web-based API that uses HTTPS; however, if I allow users to configure it through the query string (including sending the password), is that still secure, or should I force it through POST?
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    // Resource Owner Password Credentials grant: the client posts username/password
    // to the token endpoint and receives a bearer token.
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // AuthenticateUser is my own lookup that validates the user and password
        bool isValidUser = AuthenticateUser(context.UserName, context.Password);
        if (!isValidUser)
        {
            context.Rejected();
            return;
        }

        // create identity
        var id = new ClaimsIdentity(context.Options.AuthenticationType);
        id.AddClaim(new Claim("sub", context.UserName));
        id.AddClaim(new Claim("role", "user"));

        // create metadata to pass on to refresh token provider
        var props = new AuthenticationProperties(new Dictionary<string, string>
        {
            { "as:client_id", context.ClientId }
        });

        var ticket = new AuthenticationTicket(id, props);
        context.Validated(ticket);
    }
}
At login time I'm using this SimpleAuthorizationServerProvider (in Web …
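The question above asks whether a password in the query string is safe once the connection is HTTPS. TLS does protect the URL on the wire, but the request line, query string included, is routinely written to server access logs, reverse-proxy logs and browser history, and can leak through the Referer header; a POST body is not recorded by any of those. The following is an added example, not code from the original question: a small detector that scans constructed access-log lines (combined log format, with assumed host names, paths and a made-up token value) for credentials carried in the query string, plus a redaction helper for the logging path. The parameter list in SENSITIVE_PARAMS is an assumption you would tune to your own API.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of query parameter names that must never reach a log.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "secret", "token",
                    "access_token", "client_secret"}

# Constructed sample log lines (combined log format). The first request carries
# the password in the URL, the second carries it in a POST body, which the log
# never records, and the third leaks a (made-up) token via the query string.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2018:12:00:01 +0000] "GET /api/v1/login?username=alice&password=Hunter2%21 HTTP/1.1" 200 512 "-" "curl/7.58.0"
203.0.113.7 - - [10/Apr/2018:12:00:02 +0000] "POST /api/v1/login HTTP/1.1" 200 512 "-" "curl/7.58.0"
203.0.113.9 - - [10/Apr/2018:12:00:03 +0000] "GET /api/v1/users/me?access_token=tok-CONSTRUCTED-0001 HTTP/1.1" 200 88 "https://app.example.com/" "Mozilla/5.0"
"""

# Pulls method and request target out of the quoted request line.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_leaked_params(log_text):
    """Return (method, path, [leaked parameter names]) for every logged request
    whose query string carries a sensitive parameter."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        leaked = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
                  if name.lower() in SENSITIVE_PARAMS]
        if leaked:
            findings.append((match.group("method"), parts.path, leaked))
    return findings


def redact_url(url):
    """Replace the value of every sensitive query parameter before a URL is
    logged, keeping the rest of the URL intact for troubleshooting."""
    parts = urlsplit(url)
    pairs = [(name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for method, path, leaked in find_leaked_params(SAMPLE_LOG):
        print(f"{method} {path}: sensitive query parameters {leaked}")
    print(redact_url("https://api.example.com/api/v1/login?username=alice&password=Hunter2%21"))
```

Run against real logs, the detector turns up exactly the exposure the question worries about, and the POST line shows why moving the credential into the body (or, for an OAuth2 token endpoint as in the code above, into the form-encoded POST body the provider reads from) removes it from every log in the path. Redaction is a fallback for URLs you do not control, not a substitute for keeping secrets out of the URL.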
I have an HTML5 video tag pointing at my ASP.NET WebAPI, which requires bearer authentication; most of my requests to the API look like this:
GET http://localhost:29080/api/v1/users/me HTTP/1.1
Host: localhost:29080
Connection: keep-alive
Accept: application/json, text/plain, */*
Origin: http://localhost:4200
Authorization: Bearer c66b36fe-fcc1-49da-9b42-dac783768a06
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Referer: http://localhost:4200/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,fr;q=0.8
Since the application is hosted on a different port (and eventually a different address), it is subject to CORS. I have set up my WebAPI to be compatible:
config.EnableCors(new EnableCorsAttribute("*", "*", "*"));
Unfortunately, my HTML5 video tag does not seem to be able to use that setting.
<video
crossorigin="use-credentials"
src="http://localhost:29080/api/v1/entities/470/presentation-video">
I end up with:
Failed to load http://localhost:29080/api/v1/entities/470/presentation-video:
The value of the 'Access-Control-Allow-Origin' header in the response must
not be the wildcard …
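The error in the question above is the browser enforcing a CORS rule: when a request is sent with credentials (which is what `crossorigin="use-credentials"` asks for), the response may not answer with `Access-Control-Allow-Origin: *`; it must echo one specific origin and also carry `Access-Control-Allow-Credentials: true`. The following is an added example, not code from the original question or from ASP.NET Web API: the three server policies side by side, the wildcard setting from the question, the tempting but insecure "echo whatever Origin arrives" fix, and the allow-listed version, with a small model of the browser's check for a simple (non-preflighted) request. The allow-list contents and the origins used are assumptions.

```python
# Assumed allow-list of origins that may read credentialed responses.
ALLOWED_ORIGINS = {"http://localhost:4200", "https://app.example.com"}


def cors_headers_wildcard(request_headers):
    """What EnableCorsAttribute("*", "*", "*") effectively sends: a wildcard
    origin and no credentials flag. Fine for anonymous requests, rejected by
    the browser as soon as the request carries credentials."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers_echo_any(request_headers):
    """The usual wrong fix: reflect any Origin and allow credentials. This
    satisfies the browser but lets every website on the internet make
    credentialed reads of the API in the victim's session."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_allowlisted(request_headers):
    """Hardened version: echo the Origin only when it is on the allow-list,
    mark the response credential-capable, and tell caches the answer depends
    on the Origin header so one origin's response is never served to another."""
    origin = request_headers.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers at all: the browser blocks the read
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def browser_accepts(response_headers, request_origin, with_credentials):
    """Model of the browser-side check for a simple cross-origin request:
    without credentials a wildcard or matching origin is enough; with
    credentials the origin must match exactly and the credentials flag
    must be present."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        return (acao == request_origin
                and response_headers.get("Access-Control-Allow-Credentials") == "true")
    return acao == "*" or acao == request_origin


if __name__ == "__main__":
    app = {"Origin": "http://localhost:4200"}
    attacker = {"Origin": "https://attacker.example"}
    for name, policy in [("wildcard", cors_headers_wildcard),
                         ("echo-any", cors_headers_echo_any),
                         ("allow-listed", cors_headers_allowlisted)]:
        print(f"{name:12} app+credentials:      "
              f"{browser_accepts(policy(app), app['Origin'], True)}")
        print(f"{name:12} attacker+credentials: "
              f"{browser_accepts(policy(attacker), attacker['Origin'], True)}")
```

The allow-listed policy is the only one that both lets the video load and keeps an attacker's page out. In ASP.NET Web API the same configuration is expressed by naming the origin instead of `*` and setting `SupportsCredentials = true` on the `EnableCorsAttribute`. One caveat for this particular question: a `<video>` element cannot attach the `Authorization: Bearer` header the XHR requests above use; `use-credentials` only makes the browser send cookies (and TLS client certificates), so the media endpoint needs a credential the browser will send on its own.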