问题描述
我正在尝试将我的 ASP.NET 应用程序配置为接受使用对称密钥签名的 JSON Web 令牌 (JWT).STS 无法为此使用证书,因此我们正在使用它们的对称密钥支持.
I'm trying to configure my ASP.NET app to accept a JSON Web Token (JWT) that is signed with a symmetric key. The STS isn't capable of using certificates for this, so we're using their symmetric key support.
就我而言,我正在使用 微软的 JWT 开发者预览版.不幸的是,我还没有看到任何关于如何将其与对称密钥一起使用的示例.在使用各种工具进行了一些挖掘之后,我找到了 NamedKeyIssuerTokenResolver
并发现我可以 将其配置为使用对称密钥.例如:
On my end, I'm using Microsoft's JWT Developer Preview. Unfortunately, I've not seen any examples of how to use that with a symmetric key. After some digging around with various tools, I found the NamedKeyIssuerTokenResolver
and discovered that I can configure it to use a symmetric key. For example:
<securityTokenHandlers>
<add type="Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler,Microsoft.IdentityModel.Tokens.JWT" />
<securityTokenHandlerConfiguration>
<certificateValidation certificateValidationMode="PeerTrust" />
<issuerTokenResolver
type="Microsoft.IdentityModel.Tokens.JWT.NamedKeyIssuerTokenResolver,
Microsoft.IdentityModel.Tokens.JWT">
<securityKey
symmetricKey="+zqf97FD/xyzzyplugh42ploverFeeFieFoeFooxqjE="
name="https://localhost/TestRelyingParty" />
</issuerTokenResolver>
</securityTokenHandlerConfiguration>
</securityTokenHandlers>
我不完全确定我应该为那里的 name
使用什么.应该是受众Uri,还是发行者Uri?无论如何,我知道如果我不包含 name
,我的程序启动时会出现异常,因为 securityKey
元素需要该属性.
I'm not entirely sure what I'm supposed to use for the name
there. Should it be the audience Uri, perhaps the issuer Uri? In any case, I know that if I don't include a name
, I get an exception when my program starts because the securityKey
element requires that attribute.
无论如何,这仍然不能解决问题.对 STS 进行身份验证后,出现以下异常:
Whatever the case, this still doesn't resolve the issue. After I authenticate against the STS, I get the following exception:
[SecurityTokenValidationException: JWT10310: Unable to validate signature. validationParameters.SigningTokenResolver type: 'Microsoft.IdentityModel.Tokens.JWT.NamedKeyIssuerTokenResolver', was unable to resolve key to a token.
The SecurityKeyIdentifier is:
'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityModel.Tokens.JWT.NamedKeyIdentifierClause
)
'. validationParameters.SigningToken was null.]
Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler.ValidateSignature(JWTSecurityToken jwt, TokenValidationParameters validationParameters) +2111
Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler.ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters) +138
Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler.ValidateToken(SecurityToken token) +599
System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +135
System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +117
System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +698
System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +123924
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165
我是否缺少其他配置步骤?我在 name
属性中放置了错误的东西吗?或者这是 JWT 开发者预览版中的一个已知错误?
Am I missing some other configuration step? Am I putting the wrong thing in the name
attribute? Or is this a known bug in the JWT Developer Preview?
推荐答案
2014/02/13 更新:
正如@leastprivilege 在下面指出的那样,使用 JWT 的 RTM 版本要容易得多.我强烈建议您忽略这一点并使用他在 http://leastprivilege.com/2013/07/16/identityserver-using-ws-federation-with-jwt-tokens-and-symmetric-signatures/.
请注意,下面的原始答案是针对 Beta 版 Microsoft.IdentityModel.Tokens.JWT.升级到发布版本 System.IdentityModel.Tokens.Jwt 只需要多做一点工作.见下文.
Note that the original answer below was for the Beta version, Microsoft.IdentityModel.Tokens.JWT. Upgrading to the release version, System.IdentityModel.Tokens.Jwt, required just a little more work. See below.
原来的主要问题是 JWTSecurityTokenHandler.ValidateToken(token)
方法没有完全填充它传递给 JWTSecurityTokenHandler.ValidateToken(令牌,验证参数)
.特别是,它不会填充 SigningToken
成员或 ValidIssuers
(或 ValidIssuer
).
The primary problem turns out to be that the method JWTSecurityTokenHandler.ValidateToken(token)
does not fully populate the TokenValidationParameters
that it passes to JWTSecurityTokenHandler.ValidateToken(token, validationParameters)
. In particular, it doesn't populate the SigningToken
member or the ValidIssuers
(or ValidIssuer
).
有趣的是,我在原始问题中显示的配置实际上是由令牌解析器加载的,并且在运行时可用,如下面的代码所示.
Interestingly, the configuration I showed in my original question actually is loaded by the token resolver, and is available at runtime, as you can see in the code below.
不过,我不知道如何在配置文件中指定有效的颁发者字符串.我强烈怀疑有一个地方可以放置这些信息,但我还没有弄清楚它属于哪里.
I don't know how to specify the valid issuer string in the configuration file, though. I strongly suspect that there's a place to put that info, but I haven't yet figured out where it belongs.
我的问题的解决方案是创建一个从 JWTSecurityTokenHandler
派生的自定义安全令牌处理程序.重写 ValidateToken(token, validationParameters)
让我有机会设置我需要的那些参数,然后调用基类的 ValidateToken
方法.
The solution to my problem is to create a custom security token handler that derives from JWTSecurityTokenHandler
. Overriding ValidateToken(token, validationParameters)
gives me the opportunity to set those parameters that I need, and then call the base class's ValidateToken
method.
public class CustomJwtSecurityTokenHandler: JWTSecurityTokenHandler
{
// Override ValidateSignature so that it gets the SigningToken from the configuration if it doesn't exist in
// the validationParameters object.
private const string KeyName = "https://localhost/TestRelyingParty";
private const string ValidIssuerString = "https://mySTSname/trust";
public override ClaimsPrincipal ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters)
{
// set up valid issuers
if ((validationParameters.ValidIssuer == null) &&
(validationParameters.ValidIssuers == null || !validationParameters.ValidIssuers.Any()))
{
validationParameters.ValidIssuers = new List<string> {ValidIssuerString};
}
// and signing token.
if (validationParameters.SigningToken == null)
{
var resolver = (NamedKeyIssuerTokenResolver)this.Configuration.IssuerTokenResolver;
if (resolver.SecurityKeys != null)
{
List<SecurityKey> skeys;
if (resolver.SecurityKeys.TryGetValue(KeyName, out skeys))
{
var tok = new NamedKeySecurityToken(KeyName, skeys);
validationParameters.SigningToken = tok;
}
}
}
return base.ValidateToken(jwt, validationParameters);
}
}
在我的 Web.config 中,我只需要更改安全令牌处理程序:
In my Web.config, I just had to change the security token handler:
<securityTokenHandlers>
<!--<add type="Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler,Microsoft.IdentityModel.Tokens.JWT" />-->
<!-- replaces the default JWTSecurityTokenHandler -->
<add type="TestRelyingParty.CustomJwtSecurityTokenHandler,TestRelyingParty" />
没有什么比花三四天时间研究一个用几十行代码解决的问题更合适的了...
Nothing like spending three or four days researching a problem that is solved with a couple dozen lines of code . . .
2013 年 6 月,微软正式发布了他们的 JWT.他们将命名空间更改为 System.IdentityModel.Tokens.Jwt.升级到那个之后,上面的解决方案停止工作.为了让它工作,我必须将以下内容添加到我的 CustomJwtSecurityTokenHandler
中.这是对现有代码的补充.
In June of 2013, Microsoft officially released their JWT. They changed the namespace to System.IdentityModel.Tokens.Jwt. After upgrading to that, the solution above stopped working. To get it working, I had to add the following to my CustomJwtSecurityTokenHandler
. That's in addition to the existing code.
public override ClaimsPrincipal ValidateToken(JwtSecurityToken jwt)
{
var vparms = new TokenValidationParameters
{
AllowedAudiences = Configuration.AudienceRestriction.AllowedAudienceUris.Select(s => s.ToString())
};
return ValidateToken(jwt, vparms);
}
这篇关于如何使用对称密钥配置 Microsoft JWT?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!