Active Directory 帐户的 Oauth 2 令牌

Oauth 2 token for Active Directory accounts(Active Directory 帐户的 Oauth 2 令牌)
本文介绍了Active Directory 帐户的 Oauth 2 令牌的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

问题描述

我过去曾使用 Owin 在我的 Mvc Web Api 项目中创建令牌端点,以提供带有资源所有者密码凭据"授权类型,其中访问令牌提供者将检查数据库用户表以验证移动客户端(使用 Visual Studio 工具为 Cordova 开发的多平台应用程序)提供的凭据的有效性.

I have used Owin in the past to create a token endpoint in my Mvc Web Api projects to provide oauth 2.0 tokens with "Resource Owner Password Credentials" grant type where access token provider would check a database user table to verify the validity of the credentials supplied by the mobile client (multiplatform App developed with Visual studio tool for Cordova).

在此项目中,Web Api 将由 Active Directory Windows 域帐户使用的多平台移动应用程序使用

In this project, the Web Api will be consumed by a multiplatform Mobile app used by Active Directory Windows domain accounts

我想使用 Owin Oauth 2.0 向这些用户授予访问令牌,但我不知道如何检查这些凭据的有效性.

I would like to use Owin Oauth 2.0 to grant an Access Token to these users but I don't know how to check the validity of these credentials.

我的想法是将 /token 端点放在 basic authentication" 后面,并在访问令牌提供程序的代码中从身份获取用户,如果是经过身份验证的使用,应该由Asp.net管道自动创建.

What I was thinking is to put the /token endpoint behind "basic authentication" and in the code of the Access Token Provider get the user from the Identity that, in case of authenticated used, should be automatically created by the Asp.net pipeline.

有什么可行的方法吗?

您知道将 Oauth 2.0 用于 AD Windows 帐户的更好主意吗?

Do you know any better idea to use Oauth 2.0 for AD Windows Accounts?

注意:

我也在调查 Active Directory 是否能够自己提供 Oauth 2.0 端点.

I'm also investigating if Active Directory is able to provide an Oauth 2.0 endpoint by itself.

推荐答案

这里有一个很好的演练,介绍了如何使用 Active Directory 联合服务来获取 OAuth2 令牌.https://technet.microsoft.com/en-us/library/dn633593.aspx.您必须点击底部的所有链接才能获得完整的演练.

Here is a pretty good walkthrough of how to use Active Directory Federation Services to obtain an OAuth2 token. https://technet.microsoft.com/en-us/library/dn633593.aspx. You'll have to follow all the links at the bottom to get the entire walkthrough.

请注意,它指的是使用 适用于 .NET 的 Windows Azure AD 身份验证库.但根据该文档,该库同时用于 Azure Active Directory 和本地 Active Directory.

Note that it refers to using Windows Azure AD Authentication Library for .NET. But according to that documentation, that library is used for both Azure Active Directory and on premises Active Directory.

至于工作流程,一旦通过身份验证,您将能够获得一个不记名令牌并将其呈现给您的 WebAPI.然后,您的 WebAPI 会验证令牌的签名以确保它是由 AD FS 颁发的,检查令牌是否仍然有效且尚未过期,并且可能还会验证令牌中的其他声明.此时,客户端要么被授权,他们请求的信息在响应中发送,要么他们未经授权,不会发送任何数据."- https://technet.microsoft.com/en-us/library/dn633593.aspx

As for the workflow, once authenticated you'll be able to obtain and present a bearer token to your WebAPI. Your WebAPI then "validates the signature of the token to ensure it was issued by AD FS, checks to see if the token is still valid and hasn’t expired and may possibly also validate other claims in the token. At this point, the client is either authorized and the information they requested is sent in the response or they are unauthorized and no data will be sent." - https://technet.microsoft.com/en-us/library/dn633593.aspx

这篇关于Active Directory 帐户的 Oauth 2 令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

本站部分内容来源互联网,如果有图片或者内容侵犯您的权益请联系我们删除!

相关文档推荐

What#39;s the difference between retrieving WindowsPrincipal from WindowsIdentity and Thread.CurrentPrincipal?(从 WindowsIdentity 和 Thread.CurrentPrincipal 检索 WindowsPrincipal 之间有什么区别?)
How do I find a user#39;s Active Directory display name in a C# web application?(如何在 C# Web 应用程序中查找用户的 Active Directory 显示名称?)
How to use Servicestack Authentication with Active Directory/Windows Authentication?(如何在 Active Directory/Windows 身份验证中使用 Servicestack 身份验证?)
How can I authenticate against Active Directory in Nancy?(如何在 Nancy 中对 Active Directory 进行身份验证?)
How to get a username in Active Directory from a display name in C#?(如何从 C# 中的显示名称获取 Active Directory 中的用户名?)
Working with DirectoryServices in ASP.NET Core(在 ASP.NET Core 中使用 DirectoryServices)