在c#中手动解码OAuth承载令牌

时间:2016-11-25 08:03:27

标签: c# asp.net-web-api oauth-2.0 owin bearer-token

在我的Web Api 2.2基于OWIN的应用程序中,我有一种情况,我手动需要解码承载令牌,但我不知道如何做到这一点。 这是我的startup.cs

public class Startup
{
    public static OAuthAuthorizationServerOptions OAuthServerOptions { get; private set; }
    public static UnityContainer IoC;
    public void Configuration(IAppBuilder app)
    {
        //Set Auth configuration
        ConfigureOAuth(app);

        ....and other stuff
    }

    public void ConfigureOAuth(IAppBuilder app)
    {
        OAuthServerOptions = new OAuthAuthorizationServerOptions()
        {
            AllowInsecureHttp = true,
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
            Provider = new AuthProvider(IoC.Resolve<IUserService>(), IoC.Resolve<IAppSettings>())
        };

        // Token Generation
        app.UseOAuthAuthorizationServer(OAuthServerOptions);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

在我的控制器中我发送了承载令牌作为参数

[RoutePrefix("api/EP")]
public class EPController : MasterController
{
    [HttpGet]
    [AllowAnonymous]
    [Route("DC")]
    public async Task<HttpResponseMessage> GetDC(string token)
    {
        //Get the claim identity from the token here
        //Startup.OAuthServerOptions...

        //..and other stuff
    }
}

如何手动解码并从作为参数传递的令牌中获取声明?

注意:我知道我可以在标题中发送令牌并使用[Authorize]和(ClaimsIdentity)User.Identity等,但问题是如何在令牌时读取令牌没有出现在标题中。

3 个答案:

答案 0 :(得分:12)

将此放在此处可供将来访问的其他人使用。在https://long2know.com/2015/05/decrypting-owin-authentication-ticket/找到的解决方案更简单。

只需2行:

var secureDataFormat = new TicketDataFormat(new MachineKeyProtector());
AuthenticationTicket ticket = secureDataFormat.Unprotect(accessToken);



private class MachineKeyProtector : IDataProtector {
    private readonly string[] _purpose =
    {
        typeof(OAuthAuthorizationServerMiddleware).Namespace,
        "Access_Token",
        "v1"
    };

    public byte[] Protect(byte[] userData)
    {
        throw new NotImplementedException();
    }

    public byte[] Unprotect(byte[] protectedData)
    {
        return System.Web.Security.MachineKey.Unprotect(protectedData, _purpose);
    } }

答案 1 :(得分:6)

我创建了一个用于反序列化承载令牌的示例项目,该项目使用MachineKeyDataProtector进行加密。 您可以查看源代码。

Bearer-Token-Deserializer

答案 2 :(得分:0)

您可以使用System.IdentityModel.Tokens.Jwt包 - Python using enumerate inside list comprehension读取JWT并创建Principals和Identity对象。

这是一个快速示例,显示了阅读和验证令牌时可用的选项,

    private ClaimsIdentity GetIdentityFromToken(string token, X509Certificate2 certificate)
    {  
        var tokenDecoder = new JwtSecurityTokenHandler();         
        var jwtSecurityToken = (JwtSecurityToken)tokenDecoder.ReadToken(token);

        SecurityToken validatedToken;

        var principal = tokenDecoder.ValidateToken(
            jwtSecurityToken.RawData,
            new TokenValidationParameters()
                {
                    ValidateActor = false,
                    ValidateIssuer = false,
                    ValidateAudience = false,
                    ValidateLifetime = false,
                    ValidateIssuerSigningKey = false,
                    RequireExpirationTime = false,
                    RequireSignedTokens = false,
                    IssuerSigningToken = new X509SecurityToken(certificate)
                },
            out validatedToken);

        return principal.Identities.FirstOrDefault();
    }