C#: How should I implement OAuth for an application?
Disclaimer: this page is a Chinese-English bilingual translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/15770385/
How should I implement OAuth for an application?
Asked by Chev
I am creating an application for a client that needs to do the following:
- Allow users to authenticate using Google, Facebook, Twitter, and LinkedIn.
- Allow users to add additional providers after signing up. (i.e. if the user authenticated with Google then they should be able to add any or all of the other providers as well.)
- Allow users to import Google contacts, Facebook friends list, Twitter followers, and LinkedIn friends in order to build a custom contact list.
Where is the best place to start learning about this? Is there a standard that everybody uses for these things in .NET? I've been Googling around for a few hours and while it seems most people point to DotNetOpenAuth, I can't seem to find any solid tutorials on how to use the library. The download comes with samples but it's still confusing me.
I assumed it would be as simple as:
- Configure providers' secrets.
- Begin login with provider
- Authenticate user with auth cookie
- Create user record in my database and store unique ID from provider.
But it seems like every provider has its own set of code, and it's all so different and confusing. Facebook has some graph object, Twitter has some "InMemoryTokenManager" that I don't understand, and Google doesn't even have an authentication example, only a Google Address Book example. And on top of all that you have to copy bits of code out of some ApplicationBlock demo in the samples into your own app for some reason, and getting that all to compile without knowing what the heck it's trying to do is an arduous task.
I feel like I'm missing something fundamental with all this.
Even a book recommendation would be great at this point.
I believe I understand the high-level concepts of OAuth but once I try to dive into the nitty-gritty I immediately get lost.
Accepted answer by Wiktor Zychla
First, there is really no point in using external libraries if you are on .NET 4.5, where the default ASP.NET template comes with authentication code for most of these mentioned providers.
Second, if you still need a good tutorial on some details of OAuth2 authentication, take a look at this great post by Ben Foster: http://ben.onfabrik.com/posts/oauth-providers
Third, unfortunately, if you need anything other than authentication, there is no single protocol. Thus, each provider has its own way of exposing this additional data (contacts, posts, etc.). You can't do much about it; it has nothing to do with OAuth2 but is just a way of invoking a specific API which by chance is often exposed as REST/XML web services based on OAuth2 authentication. This means that if you do authentication only, the protocol is mostly the same for each provider. Anything more is specific.
Fourth, I would stick with the email address returned by a provider rather than the internal id. Not all providers support the id, whereas all of them can return the user's email. And you can trust this information, as providers verify emails before they return them via OAuth2.
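The following is an added example, not code from the question, from this answer, or from DotNetOpenAuth. It walks through the four steps the question lists (configure the provider's secrets, begin the login, handle the callback, create or link a local user record) with a provider-agnostic OAuth 2.0 authorization-code client, which is the part of the flow the answer's third point says is mostly the same for every provider. It assumes .NET 6 or later; the endpoint URLs, client id and secret, redirect URI, and the subject and email values in `Main` are placeholders and constructed sample data. It adds the two checks a practitioner wants on the callback, a session-bound `state` value and PKCE, and it keeps both the provider's subject identifier and the reported email (with the provider's verified flag) on each external login, keying the link table on the (provider, subject) pair the question's fourth step stores.

```csharp
// Added example, not code from the question or any answer: a provider-agnostic
// OAuth 2.0 authorization-code client (state + PKCE) plus a local account store that
// links several external logins to one user. All endpoints, ids, secrets and subjects are placeholders.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public sealed record OAuth2Provider(string Name, string AuthorizeEndpoint,
    string TokenEndpoint, string ClientId, string ClientSecret, string Scope);

// Persisted per external login: the provider's stable subject id, the email it
// reported, and whether the provider flagged that email as verified.
public sealed record ExternalLogin(string Provider, string Subject, string Email, bool EmailVerified);

public static class OAuth2Client
{
    public static string Base64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    // 256-bit random token, used for both the CSRF "state" and the PKCE verifier.
    public static string RandomToken() => Base64Url(RandomNumberGenerator.GetBytes(32));
    // PKCE S256: code_challenge = BASE64URL(SHA256(code_verifier)).
    public static string CodeChallenge(string verifier) => Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));

    // Step 1, "begin login with provider": the query shape is the same for every
    // OAuth 2.0 provider; only endpoint, scopes and client id differ.
    public static string BuildAuthorizationUrl(OAuth2Provider p, string redirectUri, string state, string verifier)
    {
        var q = new Dictionary<string, string>
        {
            ["response_type"] = "code", ["client_id"] = p.ClientId, ["redirect_uri"] = redirectUri,
            ["scope"] = p.Scope, ["state"] = state,
            ["code_challenge"] = CodeChallenge(verifier), ["code_challenge_method"] = "S256",
        };
        return p.AuthorizeEndpoint + "?" + string.Join("&",
            q.Select(kv => Uri.EscapeDataString(kv.Key) + "=" + Uri.EscapeDataString(kv.Value)));
    }

    // Step 2, on the callback: the returned state must equal the one kept in the session, or an
    // attacker can finish the login with a code for *their* provider account in the victim's session.
    public static bool StateMatches(string expected, string returned) =>
        CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(returned));

    // Step 3: exchange the code server-side so the client secret never reaches the browser.
    public static async Task<JsonDocument> ExchangeCodeAsync(HttpClient http, OAuth2Provider p,
        string code, string redirectUri, string verifier)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code", ["code"] = code, ["redirect_uri"] = redirectUri,
            ["client_id"] = p.ClientId, ["client_secret"] = p.ClientSecret, ["code_verifier"] = verifier,
        });
        using var resp = await http.PostAsync(p.TokenEndpoint, form);
        resp.EnsureSuccessStatusCode();
        return JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
    }
}

// Step 4: local users, each with one or more linked external logins, keyed on the
// (provider, subject) pair, i.e. the "unique ID from provider" the question stores.
public sealed class UserStore
{
    private readonly Dictionary<(string, string), Guid> _links = new();
    public Dictionary<Guid, List<ExternalLogin>> Users { get; } = new();
    public Guid? FindUser(ExternalLogin l) => _links.TryGetValue((l.Provider, l.Subject), out var id) ? id : (Guid?)null;
    public Guid CreateUser(ExternalLogin first) { var id = Guid.NewGuid(); Users[id] = new(); Link(id, first); return id; }

    // "Add additional providers after signing up": call only for a user already
    // authenticated in this session, never straight from an unauthenticated callback.
    public void Link(Guid userId, ExternalLogin l)
    {
        if (_links.ContainsKey((l.Provider, l.Subject)))
            throw new InvalidOperationException($"{l.Provider} account already linked");
        _links[(l.Provider, l.Subject)] = userId;
        Users[userId].Add(l);
    }
}

public static class Program
{
    public static void Main()
    {
        var google = new OAuth2Provider("google", "https://accounts.example/o/oauth2/auth",
            "https://accounts.example/token", "CLIENT_ID", "CLIENT_SECRET", "openid email");
        string state = OAuth2Client.RandomToken(), verifier = OAuth2Client.RandomToken();
        // In a web app: store state and verifier in the session, then redirect the browser to this URL.
        Console.WriteLine(OAuth2Client.BuildAuthorizationUrl(google, "https://app.example/callback", state, verifier));
        // Constructed sample identities standing in for parsed token / userinfo responses.
        var store = new UserStore();
        var uid = store.CreateUser(new ExternalLogin("google", "sub-1001", "alice@example.com", true));
        store.Link(uid, new ExternalLogin("facebook", "fb-2002", "alice@example.com", false));
        Console.WriteLine($"state ok: {OAuth2Client.StateMatches(state, state)}, linked providers: {store.Users[uid].Count}, " +
            $"lookup by (provider, subject): {store.FindUser(new ExternalLogin("facebook", "fb-2002", "", false)) == uid}");
    }
}
```

`Main` exercises the offline parts (authorization URL, state check, account linking); `ExchangeCodeAsync` is only called from a real callback handler because it needs a live token endpoint. Where the subject and email then come from (an OpenID Connect `id_token`, a userinfo or "me" endpoint) is the per-provider part the answer's third point describes, as is every data import such as contacts or followers.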
Answered by Moo
I suggest you use World Domination from PureKrome, it's trivial to use, well documented and very nice!
https://github.com/PureKrome/WorldDomination.Web.Authentication
It handles Twitter, Google, Facebook et al with simple one line configurations, and it handles everything else.
The creator hangs around on jabbr.net a lot as well.
Answered by Malcolm O'Hare
The ASP.NET MVC 4 'Internet Application' template has DotNetOpenAuth implemented on it; you should take a look at that if you haven't already.
Answered by Zachary Yates
Take a look at the Social Bootstrap API project (it uses ServiceStack, but it's nice to see all of those buzzword technologies working together in a readable sample).
Also, if you want to get a better handle on how OAuth works, Mashape has a good explanation. That will give you a look at the behind-the-scenes stuff that most wrappers implement.
Rick Strahl has an example that I used years ago to implement OpenID in MVC. It's a bit dated, but it was one of the most straightforward implementations at the time. Several customer sites that I built with that implementation are still running fine.