我已经阅读过MSDN论坛,Dominic Baier的博客,以及其他来源,DPAPI将无法在Azure中开箱即用,并且在任何类型的Web场景中处理联合身份验证的一种方法是替换DPAPI使用跨服务器场可用的私钥进行转换,例如使用X509证书进行RSA加密。我在Azure MVC应用程序中采用了这种方法并配置了SessionSecurityTokenHandler,如下所示:
FederatedAuthentication.ServiceConfigurationCreated += (sender, args) =>
{
var sessionTransforms = new List<CookieTransform>(new CookieTransform[]
{
new DeflateCookieTransform(),
new RsaEncryptionCookieTransform(args.ServiceConfiguration.ServiceCertificate),
new RsaSignatureCookieTransform(args.ServiceConfiguration.ServiceCertificate)
});
var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
args.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
};
使用此配置,我们可以从身份提供商处接收令牌,并发出使用这些转换加密的安全Cookie。在Azure模拟器中运行,一切都按预期工作。但是,在Azure环境中,我们间歇性地在浏览器中看到以下错误:
Key not valid for use in specified state.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: Key not valid for use in specified state.
]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +577
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +80
[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +433
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +189
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +862
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +109
Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +356
Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +123
Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +61
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270
这似乎表明SessionSecurityTokenHandler正在尝试使用DPAPI解密cookie,但为什么呢?我没有配置它使用上面的RSA吗?
答案 0 :(得分:14)
请注意,您现在可以使用MachineKeySessionSecurityTokenHandler在Web场中对会话令牌进行签名和加密。
要使用此功能,您需要删除默认SessionSecurityTokenHandler并在MachineKeySessionSecurityTokenHandler中添加Web.config:
<system.identityModel>
<identityConfiguration>
<securityTokenHandlers>
<remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</securityTokenHandlers>
</identityConfiguration>
</system.identityModel>
MachineKeySessionSecurityTokenHandler使用Web.config中配置的机器密钥,因此您还需要添加它:
<system.web>
<machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="AES" />
</system.web>
答案 1 :(得分:5)
好吧,经过多次搜索,我发现了我的问题所在。在我设置ServiceConfigurationCreated之前,我正在进行一些导致访问FederatedAuthentication.ServiceConfiguration的配置。 According to MSDN,“当Web应用程序中的第一个HTTP模块引用ServiceConfiguration时引发ServiceConfigurationCreated事件”。我将事件处理程序设置移动到Application_Start的顶部,一切正常,这意味着事件 - 只触发一次 - 在我设置事件处理程序之前就被触发了。
希望这可以为我节省4个多小时的时间来实现这一目标。