JSON Web Token in Web API does not validate the refresh token after expiry

Time: 2015-04-16 11:40:42

Tags: asp.net-web-api oauth-2.0 owin access-token jwt

I am using OAuth 2 with JWT authentication for a Web API, and I am using the refresh token mechanism. I can generate a refresh token before the expiry time and call the API service with it. After the token expires, I call the service to issue a new token using the refresh token id. But it gives an error in the Unprotect method of my CustomJWTFormat class, because no logic is implemented there. I do not have the implementation logic for reissuing the JWT from the refresh token.

Sample code for configuring the service to use the JSON Web Token format:

OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
    AllowInsecureHttp = true,
    TokenEndpointPath = new PathString("/token"),
    AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(5),
    Provider = new SimpleAuthorizationServerProvider(),
    RefreshTokenProvider = new SimpleRefreshTokenProvider(),
    AccessTokenFormat = new CustomJwtFormat(<issuer>),
    RefreshTokenFormat = new CustomJwtFormat(<issuer>)
};

Sample code for my CustomJWTFormat class:

using System;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Thinktecture.IdentityModel.Tokens;

public class CustomJwtFormat : ISecureDataFormat<AuthenticationTicket>
{
    private const string AudiencePropertyKey = "as:client_id";
    private readonly string _issuer = string.Empty;
    private string symmetricKeyAsBase64 = string.Empty;

    public CustomJwtFormat(string issuer)
    {
        _issuer = issuer;
    }

    public string Protect(AuthenticationTicket data)
    {
        if (data == null)
        {
            throw new ArgumentNullException("data");
        }

        // The client id is stored on the ticket by the authorization server provider;
        // it selects which client secret signs the token.
        string audienceId = data.Properties.Dictionary.ContainsKey(AudiencePropertyKey) ? data.Properties.Dictionary[AudiencePropertyKey] : null;
        if (string.IsNullOrWhiteSpace(audienceId))
        {
            audienceId = <audience>;
            symmetricKeyAsBase64 = <secret key>;
        }
        else
        {
            using (AuthRepository _repo = new AuthRepository())
            {
                var audience = _repo.FindClient(audienceId);
                symmetricKeyAsBase64 = audience.Secret;
            }
        }

        var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64);
        var signingKey = new HmacSigningCredentials(keyByteArray);
        var issued = data.Properties.IssuedUtc;
        var expires = data.Properties.ExpiresUtc;
        var token = new JwtSecurityToken(_issuer, audienceId, data.Identity.Claims, issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey);
        var handler = new JwtSecurityTokenHandler();
        var jwt = handler.WriteToken(token);
        return jwt;
    }

    // Need logic for this method. It is called when the service is asked to issue a new token from a refresh id.
    public AuthenticationTicket Unprotect(string protectedText)
    {
        throw new NotImplementedException();
    }
}

Any help would be appreciated.
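The missing piece is the inverse of Protect: verify the JWT's signature, issuer, audience and lifetime, then rebuild the AuthenticationTicket that the OWIN token endpoint expects. The following is an added example of such an Unprotect method, not code from the question or from any library; it assumes the same class fields, AuthRepository.FindClient lookup and Base64Url-encoded client secrets shown in the question, the System.IdentityModel.Tokens.Jwt 4.x API (JwtSecurityToken.Audiences, TokenValidationParameters.IssuerSigningKey), and placeholder values for the default audience and secret that the question elides.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Microsoft.Owin.Security.OAuth;

// Added example: an Unprotect implementation for the CustomJwtFormat class above.
// DefaultAudience / DefaultSecret are placeholders standing in for the <audience> and
// <secret key> values the question does not show.
public partial class CustomJwtFormat
{
    private const string DefaultAudience = "PLACEHOLDER-default-audience";
    private const string DefaultSecret = "PLACEHOLDER-default-secret-base64url";

    // Mirrors the key selection in Protect: default client vs. a registered client.
    // Returns null when the client is unknown so the caller can reject the token.
    private static string ResolveSecret(string audienceId)
    {
        if (string.IsNullOrWhiteSpace(audienceId) || audienceId == DefaultAudience)
        {
            return DefaultSecret;
        }
        using (AuthRepository repo = new AuthRepository())
        {
            var client = repo.FindClient(audienceId);
            return client == null ? null : client.Secret;
        }
    }

    public AuthenticationTicket Unprotect(string protectedText)
    {
        if (string.IsNullOrWhiteSpace(protectedText))
        {
            throw new ArgumentNullException("protectedText");
        }

        var handler = new JwtSecurityTokenHandler();

        // Parse, but do not yet trust, the token: we only need the "aud" claim to pick the
        // secret. A forged audience can at most select a key that fails verification below.
        var unverified = handler.ReadToken(protectedText) as JwtSecurityToken;
        if (unverified == null)
        {
            return null; // not a JWT; the token endpoint treats a null ticket as invalid_grant
        }
        string audienceId = unverified.Audiences.FirstOrDefault();

        string symmetricKeyAsBase64 = ResolveSecret(audienceId);
        if (symmetricKeyAsBase64 == null)
        {
            return null; // unknown client: nothing to verify against
        }
        var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64);

        var validationParameters = new TokenValidationParameters
        {
            ValidIssuer = _issuer,
            ValidAudience = audienceId,
            IssuerSigningKey = new InMemorySymmetricSecurityKey(keyByteArray),
            ValidateLifetime = true // an expired refresh token must not mint a new access token
        };

        SecurityToken validatedToken;
        ClaimsPrincipal principal;
        try
        {
            // Checks signature, issuer, audience and nbf/exp in one call.
            principal = handler.ValidateToken(protectedText, validationParameters, out validatedToken);
        }
        catch (SecurityTokenException)
        {
            return null; // bad signature, wrong issuer/audience or expired: refuse, do not throw
        }

        // The token endpoint rejects a ticket whose identity is not authenticated, and
        // IsAuthenticated is false for an identity without an authentication type, so set it.
        var identity = new ClaimsIdentity(principal.Claims, OAuthDefaults.AuthenticationType);

        // Restore the properties Protect serialized, so the refresh_token grant sees the same
        // client id and lifetime it originally issued.
        var properties = new AuthenticationProperties
        {
            IssuedUtc = new DateTimeOffset(DateTime.SpecifyKind(validatedToken.ValidFrom, DateTimeKind.Utc)),
            ExpiresUtc = new DateTimeOffset(DateTime.SpecifyKind(validatedToken.ValidTo, DateTimeKind.Utc))
        };
        properties.Dictionary[AudiencePropertyKey] = audienceId;

        return new AuthenticationTicket(identity, properties);
    }
}
```

Two design points worth keeping in view. Unprotect only proves that the JWT was signed with the named client's secret and has not yet expired; the refresh-token id stored by SimpleRefreshTokenProvider remains the place where a token can be revoked, so ReceiveAsync should still look the id up before calling DeserializeTicket. And because the configuration above registers the same CustomJwtFormat for both AccessTokenFormat and RefreshTokenFormat, nothing inside the token says which kind it is; if the two need to be told apart, that distinction has to come from a claim or ticket property you add, not from this method.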

1 answer:

Answer 0 (score: 0)

Take a look at this sample to see how to validate a token.

https://github.com/AzureADSamples/WebAPI-ManuallyValidateJwt-DotNet/blob/master/TodoListService-ManualJwt

In particular, Global.asax.cs.