Secure a Web API with Individual Accounts and Local Login in ASP.NET Web API 2.2

https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/individual-accounts-in-web-api

In Visual Studio 2013, the Web API project template gives you three options for authentication:

• Individual accounts. The app uses a membership database.
• Organizational accounts. Users sign in with their Azure Active Directory, Office 365, or on-premise Active Directory credentials.
• Windows authentication. This option is intended for Intranet applications, and uses the Windows Authentication IIS module.

For more details about these options, see Creating ASP.NET Web Projects in Visual Studio 2013.

 完整的代码示例https://github.com/MikeWasson/LocalAccountsApp

Individual accounts provide two ways for a user to log in:

• Local login. The user registers at the site, entering a username and password. The app stores the password hash in the membership database. When the user logs in, the ASP.NET Identity system verifies the password.
• Social login. The user signs in with an external service, such as Facebook, Microsoft, or Google. The app still creates an entry for the user in the membership database, but does not store any credentials. The user authenticates by signing into the external service.

This article looks at the local login scenario. For both local and social login, Web API uses OAuth2 to authenticate requests. However, the credential flows are different for local and social login.

 

First, we need to define some OAuth2 terminology.

• Resource. Some piece of data that can be protected.
• Resource server. The server that hosts the resource.
• Resource owner. The entity that can grant permission to access a resource. (Typically the user.)
• Client: The app that wants access to the resource. In this article, the client is a web browser.
• Access token. A token that grants access to a resource.
• Bearer token. A particular type of access token, with the property that anyone can use the token. In other words, a client doesn't need a cryptographic key or other secret to use a bearer token. For that reason, bearer tokens should only be used over a HTTPS, and should have relatively short expiration times.
• Authorization server. A server that gives out access tokens.

An application can act as both authorization server and resource server. The Web API project template follows this pattern.

 

The authorization server and the authentication filter both call into an OWIN middleware component that handles the details of OAuth2. I'll describe the design in more detail later in this tutorial.

 

作者:Chuck Lu    GitHub