Service Fabric无状态服务是否支持基于声明的授权?
让我们说我有一个web api,在标题中收到一个JWT。我是否可以将JWT或声明传递给Service Fabric无状态服务,以便在执行敏感操作之前对其进行检查?
我可以看到我们可以使用ClaimsCredentials将声明传递给服务:
var serviceProxyFactory = new ServiceProxyFactory(
(callbackClient) => new FabricTransportServiceRemotingClientFactory(
new FabricTransportSettings
{
SecurityCredentials = new ClaimsCredentials
{
LocalClaims = "[JWT HERE? or just Claims JSON?]"
}
}));
IMyService service = serviceProxyFactory.CreateServiceProxy<IMyService>(new Uri("fabric:/MyThing/MyService"));
https://msdn.microsoft.com/en-us/library/azure/system.fabric.claimscredentials.localclaims.aspx表示LocalClaims是&#34;从STS(安全令牌服务)获取的声明令牌的字符串表示。&#34;
此外:
ClaimsCredentials实际上是base64编码的JWT,还是声明键的JSON有效负载:值属性?
在无状态服务中是否需要进行任何特定配置或代码?
您如何获得无国籍服务的声明?
目前,当我调用该服务时,无论我将LocalClaims设置为什么值,我都会收到以下错误:
System.Fabric.FabricCannotConnectException: Error in Connection during ServiceCommunication
---> System.Runtime.InteropServices.COMException: Exception from HRESULT: 0x80071C4C\r\n
at Microsoft.ServiceFabric.Services.Communication.FabricTransport.Common.NativeServiceCommunication.IFabricServiceCommunicationClient2.EndRequest(IFabricAsyncOperationContext context)\r\n
at Microsoft.ServiceFabric.Services.Communication.FabricTransport.Client.NativeServiceCommunicationClient.EndRequest(IFabricAsyncOperationContext context)\r\n at System.Fabric.Interop.AsyncCallOutAdapter2`1.Finish(IFabricAsyncOperationContext context, Boolean expectedCompletedSynchronously)\r\n --- End of inner exception stack trace ---\r\n
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n
at Microsoft.ServiceFabric.Services.Communication.FabricTransport.Client.NativeServiceCommunicationClient.<RequestResponseAsync>d__8.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.ServiceFabric.Services.Communication.Client.ServicePartitionClient`1.<InvokeWithRetryAsync>d__7`1.MoveNext()
谢谢!
答案 0 :(得分:2)
我认为ClaimsCredentials类不打算携带JWT令牌,而是基于某些证书由Service Fabric本身生成的安全令牌。如果您检查类ClaimsCredentials,您会发现它与包含声明信息的本机类密切相关。深入挖掘它会发现一个用于传递信息的结构:
[StructLayout(LayoutKind.Sequential, Pack = 8)]
internal struct FABRIC_CLAIMS_CREDENTIALS
{
public uint ServerCommonNameCount;
public IntPtr ServerCommonNames;
public uint IssuerThumbprintCount;
public IntPtr IssuerThumbprints;
public IntPtr LocalClaims;
public NativeTypes.FABRIC_PROTECTION_LEVEL ProtectionLevel;
public IntPtr Reserved;
}
[StructLayout(LayoutKind.Sequential, Pack = 8)]
internal struct FABRIC_CLAIMS_CREDENTIALS_EX1
{
public uint ServerThumbprintCount;
public IntPtr ServerThumbprints;
public IntPtr Reserved;
}
有很多关于这个类的内部尖叫,没有任何表明与JWT有任何关系或理解的内容。
如果您想在HTTP端点中添加某种形式的安全性,那么您应该能够使用System.IdentityModel.Tokens.JwtSecurityTokenHandler,看一下这个SO答案就可以开始使用Decoding and verifying JWT token using System.IdentityModel.Tokens.Jwt。
如果要将基于JWT的安全性添加到Fabric传输端点,则可能需要使用ServiceRemotingMessageHeaders在客户端中将JWT添加为自定义标头,然后在侦听器上解析并验证该标头。使用提供的和记录的安全模型进行使用X509证书进行服务远程处理可能是更好的选择。