I am starting a new task in which I have to process the thumbprint from a JWT. We use the JSON Web Token Handler for the Microsoft .NET Framework. There is already an implementation used for testing that generates a JWT without putting an x5t in the header. It looks like this:
// Test helper that builds an HMAC-SHA256 signed JWT with the JSON Web Token Handler (System.IdentityModel.Tokens.Jwt).
// Any.Array<byte>(1024) is assumed to be a random-byte helper from the test project, not part of the JWT library.
private static SecurityToken CreateTestToken()
{
    var handler = new JwtSecurityTokenHandler();
    var securityKey = new InMemorySymmetricSecurityKey(Any.Array<byte>(1024));
    var desc = new SecurityTokenDescriptor
    {
        TokenIssuerName = "MSI",
        Lifetime = new Lifetime(null, DateTime.UtcNow.AddDays(10)),
        SigningCredentials = new SigningCredentials(securityKey, "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"),
    };
    var identity = new ClaimsIdentity();
    identity.AddClaim(new Claim("scope", "msi_unsapi_presence.watch"));
    identity.AddClaim(new Claim("scope", "msi_unsapi_location.watch"));
    identity.AddClaim(new Claim("scope", "msi_unsapi_groupmgt.read"));
    identity.AddClaim(new Claim("scope", "msi_unsapi_groupmgt.write"));
    desc.Subject = identity; // the scope claims end up in the payload only if the identity is attached to the descriptor
    var jwtToken = handler.CreateToken(desc);
    return jwtToken;
}
The token it produces: {"typ":"JWT","alg":"HS256"}.{"scope":["msi_unsapi_presence.watch","msi_unsapi_location.watch","msi_unsapi_groupmgt.read","msi_unsapi_groupmgt.write"]}
I tried setting the AttachedReference property of SecurityTokenDescriptor to the following: AttachedReference = new X509ThumbprintKeyIdentifierClause(Any.Array<byte>(1024)), so that the x5t field would be populated in the token (I don't care about the exact value, I just need it to be present in the token for testing purposes), but the generated token still does not have this field set. How can I generate a token with a non-empty x5t in the header, preferably by modifying the existing code?
Answer 0 (score: 2)
Here is an implementation of a custom JsonWebTokenFormat:
You can actually add anything you want with payload.Add().
// Requires System.IdentityModel.Tokens (JWT handler), System.Configuration and Microsoft.Owin.Security.
public class yourJsonWebTokenFormat : ISecureDataFormat<AuthenticationTicket>
{
    public string Protect(AuthenticationTicket data)
    {
        DateTime notBefore = DateTime.UtcNow;
        DateTime expires = notBefore + TimeSpan.FromHours(1); // validity window.
        // Your signing credentials; signingKey is assumed to be supplied elsewhere (e.g. an InMemorySymmetricSecurityKey as in the question).
        SigningCredentials cred = new SigningCredentials(signingKey, "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256", "http://www.w3.org/2001/04/xmlenc#sha256");
        JwtHeader header = new JwtHeader(cred);
        header.Add("x5t", "your value"); // JwtHeader is a Dictionary<string, object>, so any header parameter can be added
        JwtPayload payload = new JwtPayload(ConfigurationManager.AppSettings["Issuer"], data.Properties.Dictionary["audience"], data.Identity.Claims, notBefore, expires);
        payload.Add("x5t", "your x5t as a JSON property");
        var jwtToken = new JwtSecurityToken(header, payload);
        var handler = new JwtSecurityTokenHandler();
        var jwt = handler.WriteToken(jwtToken);
        return jwt;
    }

    // Required by ISecureDataFormat<T>; only needed if the server must read tokens back.
    public AuthenticationTicket Unprotect(string protectedText)
    {
        throw new NotImplementedException();
    }
}
Then in your OAuth configuration:
OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
    // provider configuration, token expiry, etc...
    Provider = new SampleAuthorizationServerProvider(),
    AccessTokenFormat = new yourJsonWebTokenFormat()
};
Requesting a token will now call the yourJsonWebTokenFormat.Protect() method.
You should set the identity you built in your example on the AuthenticationTicket in your own OAuthAuthorizationServerProvider.
Something like this:
public class SampleAuthorizationServerProvider : OAuthAuthorizationServerProvider, IOAuthAuthorizationServerProvider
{
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // do the AD check or whatever else is needed to validate the user here
        var identity = new ClaimsIdentity(context.Options.AuthenticationType); // add your claims (e.g. the scopes from the question) to this identity
        var props = new AuthenticationProperties(); // props is an AuthenticationProperties dictionary with other stuff that you want in your JwtToken
        var ticket = new AuthenticationTicket(identity, props);
        context.Validated(ticket);
        return Task.FromResult<object>(null);
    }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // do some checks...
        context.Validated();
        return Task.FromResult<object>(null);
    }
}
So in the end you need to implement two classes: ISecureDataFormat<AuthenticationTicket> and OAuthAuthorizationServerProvider, IOAuthAuthorizationServerProvider.
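The following is an added example, not code from the question or the answer. It bypasses SecurityTokenDescriptor the same way the answer does, but fills x5t with the value RFC 7515 defines (base64url of the SHA-1 hash of the DER certificate) and shows the receiver-side check that the header value matches the expected certificate. It assumes System.IdentityModel.Tokens.Jwt 4.x as in the question; the certificate bytes and HMAC key are constructed stand-ins.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography;

public static class X5tJwtExample
{
    // x5t per RFC 7515: base64url(SHA-1(DER certificate)) without padding.
    public static string ComputeX5t(byte[] certificateDer)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] hash = sha1.ComputeHash(certificateDer);
            return Convert.ToBase64String(hash).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }
    }

    public static string CreateToken(byte[] hmacKey, string x5t, IEnumerable<Claim> claims)
    {
        var cred = new SigningCredentials(new InMemorySymmetricSecurityKey(hmacKey),
            "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
            "http://www.w3.org/2001/04/xmlenc#sha256");
        var header = new JwtHeader(cred);
        header["x5t"] = x5t; // JwtHeader is a Dictionary<string, object>, so extra header parameters go in directly
        var payload = new JwtPayload("MSI", "msi_api", claims, DateTime.UtcNow, DateTime.UtcNow.AddDays(10));
        return new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(header, payload));
    }

    // Receiver side: x5t in an incoming header is untrusted input. Compare it with the thumbprint of the
    // certificate you expect instead of using it to look up a key blindly. ReadToken only parses; the
    // signature must still be checked with ValidateToken before any claim is trusted.
    public static bool HeaderMatchesExpectedCertificate(string jwt, byte[] expectedCertificateDer)
    {
        var token = (JwtSecurityToken)new JwtSecurityTokenHandler().ReadToken(jwt);
        object x5t;
        return token.Header.TryGetValue("x5t", out x5t)
            && string.Equals(x5t as string, ComputeX5t(expectedCertificateDer), StringComparison.Ordinal);
    }

    public static void Main()
    {
        byte[] fakeCert = new byte[64]; // constructed stand-in; use cert.RawData from an X509Certificate2 in real code
        byte[] key = new byte[32];      // constructed stand-in for the HMAC key
        var claims = new[] { new Claim("scope", "msi_unsapi_presence.watch") };
        string jwt = CreateToken(key, ComputeX5t(fakeCert), claims);
        Console.WriteLine("x5t present and matching: " + HeaderMatchesExpectedCertificate(jwt, fakeCert));
        Console.WriteLine("mismatch detected: " + !HeaderMatchesExpectedCertificate(jwt, new byte[65]));
    }
}
```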