Question

我在服务器端应用程序中工作，我正在应用多租户。在这个服务器端，我有一个Backoffice（ ASP.NET MVC ）和一个BackEnd（ WCF ）。

我想解密Identity Cookie，以便我可以检查它是否有效并使用它在WCF服务中进行身份验证。

更具体一点我真的想知道ASP.NET Identity API是否提供了类似以下示例的任何类型的服务（如果我使用表单身份验证，它将起作用）

FormsAuthenticationTicket formsTicket = FormsAuthentication.Decrypt(tokenValue);

提前致谢。

Answer 1

经过大量研究后，我在博客中找到了一种方法。最终算法如下所示：

      private bool BackOfficeUserAuthorized(string ticket)
      {
        ticket = ticket.Replace('-', '+').Replace('_', '/');

        var padding = 3 - ((ticket.Length + 3) % 4);
        if (padding != 0)
            ticket = ticket + new string('=', padding);

        var bytes = Convert.FromBase64String(ticket);

        bytes = System.Web.Security.MachineKey.Unprotect(bytes,
            "Microsoft.Owin.Security.Cookies.CookieAuthenticationMiddleware",
                "ApplicationCookie", "v1");

        using (var memory = new MemoryStream(bytes))
        {
            using (var compression = new GZipStream(memory,
                                                CompressionMode.Decompress))
            {
                using (var reader = new BinaryReader(compression))
                {
                    reader.ReadInt32();
                    string authenticationType = reader.ReadString();
                    reader.ReadString();
                    reader.ReadString();

                    int count = reader.ReadInt32();

                    var claims = new Claim[count];
                    for (int index = 0; index != count; ++index)
                    {
                        string type = reader.ReadString();
                        type = type == "\0" ? ClaimTypes.Name : type;

                        string value = reader.ReadString();

                        string valueType = reader.ReadString();
                        valueType = valueType == "\0" ?
                                       "http://www.w3.org/2001/XMLSchema#string" :
                                         valueType;

                        string issuer = reader.ReadString();
                        issuer = issuer == "\0" ? "LOCAL AUTHORITY" : issuer;

                        string originalIssuer = reader.ReadString();
                        originalIssuer = originalIssuer == "\0" ?
                                                     issuer : originalIssuer;

                        claims[index] = new Claim(type, value,
                                               valueType, issuer, originalIssuer);
                    }

                    var identity = new ClaimsIdentity(claims, authenticationType,
                                                  ClaimTypes.Name, ClaimTypes.Role);

                    var principal = new ClaimsPrincipal(identity);

                    return principal.Identity.IsAuthenticated;
                }
            }
        }
    }

请注意委托人就像发送您刚刚调用的身份验证Cookie一样：

HttpContext.Current.User

如果您对该算法的工作原理感兴趣，可以找到它here

Answer 2

当您将ASP .NET应用程序配置为使用cookie身份验证时，您可以使用自己的TicketDataFormat（通常在Startup.Auth.cs中）提供自己的IDataProtector对象：

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    TicketDataFormat = new TicketDataFormat(...), // Use your own TicketDataFormat
    Provider = new CookieAuthenticationProvider
    {       
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

如果您对这两个应用程序使用相同的TicketDataFormat，则可以获得AuthenticationTicket，如下所示：

AuthenticationTicket ticket = options.TicketDataFormat.Unprotect(cookie.Value);

ASP.NET Identity 2.0解密Owin cookie

2 个答案: