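This article describes how Identity Server can be used to authenticate users for the various web applications you may host. It may be a useful reference for anyone working on the same problem.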

Problem description

I'm not really interested in API authentication - all I want to do is authorize a user who has access to one or many applications from a kind of portal I am designing. We are hosting all the web applications; some are just JavaScript and HTML, some are MVC.

I have created a diagram below with a user called Bob. He is a valid user and is allowed to use an application called "JS" but not MVC. How can this be implemented using Identity Server? Obviously when inside the JS application it still needs to talk to the Identity Server to make sure the current user is valid, or else somebody could just copy the URL of the app and use the application.

NOTE - the JS application is just a plain old HTML5 and JavaScript application; it is nothing fancy like a .NET MVC app.

Recommended answer

One way to achieve this is by registering individual applications (JS and MVC app) as separate clients in IdentityServer (assuming each application has different redirect URIs) and restricting access between those clients.

In order to restrict access between clients for an authenticated user, you need to use the ICustomRequestValidator interface.

More details in this discussion board and a similar post in an SO thread.
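
One way the validator mentioned in the answer could look, as an added example that is not part of the original answer. It assumes the IdentityServer3 `ICustomRequestValidator` interface and a hypothetical `allowed_client` claim that lists the client ids a user may sign in to (Bob would carry `allowed_client=js` but not `allowed_client=mvc`):

```csharp
using System.Linq;
using System.Threading.Tasks;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Validation;

// Added example. Register it on the service factory, for instance:
//   factory.CustomRequestValidator =
//       new Registration<ICustomRequestValidator, ClientAccessRequestValidator>();
public class ClientAccessRequestValidator : ICustomRequestValidator
{
    // Hypothetical claim type; use whatever your user store issues.
    private const string AllowedClientClaim = "allowed_client";

    public Task<AuthorizeRequestValidationResult> ValidateAuthorizeRequestAsync(
        ValidatedAuthorizeRequest request)
    {
        var subject = request.Subject;

        // The request is validated before login as well. Let an anonymous
        // request through so the login page is shown; the check below runs
        // again once the user has authenticated.
        if (subject == null || subject.Identity == null ||
            !subject.Identity.IsAuthenticated)
        {
            return Task.FromResult(
                new AuthorizeRequestValidationResult { IsError = false });
        }

        // Deny by default: the user must hold a claim naming this client.
        var allowed = subject.Claims.Any(c =>
            c.Type == AllowedClientClaim &&
            c.Value == request.Client.ClientId);

        var result = allowed
            ? new AuthorizeRequestValidationResult { IsError = false }
            : new AuthorizeRequestValidationResult
              {
                  IsError = true,
                  Error = "access_denied"
              };
        return Task.FromResult(result);
    }

    public Task<TokenRequestValidationResult> ValidateTokenRequestAsync(
        ValidatedTokenRequest request)
    {
        // Browser sign-in for the JS and MVC clients goes through the
        // authorize endpoint, so token requests are not restricted here.
        return Task.FromResult(
            new TokenRequestValidationResult { IsError = false });
    }
}
```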

10-21 03:00