Web Api - claims based auth via STS

StackOverflow https://stackoverflow.com/questions/22311692

質問

I am building two seperate ASP.Net WebApi applications, which will run under the same domain (not subdomain) plus one STS that handles the authentification and will be the user account store.

The client connects with breeze.js/angular.js to that APIs. So i think JWT (JSON Web Token) will be my choice for tokens as i don't want to use forms auth.

How do i accomplish trust between the STS and the apps just by the domain name? I found some WS-Federation trust samples but i think that is such an overkill of what i need to build.

役に立ちましたか?

解決

Not sure what you mean with "by domain name".

The typical flow would be:

  • client requests a (JWT) token from an authorization server (using OAuth2)
  • client sends the token to the API using the authorization header

The JWT is signed by the authorization server - the API verifies the signature.

So trust between the API and the authorization server is established by being able to validate the token (using the signature, issuer name and audience name).

see also here: https://github.com/thinktecture/Thinktecture.AuthorizationServer/wiki

ライセンス: CC-BY-SA帰属
所属していません StackOverflow
scroll top