Delegating user related topics to another Asp Net Zero project
Question
I'm wondering and trying to achieve the following scenario with Asp Net Zero 12.0.0 - ASP.NET CORE & Angular:
- A project that keeps all the users, permissions, roles, user groups, charts and pretty much everything related to users.
- Another project that has its own business scenario, but everything related to users has to be fetched from the aforementioned project, including user permissions to access APIs in this project. It's completely valid to write this project's internal permissions in the first project and get user permissions from it.
It's pretty much a microservice scenario that just separates user authentication and authorization and therefore other subsystems can join and delegate this part to the first project.
Any thoughts on this would be appreciated.
Answer 1
Score: 3
> A project that keeps all the users, permissions, roles, user groups,
> charts and pretty much everything related to users.
It seems you need an Identity Service that handles the above requirements (however I can't understand the charts here). Identity Server is recommended.
It provides facilities to authenticate and authorize users and client applications to consume API services based on OAuth. Please read this RFC.
> Another project that has its own business scenario, but everything
> related to users has to be fetched from aforementioned project,
> including user permissions to access Apis in this project
This project seems nothing but another service that serves business requirements, and there could be N of them as separate services/projects. This service/project has to include authorization policies (e.g. user claims policies) according to the identity service configuration, to identify legit and authorized requests to serve.
> scenario with Asp Net Zero 12.0.0 - ASP.NET CORE & Angular

The Angular project is your client service and has to be authorized by the identity server as a legit client to request your APIs. Client apps use OIDC libraries to work with Identity Server.

NOTE: Please be aware that the old articles use the implicit authorization flow for JS-based applications, which is not recommended at the current time; you have to use the code authorization flow with PKCE. Read this and check this RFC.

However, as you mentioned, you use Asp.net zero with Angular, which I am not familiar with, so it is better to check these docs from asp.net zero for identity server configuration.

Scenario:
- The user comes to the client app; if the user is not authenticated, they are redirected to the login page. (In most cases the login page lies in the identity server project, not the client app, which makes it accessible by other client apps, but you have to check it with the asp.net zero docs.)
- After authentication, the identity server provides tokens based on the user and the client application he/she uses.
- For API requests, the access token must be included in the header so the API service can verify it with the identity server.
- Profile info of the user and client app is checked against the API authorization policies, and if they are authorized, the API serves the request.
- In case you have to retrieve data based on the user himself, you can check the user profile info (id, group, etc. claims) that exists in the token to determine who (which user) made the request.
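The scenario steps above (bearer token in the header, verification against the identity server, claims-based authorization policies, and identifying the caller from the token) can be wired up in a few lines on the API side. The following is an added example, not code from the answer or from Asp Net Zero; it assumes a hypothetical identity server at `https://identity.example.com`, an API audience named `business-api`, and that the identity server places this project's permissions in a `permission` claim. Change those to match your own configuration.

```csharp
// Added example (not from the answer): a minimal ASP.NET Core API that delegates
// authentication to an external identity server and enforces a claims-based policy.
// Assumptions (hypothetical): tokens are issued by https://identity.example.com,
// the API's audience is "business-api", and permissions arrive in a "permission" claim.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Step 1: authenticate bearer tokens against the identity server. OIDC discovery
// under Authority supplies the signing keys, so the API never handles passwords.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://identity.example.com"; // hypothetical issuer
        options.Audience = "business-api";                   // reject tokens minted for other APIs
        options.MapInboundClaims = false;                    // keep raw claim names ("sub", "permission")
        options.TokenValidationParameters.ValidateIssuer = true;
        options.TokenValidationParameters.ValidateLifetime = true;
    });

// Step 2: authorization policies decide which authenticated callers may use which endpoints.
// The policy only trusts claims that the identity server signed into the token.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("CanReadOrders", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("permission", "orders.read"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Step 3: an endpoint guarded by the policy. The "sub" claim identifies the
// requesting user, so per-user data can be scoped without a local user store.
app.MapGet("/orders", (ClaimsPrincipal user) =>
{
    var userId = user.FindFirst("sub")?.Value;
    return Results.Ok(new { owner = userId, orders = Array.Empty<string>() });
}).RequireAuthorization("CanReadOrders");

app.Run();
```

A request without a valid token gets 401 from the authentication middleware; a valid token that lacks `permission=orders.read` gets 403 from the policy, so the business API never has to consult its own user tables. On the Angular side, the OIDC library should be configured for the authorization code flow with PKCE (not the implicit flow the note above warns against) and attach the access token as `Authorization: Bearer <token>` on calls to this API.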