來自客戶端的web api認證

Question

我有一個www.api.com和一個www.client.com 所有註冊都將在api.com完成，登錄將在api.com完成。 client.com只能看到登錄表單的用戶界面。

用戶登錄後，api.com將令牌返回給用戶。如何使用令牌訪問api.com中其餘的webapi？我想訪問GetExployeeByID方法。使用後登錄。我保存在該單詞在sessionStorage.setItem('token', data.access_token)

API方法

[RoutePrefix("api/Customer")] 
public class CustomerController : ApiController 
{ 
    List<customer> list = new List<customer>() { new customer {id=1 ,customerName="Marry",age=13}, 
     new customer { id = 2, customerName = "John", age = 24 } }; 

    [Route("GetExployeeByID/{id:long}")] 
    [HttpGet] 
    [Authorize] 
    public customer GetExployeeByID(long id) 
    {  
     return list.FirstOrDefault(x=>x.id==id); 
    } 

} 

更新1 這是我的AJAX後調用API登錄後

function lgetemp() { 
    $.ajax({ 
     url: 'http://www.azapi.com:81/api/customer/GetExployeeByID/1', 
     datatype:"json", 
     type: 'get', 
     headers: { 
      "access_token":sessionStorage.getItem("token") 
     }, 
     crossDomain: true, 
     success: function (data) { 
      debugger 
      alert(data.customerName) 
     }, 
     error: function (err) { 
      debugger 
      alert('error') 
     } 

    }) 
} 

Answer 1

您應該通過令牌在從客戶端到api的請求的頭部中

Authorization Basic yJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY= 

從API可以查詢標題並取出令牌。

string authorizationHeader = HttpContext.Current.Request.Headers["Authorization"]; 
string toke = authorizationHeader.Replace("Bearer ", String.Empty); 

我已經在我的最新項目做什麼是有一個類AuthToken，做了很多這對我來說

public class AuthToken : IAuthToken 
{ 
    private string _raw; 
    private IDictionary<string, string> _deserialized; 

    public string Raw 
    { 
     get 
     { 
      if (String.IsNullOrWhiteSpace(_raw)) 
      { 
       string authorizationHeader = HttpContext.Current.Request.Headers["Authorization"]; 
       _raw = authorizationHeader.Replace("Bearer ", String.Empty); 
      } 
      return _raw; 
     } 
    } 

    public IDictionary<string, string> Deserialized 
    { 
     get 
     { 
      if (_deserialized == null) 
      { 
       string[] tokenSplit = Raw.Split('.'); 
       string payload = tokenSplit[1]; 
       byte[] payloadBytes = Convert.FromBase64String(payload); 
       string payloadDecoded = Encoding.UTF8.GetString(payloadBytes); 
       _deserialized = JsonConvert.DeserializeObject<IDictionary<string, string>>(payloadDecoded); 
      } 
      return _deserialized; 
     } 
    } 
} 

然後我注入的是爲UserContext類，我可以注入我的控制器等。用戶上下文然後可以根據需要從令牌中提取聲明。 （假設它是JWT）

public class UserContext : IUserContext 
{ 
    private IList<Claim> _claims; 
    private string _identifier; 
    private string _email; 
    private string _clientId; 

    public IAuthToken Token { get; } 

    public IList<Claim> Claims 
    { 
     get 
     { 
      return _claims ?? (_claims = Token.Deserialized.Select(self => new Claim(self.Key, self.Value)).ToList()); 
     } 
    } 

    public string Identifier => _identifier ?? (_identifier = Token.Deserialized.ContainsKey("sub") ? Token.Deserialized["sub"] : null); 

    public string Email => _email ?? (_email = Token.Deserialized.ContainsKey(ClaimTypes.Email) ? Token.Deserialized[ClaimTypes.Email] : null); 

    public UserContext(IAuthToken authToken) 
    { 
     Token = authToken; 
    } 
} 

Answer 2

您需要將令牌傳遞給請求標頭並調用API url。通過傳遞您擁有的URL和令牌可以調用以下函數。

static string CallApi(string url, string token) 
{ 
    ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true; 
    using (var client = new HttpClient()) 
    { 
     if (!string.IsNullOrWhiteSpace(token)) 
     { 
      var t = JsonConvert.DeserializeObject<Token>(token); 

      client.DefaultRequestHeaders.Clear(); 
      client.DefaultRequestHeaders.Add("Authorization", "Bearer " + t.access_token); 
     } 
     var response = client.GetAsync(url).Result; 
     return response.Content.ReadAsStringAsync().Result; 
    } 
} 

請參閱 - Token based authentication in Web API的詳細說明。