2021-12-08 (Wednesday)

[Implementation] Authentication: Modern Token-Based (ASP.NET Web API v2 JWT)

Traditional cookie-based authentication is basic knowledge and everyone should already understand how it works, so it is not covered here; this post focuses on modern token-based authentication and its implementation:

1. The biggest difference between Web API v1 and Web API v2 is that v2 adds a refresh token mechanism

Web API v1 ships with ASP.NET MVC 4 (Visual Studio 2012); Web API v2 ships with ASP.NET MVC 5 (Visual Studio 2013).
For other differences, see:
進擊的 Web API 2 巨人 – 打造支援各種裝置及平台的服務 (Attack on Web API 2: building services that support all kinds of devices and platforms)

2. Problems that access tokens solve

2-1. Cross-domain / CORS:
Cookies + CORS don't play well across different domains. A token-based approach allows you to make AJAX calls to any server,
on any domain, because you use an HTTP header to transmit the user information.
2-2. Stateless (server-side scalability):
Stateless (a.k.a. server-side scalability): there is no need to keep a store; the token is a self-contained entity that conveys all the user information.
The rest of the state lives in cookies or local storage on the client side.
2-3. CDN:
You can serve all the assets of your app from a CDN (e.g. JavaScript, HTML, images, etc.), and your server side is just the API.
2-4. Decoupling:
You are not tied to a particular authentication scheme. The token might be generated anywhere,
hence your API can be called from anywhere with a single way of authenticating those calls.
2-5. Mobile ready:
When you start working on a native platform (iOS, Android, Windows 8, etc.), cookies are not ideal when consuming a secure API (you have to deal with cookie containers).
Adopting a token-based approach simplifies this a lot.
2-6. CSRF:
Since you are not relying on cookies, you don't need to protect against cross-site requests (e.g. it would not be possible to <iframe> your site,
generate a POST request and re-use the existing authentication cookie, because there will be none).
2-7. Performance:
We are not presenting any hard perf benchmarks here, but a network round trip (e.g. finding a session in the database)
is likely to take more time than calculating an HMAC-SHA256 to validate a token and parsing its contents.
2-8. The login page is not a special case:
If you are using Protractor to write your functional tests, you don't need to handle any special case for login.
2-9. Standards-based:
Your API could accept a standard JSON Web Token (JWT). This is a standard, and there are multiple backend libraries (.NET, Ruby, Java, Python, PHP)
and companies backing their infrastructure with it (e.g. Firebase, Google, Microsoft). As an example, Firebase allows their customers to use any authentication mechanism,
as long as you generate a JWT with certain pre-defined properties, signed with the shared secret, to call their API.

3. Example WebAPI.WebAPIv2 project; see the source code below

3-1. Startup.cs is the startup registration file; it registers WebApiConfig.cs from App_Start.
3-2. CustomAuthProvider.cs in the Providers folder implements basic access token issuance.
3-3. CustomRefreshTokenProvider.cs implements the refresh token feature (backed by the database tables WebAPIv2Client and WebAPIv2RefreshToken).
3-4. The Controllers folder holds the ASP.NET Web API 2 services, following RESTful conventions.
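To make the refresh token provider in 3-3 concrete, here is an added example (hypothetical code, not the post's CustomRefreshTokenProvider.cs) of an OWIN IAuthenticationTokenProvider that issues opaque, single-use refresh tokens and stores only their hash; it assumes an in-memory dictionary in place of the WebAPIv2RefreshToken table, and is wired in through OAuthAuthorizationServerOptions.RefreshTokenProvider in Startup.cs.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Infrastructure;

// Hypothetical provider (added example), not the post's CustomRefreshTokenProvider.cs.
// The ConcurrentDictionary stands in for the WebAPIv2RefreshToken table.
public class ExampleRefreshTokenProvider : IAuthenticationTokenProvider
{
    // SHA-256(refresh token) -> serialized AuthenticationTicket
    private static readonly ConcurrentDictionary<string, string> Store =
        new ConcurrentDictionary<string, string>();

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        // Opaque, unguessable refresh token: 32 bytes from a CSPRNG
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        var refreshToken = Convert.ToBase64String(raw);

        // The refresh token gets its own (longer) lifetime than the access token;
        // the OAuth middleware rejects an expired ticket on the refresh_token grant.
        context.Ticket.Properties.IssuedUtc = DateTimeOffset.UtcNow;
        context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(7);

        // Persist only the hash, so a leaked table cannot be replayed as-is
        Store[Hash(refreshToken)] = context.SerializeTicket();
        context.SetToken(refreshToken);
        return Task.FromResult(0);
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        string ticket;
        // Single use: remove on receipt, so a replayed refresh token is rejected
        if (Store.TryRemove(Hash(context.Token), out ticket))
            context.DeserializeTicket(ticket);
        return Task.FromResult(0);
    }

    public void Create(AuthenticationTokenCreateContext context) { CreateAsync(context).Wait(); }
    public void Receive(AuthenticationTokenReceiveContext context) { ReceiveAsync(context).Wait(); }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

In a real deployment the store also records the client id and the subject so that a refresh token can be revoked per client or per user, which is what the WebAPIv2Client and WebAPIv2RefreshToken tables in the post are for.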

4. Source code

Startup.cs

CustomAuthProvider.cs

CustomRefreshTokenProvider.cs

Table.WebAPIv2Client

Table.WebAPIv2RefreshToken

Postman test results:

See also

[Implementation] How to effectively prevent duplicate button submissions in ASP.NET (client side)

Because of various conditions and network environments, the server often does not respond as quickly and reliably as expected; at the moment a form is submitted, the request is not always triggered immediately.
