Generate JWT with certificate thumbprint with JSON Web Token Handler for .Net

I am starting a new task in which I have to handle the thumbprint of a JWT. We use the JSON Web Token Handler for the Microsoft .Net Framework. There is already an implementation used in the tests that generates a JWT without populating x5t in the header. It looks like this:

    var handler = new JwtSecurityTokenHandler();
    var securityKey = new InMemorySymmetricSecurityKey(Any.Array<byte>(1024));
    var desc = new SecurityTokenDescriptor
    {
        TokenIssuerName = "MSI",
        Lifetime = new Lifetime(null, DateTime.UtcNow.AddDays(10)),
        SigningCredentials = new SigningCredentials(securityKey, "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"),
    };

    var identity = new ClaimsIdentity();
    identity.AddClaim(new Claim("scope", "msi_unsapi_presence.watch"));
    identity.AddClaim(new Claim("scope", "msi_unsapi_location.watch"));
    identity.AddClaim(new Claim("scope", "msi_unsapi_groupmgt.read"));
    identity.AddClaim(new Claim("scope", "msi_unsapi_groupmgt.write"));
    var jwtToken = handler.CreateToken(desc);
    return jwtToken;

The token it produces:

    {"typ":"JWT","alg":"HS256"}.{"scope":["msi_unsapi_presence.watch","msi_unsapi_location.watch","msi_unsapi_groupmgt.read","msi_unsapi_groupmgt.write"]}

I tried setting the AttachedReference property of the SecurityTokenDescriptor to the following:

    AttachedReference = new X509ThumbprintKeyIdentifierClause(Any.Array<byte>(1024))

in order to populate the x5t field in the token (I don't care about the exact value; for testing purposes I only need it to be present in the token), but the generated token still does not have this field set. How can I generate a token whose header contains a non-empty x5t, preferably by modifying the existing code?

Here is an implementation of your custom JsonWebTokenFormat:

You can actually add anything to it with payload.Add().

    public class yourJsonWebTokenFormat : ISecureDataFormat<AuthenticationTicket>
    {
        private readonly SigningCredentials signingCredentials;

        // your signing credentials, e.g. an X509SigningCredentials built from your certificate.
        public yourJsonWebTokenFormat(SigningCredentials signingCredentials)
        {
            this.signingCredentials = signingCredentials;
        }

        public string Protect(AuthenticationTicket data)
        {
            DateTime notBefore = DateTime.UtcNow;
            DateTime expires = notBefore + TimeSpan.FromHours(1); // validity timer.

            SigningCredentials cred = signingCredentials;
            JwtHeader header = new JwtHeader(cred);
            header.Add("x5t", "your value");
            JwtPayload payload = new JwtPayload(ConfigurationManager.AppSettings["Issuer"], data.Properties.Dictionary["audience"], data.Identity.Claims, notBefore, expires);
            payload.Add("x5t", "your x5t to json property");

            var jwtToken = new JwtSecurityToken(header, payload);
            var handler = new JwtSecurityTokenHandler();
            var jwt = handler.WriteToken(jwtToken);
            return jwt;
        }

        // Required by ISecureDataFormat<T>; only token issuing is needed here.
        public AuthenticationTicket Unprotect(string protectedText)
        {
            throw new NotImplementedException();
        }
    }

Then in your OAuth config:

    OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
    {
        // provider configuration, token authentication expiry, etc...
        Provider = new SampleAuthorizationServerProvider(),
        AccessTokenFormat = new yourJsonWebTokenFormat(signingCredentials) // your signing credentials
    };

A request for a token will now call the yourJsonWebTokenFormat.Protect() method.

You should set the identity built in the sample into the AuthenticationTicket in your own OAuthAuthorizationServerProvider.

Something like this:

    public class SampleAuthorizationServerProvider : OAuthAuthorizationServerProvider, IOAuthAuthorizationServerProvider
    {
        public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            // do AD check or other stuff needed to validate the user here,
            // building the ClaimsIdentity for the user
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            // props here is an AuthenticationProperties dictionary with other stuff that you want in your JwtToken
            var props = new AuthenticationProperties(new Dictionary<string, string> { { "audience", context.ClientId } });
            var ticket = new AuthenticationTicket(identity, props);
            context.Validated(ticket);
            return Task.FromResult(0);
        }

        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            // do some check...
            context.Validated();
            return Task.FromResult(0);
        }
    }

So in the end you need to implement 2 classes:

ISecureDataFormat<AuthenticationTicket>

OAuthAuthorizationServerProvider, IOAuthAuthorizationServerProvider
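The answer above writes a placeholder string into x5t. The example below (added here, not part of the question or answer) fills the header with the real value the x5t parameter is defined to carry, the base64url-encoded SHA-1 hash of the signing certificate, and shows the matching check on the validating side, where x5t is treated only as a lookup hint into certificates you already trust, never as proof of anything by itself. It assumes the System.IdentityModel.Tokens.Jwt 4.x API used on this page (JwtHeader, JwtPayload, X509SigningCredentials, Base64UrlEncoder, TokenValidationParameters.IssuerSigningToken).

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;   // JSON Web Token Handler for .NET 4.x
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;

public static class ThumbprintJwt
{
    // RFC 7515 "x5t": base64url of the SHA-1 hash of the DER-encoded certificate.
    // GetCertHash() returns exactly that SHA-1 digest.
    public static string ComputeX5t(X509Certificate2 cert)
    {
        return Base64UrlEncoder.Encode(cert.GetCertHash());
    }

    // Issuing side: sign with the certificate and set x5t to its real thumbprint.
    public static string Create(X509Certificate2 signingCert, string issuer, string audience,
                                IEnumerable<Claim> claims)
    {
        var cred = new X509SigningCredentials(signingCert);
        var header = new JwtHeader(cred);
        // Set it explicitly so the header never carries a placeholder value.
        header[JwtHeaderParameterNames.X5t] = ComputeX5t(signingCert);
        var now = DateTime.UtcNow;
        var payload = new JwtPayload(issuer, audience, claims, now, now.AddHours(1));
        return new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(header, payload));
    }

    // Validating side: x5t is read from the UNVERIFIED header, so it may only select
    // among certificates this service already trusts; the signature is then checked
    // against that certificate and the token is rejected if the thumbprint is unknown.
    public static ClaimsPrincipal Validate(string jwt, IDictionary<string, X509Certificate2> trustedByX5t,
                                           string issuer, string audience)
    {
        var handler = new JwtSecurityTokenHandler();
        var unverified = handler.ReadToken(jwt) as JwtSecurityToken;
        object x5t;
        X509Certificate2 cert;
        if (unverified == null
            || !unverified.Header.TryGetValue(JwtHeaderParameterNames.X5t, out x5t)
            || !trustedByX5t.TryGetValue(x5t as string ?? string.Empty, out cert))
            throw new SecurityTokenValidationException("missing or unknown x5t");
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            IssuerSigningToken = new X509SecurityToken(cert), // pins the key to the trusted cert
        };
        SecurityToken validated;
        return handler.ValidateToken(jwt, parameters, out validated);
    }
}
```

Build the trustedByX5t dictionary from ComputeX5t() over your own certificate store at startup, so a token whose x5t does not match one of those entries fails before any signature check is attempted.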
