ASP.NET Web API Authorization using Tokens
Planning real world REST API
http://blog.developers.ba/post/2012/03/03/ASPNET-Web-API-Authorization-using-Tokens.aspx
When you try to plan how to build a real world REST API like the ones major players such as Facebook or Foursquare have, you will soon realize that all of them use OAuth 2.0.
ASP.NET Web API comes with support for the Authorize attribute, and that is nice, but for a real world API I want to support a token based approach.
OAuth 2.0 Server
To support a token based approach you must have some kind of server that issues tokens. Building a token server can be complex, and most major players have implemented their OAuth 2.0 server based on draft 10 of the OAuth 2.0 specification.
We hope that Microsoft will provide us with their own OAuth 2.0 server for free in the final version of ASP.NET MVC 4.
Meanwhile, I will just assume that you already have your own OAuth 2.0 server.
Building ActionFilterAttribute
I have solved my authorization problem by implementing a RequireAuthorization ActionFilterAttribute. This attribute also has a Scope property, which is used for limiting access to your REST API.
You just need to decorate controllers, or actions in controllers, with this attribute and optionally set the scope required for accessing those actions.
Here is the RequireAuthorization attribute:
```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class RequireAuthorization : ActionFilterAttribute
{
    // Comma-separated list of scopes the decorated action requires; empty means any valid token.
    public string Scope { get; set; }

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        string[] scope = null;
        if (!string.IsNullOrEmpty(Scope))
        {
            scope = Scope.Split(new[] { "," }, StringSplitOptions.RemoveEmptyEntries);
        }

        // The token is read from the accessToken query-string parameter of the request.
        string query = actionContext.Request.RequestUri.Query;
        string accessToken = HttpUtility.ParseQueryString(query).Get("accessToken");

        // we first check for valid token
        if (accessToken != null)
        {
            IAccessTokenValidator accessTokenValidator = new AccessTokenValidator();
            bool validToken = accessTokenValidator.ValidateToken(accessToken, scope);
            if (!validToken)
            {
                var response = new HttpResponseMessage
                {
                    Content = new StringContent("This token is not valid, please refresh token or obtain valid token!"),
                    StatusCode = HttpStatusCode.Unauthorized
                };
                throw new HttpResponseException(response);
            }
        }
        else
        {
            var response = new HttpResponseMessage
            {
                Content = new StringContent("You must supply valid token to access method!"),
                StatusCode = HttpStatusCode.Unauthorized
            };
            throw new HttpResponseException(response);
        }

        base.OnActionExecuting(actionContext);
    }
}
```
And here is the AccessTokenValidator class:
```csharp
// Interface inferred from its use in RequireAuthorization; it is not shown on the original page.
public interface IAccessTokenValidator
{
    bool ValidateToken(string token, string[] scope);
}

public class AccessTokenValidator : IAccessTokenValidator
{
    public bool ValidateToken(string token, string[] scope)
    {
        // replace this logic with dataBase access to table with tokens
        if (token != "someToken")
        {
            return false;
        }
        return true;
    }
}
```
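As an added example, not code from the original post, here is a variant of the same filter and validator that reads the token from the Authorization: Bearer header instead of the query string, rejects expired tokens, and checks every scope listed on the attribute against the scopes granted to the token. The names IssuedToken, ScopedAccessTokenValidator and RequireBearerAuthorization, and the in-memory store holding the constructed token "sampleToken", are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
// Hypothetical record of what the OAuth 2.0 server stored when it issued an access token.
public sealed class IssuedToken { public string[] Scopes; public DateTime ExpiresUtc; }
// Validator that also rejects expired tokens and demands every scope the action requires.
public class ScopedAccessTokenValidator
{
    // Constructed in-memory store; a real deployment looks the token up in the database.
    private static readonly Dictionary<string, IssuedToken> Store = new Dictionary<string, IssuedToken>
    {
        { "sampleToken", new IssuedToken { Scopes = new[] { "read" }, ExpiresUtc = DateTime.UtcNow.AddHours(1) } }
    };
    public bool ValidateToken(string token, string[] scope)
    {
        IssuedToken issued;
        if (string.IsNullOrEmpty(token) || !Store.TryGetValue(token, out issued)) return false;
        if (issued.ExpiresUtc <= DateTime.UtcNow) return false;            // expired token
        // No scope on the attribute means any valid token; otherwise all listed scopes must be granted.
        return scope == null || scope.All(s => issued.Scopes.Contains(s, StringComparer.Ordinal));
    }
}
public class RequireBearerAuthorization : ActionFilterAttribute
{
    public string Scope { get; set; }
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        // Read the token from the Authorization header (RFC 6750 bearer usage) rather than the
        // query string, so it does not end up in server logs, proxies or browser history.
        AuthenticationHeaderValue auth = actionContext.Request.Headers.Authorization;
        string token = (auth != null && auth.Scheme == "Bearer") ? auth.Parameter : null;
        string[] scope = string.IsNullOrEmpty(Scope)
            ? null : Scope.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        if (!new ScopedAccessTokenValidator().ValidateToken(token, scope))
        {
            var response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, "A valid bearer token is required.");
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            throw new HttpResponseException(response);
        }
        base.OnActionExecuting(actionContext);
    }
}
```

Decorating an action with [RequireBearerAuthorization(Scope = "read")] then accepts a request carrying "Authorization: Bearer sampleToken" and rejects one with a missing, unknown, expired or under-scoped token.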