stackoom
  简体   繁体   中英

is it possible to restrict a token to one device ?

 原文  2018-01-28 18:25:36       c#/ asp.net/ .net/ authentication/ access-token

Question

在.NET环境中-基于令牌的身份验证-是否可以将令牌限制为一个设备,以便某人无法复制该令牌并在另一设备上使用该访问令牌执行请求?

1 answers

solution1
 0  2018-01-29 07:55:04

Short answer is yes.

1- The naive solution is, you get the User-Agent from request header as well as client ip address, concatenate them with the token and encrypt it with a SecretKey and return the whole string as a new token to the client, so every time client sends a request to server you have to decrypt the token based on the SecretKey and check the data with the coming request ip address and User-Agent. so in case if any one copy the token it will not match with the headers or ip. but if the client pass the entire header properly and has the same ip address as the original client you are hacked!

2- The safest solution is client certificate authentication as NightOwl888 mentioned

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Is it possible to restrict the aad registered application to use only one Sharepoint site restrict possible combination of Flags Is it possible to restrict an instance of a pagetype in EpiServer? How to restrict access token usage with in an api Restrict input to a specific device in C# Restrict a page navigation to one control Is it possible to relay access_token from one web api to another in IdentityServer4 Is it possible to restrict a base class to a specific subclass? Is it possible to restrict public enum values in C#? Is it possible to restrict methods to virtual ONLY in friendly assemblies?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM