STS scheme with a symmetric signing key for the relying party

Time: 2015-10-14 09:39:29

Tags: wif thinktecture-ident-server thinktecture-ident-model

Please help me understand the following scenario:

A web application is requesting a token from an STS. The STS is Thinktecture Identity Server v2. The STS is configured as follows:

General Configuration

Only One Relying party

Trust between the web application and the STS has been established by installing the required certificates on both sides.

The web application requests the token over the WS-Trust protocol with the following code:

    // Framework namespaces used: System.IdentityModel.Protocols.WSTrust, System.IdentityModel.Tokens,
    // System.IdentityModel.Services, System.ServiceModel.Security, System.Security.Claims,
    // System.Collections.ObjectModel, System.Xml, System.IO. UserNameWSTrustBinding and
    // TokenTypes.JsonWebToken come from the Thinktecture.IdentityModel helper library.
    WSTrustChannelFactory factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        string.Format(WS_TRUST_END_POINT, identityServer));

    string relyingParty = "urn:test:symmetric";
    factory.TrustVersion = TrustVersion.WSTrust13;
    factory.Credentials.UserName.UserName = username;
    factory.Credentials.UserName.Password = password;

    // Ask the STS for a bearer JWT scoped to the relying party
    RequestSecurityToken rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        KeyType = KeyTypes.Bearer,
        TokenType = TokenTypes.JsonWebToken,
        AppliesTo = new EndpointReference(relyingParty),
    };

    GenericXmlSecurityToken xmlToken = factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken;

    // Read and validate the token with the handlers configured in web.config (JwtSecurityTokenHandler)
    SecurityTokenHandlerCollection handlers =
        FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
    JwtSecurityToken jwtToken = handlers.ReadToken(
        new XmlTextReader(new StringReader(xmlToken.TokenXml.OuterXml))) as JwtSecurityToken;

    // ValidateToken checks the signature against the configured symmetric key, the issuer and the audience
    ReadOnlyCollection<ClaimsIdentity> identities = handlers.ValidateToken(jwtToken);

The application's web.config looks like this:

    <system.identityModel>
      <identityConfiguration saveBootstrapContext="true">
        <audienceUris>
          <add value="urn:test:symmetric"/>
        </audienceUris>
        <securityTokenHandlers>
          <add type="System.IdentityModel.Tokens.JwtSecurityTokenHandler, System.IdentityModel.Tokens.Jwt, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
          <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
          <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
            <sessionTokenRequirement lifetime="00:30:00"/>
          </add>
          <securityTokenHandlerConfiguration>
            <issuerTokenResolver type="System.IdentityModel.Tokens.NamedKeyIssuerTokenResolver, System.IdentityModel.Tokens.JWT">
              <securityKey symmetricKey="JDQLsrFL1VGBj5GZcAo0Xick4stoHyV5ah0B8RDBUoM=" name="TH_STS"/>
            </issuerTokenResolver>
            <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
              <!-- STS Authority Nodes -->
              <authority name="TH_STS">
                <keys>
                  <add symmetricKey="JDQLsrFL1VGBj5GZcAo0Xick4stoHyV5ah0B8RDBUoM="/>
                </keys>
                <validIssuers>
                  <add name="TH_STS"/>
                </validIssuers>
              </authority>
            </issuerNameRegistry>
          </securityTokenHandlerConfiguration>
        </securityTokenHandlers>
      </identityConfiguration>
    </system.identityModel>

I have read the WIF concepts, but I am still struggling to understand this flow. I understand the following to be correct:

  1. The token request goes over https.
  2. Trust is established between the token requester (the web application) and the STS by installing the appropriate certificates.
  3. The web application requests a token over the WS-Trust protocol, supplying the username/password, the relying party, keytype = bearer and tokentype = JsonWebToken.
  4. The STS validates the user credentials, creates a JWT token and sends it back. The token is signed with the symmetric key configured in the STS for that relying party. The claims are not encrypted.
  5. On receiving the token, the web application validates it by verifying that it came from the same STS and decrypting it with the same symmetric key.
  6. Is the above understanding correct? Am I missing something here, or is something wrong?

    A further question: how is the symmetric key generated?
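Added example, not part of the original question and not Thinktecture's or WIF's code, written in Python rather than C# so the mechanics are visible: how a Base64 symmetric key of the same shape as the `symmetricKey` attribute in the web.config is generated, and what the relying party actually does with that key in step 5 of the flow above: it recomputes an HMAC over the token and checks issuer, audience and expiry; nothing is decrypted. The example assumes HS256 as the JWT algorithm and reuses the `TH_STS` / `urn:test:symmetric` names from the configuration.

```python
import base64, hashlib, hmac, json, os, time

ISSUER = "TH_STS"                # authority name from the web.config above
AUDIENCE = "urn:test:symmetric"  # audienceUri / relying party from the web.config above

def generate_symmetric_key(nbytes=32):
    """256 random bits, Base64-encoded like the symmetricKey attribute value."""
    return base64.b64encode(os.urandom(nbytes)).decode()

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, key_b64):
    """What the STS does in step 4: HS256 over header.payload with the shared key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(base64.b64decode(key_b64), f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64url(mac.digest())}"

def validate_jwt(token, key_b64, issuer=ISSUER, audience=AUDIENCE, now=None):
    """What the relying party does in step 5: recompute the MAC, then check iss/aud/exp.
    Nothing is decrypted; the claims are readable by anyone holding the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(base64.b64decode(key_b64), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("unexpected audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def is_valid(token, key_b64, **kwargs):
    try:
        validate_jwt(token, key_b64, **kwargs)
        return True
    except ValueError:
        return False
```

The same Base64 string must be pasted into both the STS relying-party configuration and the `symmetricKey` attributes of the web.config, since both sides compute the identical HMAC.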

0 answers:

No answers