[英]Certificate vs secret - What to use at azure app registration?
我想使用 Microsft Graph API 從 azure 活動目錄中獲取信息。 為此,我需要一個訪問令牌,它是基於秘密或證書頒發的。
在 azure 門戶中,建議使用證書。 使用證書的原因是什么? 使用證書是否比使用機密更安全?
可以並且應該存儲什么類型的證書? 它是如何生成的?
提前謝謝了!
使用證書的原因是什么? 使用證書是否比使用機密更安全?
是的,證書(Certificate)比機密(Secret)更安全,但相應地也更復雜、成本更高。 您可以參考沉默評論中的鏈接。
可以並且應該存儲什么類型的證書? 它是如何生成的?
文件類型:.cer、.pem、.crt
請閱讀有關證書格式的詳細信息。 以下示例展示如何構造簽名的客戶端斷言(client assertion):
/// <summary>
/// Base64url-encodes <paramref name="arg"/>: standard base64 with '+' mapped to '-',
/// '/' mapped to '_' and the trailing '=' padding removed, as JWT segments require.
/// </summary>
/// <param name="arg">Raw bytes to encode.</param>
/// <returns>The unpadded base64url string; empty for an empty input.</returns>
string Encode(byte[] arg)
{
    const char Pad = '=';
    // Alphabet positions 62/63 in standard base64 and their base64url replacements.
    const char StdChar62 = '+', UrlChar62 = '-';
    const char StdChar63 = '/', UrlChar63 = '_';

    // Padding only ever appears at the end of base64 output, so trimming it
    // is the same as cutting the string at the first '='.
    return Convert.ToBase64String(arg)
        .TrimEnd(Pad)
        .Replace(StdChar62, UrlChar62)
        .Replace(StdChar63, UrlChar63);
}
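/// <summary>
/// Builds an RS256-signed JWT client assertion from the certificate, for use as the
/// client_assertion when requesting a token from Azure AD.
/// </summary>
/// <returns>The compact JWT: base64url(header).base64url(claims).base64url(signature).</returns>
/// <exception cref="InvalidOperationException">The certificate has no RSA private key.</exception>
string GetSignedClientAssertion()
{
    // EphemeralKeySet keeps the private key in memory only; nothing is persisted to a key store.
    // "Certificate.pfx" / "Password" are placeholders: load the password from configuration or a
    // secret store rather than keeping it in source.
    // Signing uses the certificate's own RSA key object instead of round-tripping the private key
    // through ToXmlString/FromXmlString, which copies the key material into an immutable string.
    using (var certificate = new X509Certificate2("Certificate.pfx", "Password", X509KeyStorageFlags.EphemeralKeySet))
    using (RSA rsa = certificate.GetRSAPrivateKey())
    {
        if (rsa == null)
        {
            throw new InvalidOperationException("The certificate does not contain an RSA private key.");
        }

        // alg: RS256 (RSASSA-PKCS1-v1_5 over SHA-256); kid: the certificate hash, base64url encoded.
        var header = new Dictionary<string, string>()
        {
            { "alg", "RS256" },
            { "kid", Encode(certificate.GetCertHash()) }
        };

        // Header and claim set are serialized to JSON, base64url encoded and joined by '.'.
        // See GetClaims() for how the claims are built.
        string headerPart = Encode(Encoding.UTF8.GetBytes(JObject.FromObject(header).ToString()));
        string claimsPart = Encode(Encoding.UTF8.GetBytes(JObject.FromObject(GetClaims()).ToString()));
        string token = headerPart + "." + claimsPart;

        // RS256 = PKCS#1 v1.5 padding over a SHA-256 digest of the signing input.
        byte[] signatureBytes = rsa.SignData(Encoding.UTF8.GetBytes(token), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return string.Concat(token, ".", Encode(signatureBytes));
    }
}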
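/// <summary>
/// Builds the JWT claim set for the client assertion sent to Azure AD.
/// </summary>
/// <returns>
/// aud, iss, sub, jti, nbf and exp as strings; nbf/exp are Unix-epoch seconds (JWT NumericDate).
/// </returns>
private static IDictionary<string, string> GetClaims()
{
    // aud = https://login.microsoftonline.com/ + Tenant ID + /v2.0
    string aud = $"https://login.microsoftonline.com/{tenantId}/v2.0";
    string ConfidentialClientID = "00000000-0000-0000-0000-000000000000"; // client (application) id
    const uint JwtToAadLifetimeInSeconds = 60 * 10; // Ten minutes; keep the assertion short-lived

    // nbf and exp are both derived from one UTC timestamp so the window is exactly the lifetime.
    DateTimeOffset validFrom = DateTimeOffset.UtcNow;
    long nbf = validFrom.ToUnixTimeSeconds();
    long exp = validFrom.AddSeconds(JwtToAadLifetimeInSeconds).ToUnixTimeSeconds();

    // Invariant culture: the numbers are machine-read, never shown to a user.
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    return new Dictionary<string, string>()
    {
        { "aud", aud },
        { "exp", exp.ToString(invariant) },
        { "iss", ConfidentialClientID },
        { "jti", Guid.NewGuid().ToString() }, // unique per assertion (JWT ID)
        { "nbf", nbf.ToString(invariant) },
        { "sub", ConfidentialClientID }
    };
}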
或使用 Powershell: https://docs.microsoft.com/en-us/azure/cosmos-db/certificate-based-authentication#create-a-self-signed-certificate