Does the SecurityTokenValidated callback mean the OWIN middleware has already validated the token automatically?

Date: 2016-09-06 05:57:45

Tags: c# azure owin openid-connect azure-ad-b2c

I am using Azure AD and have set up my Startup.Auth.cs file as shown below. I am able to connect and authenticate successfully with Azure, Google, MS and LinkedIn, and I then receive an id_token, but I would like to be able to validate this token that I receive from Azure, and I'm not sure how. Does the SecurityTokenValidated event being raised mean the token has already been validated against the TokenValidationParameters I defined, so I don't need to validate the token myself? If that is the case, what should I put in the TokenValidationParameters?

The id_token I receive does not contain an encrypted signature to validate.

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        SlidingExpiration = true,
        LoginPath = new PathString("/"),
        CookieSecure = CookieSecureOption.Always,
    });

    var options = new OpenIdConnectAuthenticationOptions
    {
        Authority = "https://login.windows.net/common",
        ClientId = clientId,
        RedirectUri = redirectUri,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = AuthenticationFailed,
            RedirectToIdentityProvider = OnRedirectToIdentityProvider,
            SecurityTokenReceived = OnSecurityTokenReceived,
            AuthorizationCodeReceived = OnAuthorizationCodeReceived,
            SecurityTokenValidated = OnSecurityTokenValidated,
            MessageReceived = OnMessageReceived
        },
        Scope = "openid",
        ResponseType = "id_token",
        Description = new AuthenticationDescription
        {
            AuthenticationType = "OpenIdConnect",
        },
        ConfigurationManager = new PolicyConfigurationManager(
            string.Format(CultureInfo.InvariantCulture, aadInstance, tenant, "/v2.0", OidcMetadataSuffix),
            new[] { SisuGoogle, SisuLinkedIn, SisuMicrosoft, SisuLocal, ResetPasswordLocalPolicyId }),
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudiences = new string[]
            {
                "http://localhost:44330/",
            },
            IssuerSigningKey = GetSecurityKey(),
            // If you don't add this, you get IDX10205
            //ValidateIssuer = false,
        },
    };

    app.UseOpenIdConnectAuthentication(options);

    private SecurityKey GetSecurityKey()
    {
        var securityKey = "secure key";
        var signingKey = new InMemorySymmetricSecurityKey(Encoding.UTF8.GetBytes(securityKey));
        var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest);
        return signingCredentials.SigningKey;
    }

    private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg)
    {
        // Do I need to validate the token here, or has it already been validated??
        // If I have to validate it, then how do I? I've tried the following but it does not work.
        var tokenValidationParameters = new TokenValidationParameters
        {
            IssuerSigningKey = GetSecurityKey()
        };

        SecurityToken validatedToken;
        var jwtHandler = new JwtSecurityTokenHandler();

        // Crashes at this point
        jwtHandler.ValidateToken(arg.ProtocolMessage.IdToken, tokenValidationParameters, out validatedToken);

        return Task.FromResult(0);
    }

2 Answers:

Answer 0: (score: 1)

You can follow this sample: https://github.com/Azure/azure-content/blob/master/articles/active-directory-b2c/active-directory-b2c-devquickstarts-api-dotnet.md

Or have a look at this similar question: https://social.msdn.microsoft.com/Forums/en-US/893a6142-1508-4aa2-9da3-dab3b1f1a6b9/b2c-jwt-token-signature-validation?forum=WindowsAzureAD

If you use a configuration similar to the one in the sample, OWIN will take care of the token validation using the keys it fetches from the metadata endpoint.

Answer 1: (score: 0)

A bit late, but the documentation for the various events can be found here:

OpenIdConnectAuthenticationNotifications

The events you can hook up to the notifications are:

  • AuthenticationFailed
    Invoked if exceptions are thrown during request processing. The exceptions will be re-thrown after this event unless suppressed.

  • AuthorizationCodeReceived
    Invoked after security token validation if an authorization code is present in the protocol message.

  • MessageReceived
    Invoked when a protocol message is first received.

  • RedirectToIdentityProvider
    Invoked to manipulate redirects to the identity provider for SignIn, SignOut or Challenge.

  • SecurityTokenReceived
    Invoked with the security token that has been extracted from the protocol message.

  • SecurityTokenValidated
    Invoked after the security token has passed validation and a ClaimsIdentity has been generated.

  • TokenResponseReceived
    Invoked after the "authorization code" has been redeemed at the token endpoint.

Updated samples that use some of these can be found here: Azure AD B2C: Call an ASP.NET Web API from an ASP.NET Web App

As described under "Advanced options" in Tutorial: Add sign-in to Microsoft to an ASP.NET web app, there are several ways you can further restrict who can access your application once they have authenticated.
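Putting answer 0 (OWIN validates the token with keys fetched from metadata) and the SecurityTokenValidated entry from answer 1 together, here is an added example, not code from the question or from either answer, of how the registration in the question would look if the middleware is left to do the validation and the notification is used only for checks on the already-validated identity. It assumes Katana 3.x (Microsoft.Owin.Security.OpenIdConnect) and that clientId, redirectUri, aadInstance, tenant, OidcMetadataSuffix, the policy ids and the sample's PolicyConfigurationManager exist as in the question; the "/Error" redirect path is a placeholder.

```csharp
using System.Globalization;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            RedirectUri = redirectUri,
            ResponseType = "id_token",
            Scope = "openid",
            // Signing keys come from the policy's metadata document (jwks_uri) via the
            // configuration manager (from the question); no IssuerSigningKey is set by hand.
            ConfigurationManager = new PolicyConfigurationManager(
                string.Format(CultureInfo.InvariantCulture, aadInstance, tenant, "/v2.0", OidcMetadataSuffix),
                new[] { SisuGoogle, SisuLinkedIn, SisuMicrosoft, SisuLocal, ResetPasswordLocalPolicyId }),
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidAudience = clientId,   // an id_token's "aud" is the client id, not the site URL
                ValidateIssuer = true,      // checked against the "issuer" value from the metadata document
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = OnSecurityTokenValidated,
            },
        });
    }

    // Runs only after the middleware has checked signature, issuer, audience and
    // lifetime, so this is the place for application-level checks on the identity.
    private Task OnSecurityTokenValidated(
        SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        ClaimsIdentity id = n.AuthenticationTicket.Identity;
        // Require a B2C policy claim ("tfp" in v2.0 tokens, "acr" in older ones).
        Claim policy = id.FindFirst("tfp") ?? id.FindFirst("acr");
        if (policy == null)
        {
            n.HandleResponse();   // stop the middleware from signing the user in
            n.Response.Redirect("/Error?message=unexpected_policy");   // placeholder path
        }
        return Task.FromResult(0);
    }
}
```

If the handler throws instead of calling HandleResponse, the exception surfaces through the AuthenticationFailed notification listed in answer 1.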