问题
I have set up an OWIN authorization server and several resource servers exposing ASP.NET Web APIs. I am serving up a JWT from the authorization server that is specific to each resource server (the idea being that each resource server needs custom claims wrapped up in its token).
These servers are all in an intranet environment where we historically have used Windows Authentication (Kerberos) to provide a single sign-on experience. This feature has been lost in my implementation because I am using the user's username and password (authenticated against AD) to grant a token. What I am wondering is if there is a way to get a single sign-on experience back - maybe by using Windows Authentication to establish the identity of a user before granting them a token?
I feel like this is somewhat unorthodox and might be dumb - so please tell me if there is a better, alternative approach to getting SSO with OAuth 2.0 in an intranet environment.
回答1:
As it turns out, this wasn't as hard as I expected. I created a standard web API controller off of an alternative endpoint (/token/windows/). This endpoint takes an HTTP POST with the client (resource) ID the Windows user is trying to connect to. I put the standard [Authorize] attribute on the action to ensure that identity is established, then I manually create a claims identity and return a JWT to the user. From that point on the user uses the standard token refresh process.
Edit: here's a sample below that represents what I implemented. Note that this app is configured in IIS to support Windows Authentication (in addition to anonymous authentication):
[RoutePrefix("token/windows")]
public class WindowsAuthenticationController : ApiController
{
[Authorize]
[HttpPost]
[Route("{client_id}"]
public async Task<IHttpActionResult> CreateTokenForWindowsIdentity(string client_id)
{
var user = User as ClaimsPrincipal;
if (user == null) return Unauthorized(); //401
var claims = //generate claims based on the User.Identity.Name...
var identity = new ClaimsIdentity("JWT");
identity.AddClaims(claims);
//manually create JWT using whatever method you prefer,
//I used something inspired from http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/
}
}
来源:https://stackoverflow.com/questions/27217424/use-windows-authentication-with-oauth-2-0