WebAPI - Separate deployment for token endpoint and API endpoint

I have two webapi projects which will be deployed as two different websites on the same server - server/site1 and server/site2. They both use token authentication. Can I have a third webapi project with just the token endpoint, deployed at server/tokensite, so that the token retrieved from there can be used for authentication on site1 and site2?

Your question

I have two webapi projects which will be deployed as two different websites on the same server - server/site1 and server/site2. They both use token authentication. Can I have a third webapi project with just the token endpoint that is deployed at server/tokensite

I would rather deploy on the same server but use subdomains:

  • site1.example.com
  • site2.example.com
  • auth.example.com

This gives you the flexibility to move things between servers more easily.

so that the token retrieved from here can be used for authentication on site1 and site2?

Yes, you can, but as I already mentioned, I would not do it on the same domain.

It seems that what you want to achieve is Single Sign On (SSO):

Single sign-on (SSO) is a property of access control of multiple related, yet independent, software systems. Conversely, single sign-off is the property whereby a single action of signing out terminates access to multiple software systems. Other shared authentication schemes such as OpenID, and OpenID Connect offer other services that may require users to make choices during a sign-on to a resource, but can be configured for single sign-on if those other services (such as user consent) are disabled.

So to implement single sign-on you can use OpenID Connect:

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. OpenID Connect performs many of the same tasks as OpenID 2.0, but does so in a way that is API-friendly, and usable by native and mobile applications. OpenID Connect defines optional mechanisms for robust signing and encryption. Whereas integration of OAuth 1.0a and OpenID 2.0 required an extension, in OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself.

Possible solution

I do not recommend that you implement your own solution; instead, delegate it to an authentication provider, or use an open-source package to implement it.

You seem to be using DOTNET, so I recommend reading this quick start from their docs, which walks you through setting up SSO in a new project with some of the official libraries.

In this quickstart, you'll learn how to implement sign-in with Microsoft using an ASP.NET MVC solution with a traditional web browser-based application using OpenID Connect. You'll learn how to enable sign-ins from work and school accounts in your ASP.NET application.

Or you can use SSO from Azure Active Directory.

Single sign-on (SSO) adds security and convenience when users sign-on to applications in Azure Active Directory (Azure AD). This article describes the single sign-on methods, and helps you choose the most appropriate SSO method when configuring your applications.

For anyone reading this but using another language, check out some examples of SSO packages:

Going the extra mile

Once you have deployed your own solution, I recommend investing heavily in securing it. For an API serving web apps you can adopt defense in depth, starting with reCaptcha V3, followed by a Web Application Firewall (WAF) and finally, if you can afford it, a User Behavior Analytics (UBA) solution. If you want to learn and understand why it is important to secure an API properly, you may want to start by reading this series of articles, which will teach you how API keys, user access tokens, HMAC and TLS pinning are used to secure an API and how they can be bypassed. While the series is written in the context of mobile APIs, a lot of it still applies to web APIs.

Google reCAPTCHA V3:

reCAPTCHA is a free service that protects your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep automated software from engaging in abusive activities on your site. It does this while letting your valid users pass through with ease.

...helps you detect abusive traffic on your website without any user friction. It returns a score based on the interactions with your website and provides you more flexibility to take appropriate actions.

WAF - Web Application Firewall:

A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.

UBA - User Behavior Analytics:

User behavior analytics (UBA) as defined by Gartner is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms like Apache Hadoop are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.
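The core of the question above is whether one token service can mint tokens that two separate APIs accept. The following is an added illustration, not code from the question, the answer or any of the products it links: a stdlib-only model of a token service (auth.example.com) that issues an HS256-signed JWT naming every site it is valid for in the `aud` claim, and the validation that each resource server (site1, site2) performs: signature, issuer, audience, and expiry. The shared secret, the audience names "site1"/"site2" and the timestamps are constructed for the demo; a real deployment would use the platform's OpenID Connect libraries with an asymmetric key so the APIs hold only the public half.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the token service and both APIs (assumption:
# symmetric HS256; production setups prefer RS256/ES256 with a published JWKS).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://auth.example.com"  # assumed issuer URL, matching the answer's subdomain layout


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, audiences, ttl: int = 300, now=None) -> str:
    """Token service: mint a JWT whose `aud` lists every site it may be used against."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "aud": list(audiences), "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, expected_audience: str, now=None) -> dict:
    """Resource server (site1 or site2): return the claims if valid, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token's own header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if expected_audience not in aud:
        raise ValueError("token not issued for this audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """Exercise the happy path and the three failure modes a site must reject."""
    t0 = 1_700_000_000  # constructed fixed clock so results are deterministic
    both = issue_token("alice", ["site1", "site2"], now=t0)
    only1 = issue_token("bob", ["site1"], now=t0)
    # Forge a payload while reusing the original signature: must fail the HMAC check.
    h, _, s = both.split(".")
    forged = _b64url(json.dumps({"iss": ISSUER, "sub": "mallory", "aud": ["site1"], "exp": t0 + 300}).encode())
    tampered = f"{h}.{forged}.{s}"

    results = {
        "both@site1": validate_token(both, "site1", now=t0 + 10)["sub"],
        "both@site2": validate_token(both, "site2", now=t0 + 10)["sub"],
    }
    for label, tok, aud, when in [
        ("only1@site2", only1, "site2", t0 + 10),
        ("both@site1-expired", both, "site1", t0 + 600),
        ("tampered", tampered, "site1", t0 + 10),
    ]:
        try:
            validate_token(tok, aud, now=when)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `aud` check is that "one token endpoint for both sites" does not mean "one token accepted everywhere": the token service decides per token which sites it is good for, and each site rejects tokens not addressed to it, alongside the issuer and expiry checks.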