
ASP.NET Web API with custom authentication

Updated: 2023-02-17 11:06:06

It's a big subject and you probably need to spend some time boning up on the basics, sorry.

That said... In order for subsequent method calls to be authenticated, you need something that can be passed back with every request. If you are calling your api from a website, say because you are using Angular or similar, then a simple cookie (appropriately encrypted and MACed) will work. Exactly how to implement that depends on whether you are using OWIN or not and whether you also have MVC in your project to serve up your pages. Don't create the cookie yourself, use FormsAuthentication or the equivalent OWIN middleware. You don't need to use Microsoft's Membership or Identity, but be aware that doing your own password handling is not trivial and you really need to know what you are doing with that stuff - there is no substitute for a lot of research if you want to do that.

If you need to call the api from something other than a Web site, then a cookie is painful. Also be mindful that there are some subtle CSRF vulnerabilities when using cookies and Web api that you need to understand and protect against.

An alternative to cookies is to embed something like ThinkTecture Identityserver (it's free) and use that to issue oAuth tokens and then attach them to each API request. It has a number of advantages but is also more complex.

Resources
You did ask for pointers on where to start reading. Your task is complicated by the fact that Microsoft has been changing their "default" approach to it several times over the last few years. The current default approach is Identity which replaces the previous MembershipProvider (good riddance). If you are new to this, I'd suggest you go that route to be honest - you can extend it and it ties in with most of the rest of the stack very nicely. Yes, you lose some flexibility and you need to wrap it around your current user store. But you need to ask yourself if the security you get out of the box isn't worth that.

I would also recommend Brock Allen's blog. It's pretty hardcore but he knows his stuff and will often explain the innards of a lot of Microsoft authentication technologies.

I would recommend you try to read up on "OWIN Authentication Middleware". It's where it is all going, not least with ASP.Net vNext. Sadly, most of the documentation out there focuses on how super easy it is to use (and it is - for a demo) but lacks any in-depth info about how it really works, which can be very frustrating.

In order to get to grips with how tokens and the different standards work, I would recommend you watch this video here: http://www.ndcvideos.com/#/app/video/2651

Then look at Azure Mobile Services which has even got client-side libraries for handling the auth I believe or ThinkTecture Identity Server. Even if you end up not using IdSrv, by going through their tutorials on how to use it, you will learn an awful lot about how this whole thing works in general; it's all based on open standards. Docs here: http://identityserver.github.io/Documentation/docs/ Try working through their tutorials; they use a Windows console app in place of an app, but the concept is the same.

I wish you luck but would like to just close by saying please don't just hack something together that seems to work. Web security is increasingly complex and it is very easy to leave vulnerabilities in your code - I talk from experience :)
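The CSRF caveat raised above (cookies plus Web API), worked through as an added example that is not code from the answer: a Web API 2 authorization filter that, on cookie-authenticated actions, also demands the anti-forgery token in a custom header and validates the pair with System.Web.Helpers.AntiForgery, plus the action that issues that pair. Assumed: an IIS-hosted Web API 2 project that references System.Web.WebPages; the class names and the X-XSRF-Token header name are my own choices.

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Helpers;   // AntiForgery, AntiForgeryConfig (System.Web.WebPages assembly)
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
// Hypothetical filter for cookie-authenticated Web API 2 actions: the browser attaches the auth
// cookie to cross-site requests too, so we also require a value only same-origin script can send.
public class ValidateAntiForgeryHeaderAttribute : AuthorizationFilterAttribute
{
    public const string HeaderName = "X-XSRF-Token";   // header name is an assumption
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;
        // Half of the pair travels in the HttpOnly anti-forgery cookie issued by GetToken below...
        string cookieToken = request.Headers.GetCookies(AntiForgeryConfig.CookieName)
            .Select(c => c[AntiForgeryConfig.CookieName])
            .Where(state => state != null).Select(state => state.Value).FirstOrDefault();
        // ...the other half must be echoed back by the client in a custom header.
        string headerToken = request.Headers.Contains(HeaderName)
            ? request.Headers.GetValues(HeaderName).FirstOrDefault() : null;
        try
        {
            // Throws if either token is missing, tampered with, or the two do not match.
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (System.Web.Mvc.HttpAntiForgeryException)   // type lives in System.Web.WebPages.dll
        {
            actionContext.Response = request.CreateErrorResponse(HttpStatusCode.Forbidden, "Anti-forgery token missing or invalid.");
        }
    }
}
// Issues the pair: cookie token as an HttpOnly cookie, header token in the body for the
// same-origin client to store and send as X-XSRF-Token on every state-changing call.
public class AntiForgeryController : ApiController
{
    [HttpGet]
    public HttpResponseMessage GetToken()
    {
        string cookieToken, headerToken;
        AntiForgery.GetTokens(null, out cookieToken, out headerToken);
        HttpResponseMessage response = Request.CreateResponse(HttpStatusCode.OK, new { token = headerToken });
        response.Headers.AddCookies(new[] { new CookieHeaderValue(AntiForgeryConfig.CookieName, cookieToken)
            { HttpOnly = true, Secure = true } });
        return response;
    }
}
```

Decorate the cookie-authenticated POST/PUT/DELETE actions with [ValidateAntiForgeryHeader]; a cross-site page can still make the browser send the auth cookie, but it cannot read the token to put it in the header, so the filter rejects the request.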
