[英]Generate JWT with certificate thumbprint with JSON Web Token Handler for .Net
我正在開始一項新任務,必須處理JWT的指紋。 我們將JSON Web令牌處理程序用於Microsoft .Net Framework。 測試中已經使用了一種實現,該實現可以生成JWT,而不會在標頭中填充x5t。 看起來像這樣:
var handler = new JwtSecurityTokenHandler();
var securityKey = new InMemorySymmetricSecurityKey(Any.Array<byte>(1024));
var desc = new SecurityTokenDescriptor
{
TokenIssuerName = "MSI",
Lifetime = new Lifetime(null, DateTime.UtcNow.AddDays(10)),
SigningCredentials = new SigningCredentials(securityKey, "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"),
};
var identity = new ClaimsIdentity();
identity.AddClaim(new Claim("scope", "msi_unsapi_presence.watch"));
identity.AddClaim(new Claim("scope", "msi_unsapi_location.watch"));
identity.AddClaim(new Claim("scope", "msi_unsapi_groupmgt.read"));
identity.AddClaim(new Claim("scope", "msi_unsapi_groupmgt.write"));
var jwtToken = handler.CreateToken(desc);
return jwtToken;
其產生的令牌: {"typ":"JWT","alg":"HS256"}.{"scope":["msi_unsapi_presence.watch","msi_unsapi_location.watch","msi_unsapi_groupmgt.read","msi_unsapi_groupmgt.write"]}
我嘗試將SecurityTokenDescriptor的AttachedReference屬性設置為以下AttachedReference = new X509ThumbprintKeyIdentifierClause(Any.Array<byte>(1024))
以在令牌中填充x5t字段(我不在乎確切的值,為了測試目的,我只需要它存在於令牌中即可),但是生成的令牌仍然沒有設置此字段。 如何生成標頭中不包含空x5t的令牌,最好修改現有代碼?
這是您的customJsonWebTokenFormat的實現:
您實際上可以使用payload.add()向其中添加任何內容。
public class yourJsonWebTokenFormat: ISecureDataFormat<AuthenticationTicket>
{
public string Protect(AuthenticationTicket data)
{
DateTime notBefore = DateTime.UtcNow;
DateTime expires = notBefore + TimeSpan.FromHours(1); //validity timer.
SigningCredentials cred= new SigningCredentials(); // your signing credentials.
JwtHeader header = new JwtHeader(cred);
header.add("x5t","your value");
JwtPayload payload = newJwtPayload(ConfigurationManager.AppSettings["Issuer"],data.Properties.Dictionary["audience"], data.Identity.Claims, notBefore, expires);
payload.add("x5t","your x5t to json property");
var jwtToken = new JwtSecurityToken(header, payload);
var handler = new JwtSecurityTokenHandler();
var jwt = handler.WriteToken(jwtToken);
return jwt;
}
}
然后在您的OAuth Config中:
OAuthAuthorizationServerOptions OAuthServerOptions = new
OAuthAuthorizationServerOptions()
{
// provider configuration, token authentication expiracy, etc...
Provider = new SampleAuthorizationServerProvider()
AccessTokenFormat = new JsonWebTokenFormat()
};
請求令牌的請求現在將調用yourJsonWebTokenFormat.protect()方法。
您應該在自己的OAuthAuthorizationServerProvider的AuthenticationTicket中設置樣本中內置的身份。
像這樣的東西:
public class SampleAuthorizationServerProvider : OAuthAuthorizationServerProvider, IOAuthAuthorizationServerProvider
{
public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
// do AD check or other stuff needed to validate the user here
var ticket = new AuthenticationTicket(identity, props); // props here is a AuthenticationProperties Dictionnary with other stuff that you want in your JwtToken
context.Validated(ticket);
}
public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
//do some check...
context.Validated();
}
}
所以最終需要實現2個類: ISecureDataFormat<AuthenticationTicket>
和
OAuthAuthorizationServerProvider, IOAuthAuthorizationServerProvider
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.