ADFS client credentials grant flow: resource server does not validate the JWT

Time: 2018-08-10 12:04:19

Tags: adfs .net-framework-version

I have created an application group in ADFS containing 1 client and 1 resource server. I have managed to implement the flow on the client (I get an access token), but when it is passed to the resource server API, it does not validate the access token. What am I missing?

My code in the resource server's Startup.cs is as follows:

// using directives added for completeness; they assume Microsoft.Owin.Security.Jwt 4.x
// together with Microsoft.IdentityModel.Tokens 5.x (the packages the accepted answer relies on)
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCors(CorsOptions.AllowAll);
        ConfigureOAuth(app);

        // more code here
    }

    public void ConfigureOAuth(IAppBuilder app)
    {
        var issuer = "http://adfserver/adfs/services/trust";
        var audience = "https://client";

        // Api controllers with an [Authorize] attribute will be validated with JWT
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                AllowedAudiences = new[] { audience },
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = issuer,
                    ValidateAudience = true,
                    ValidAudience = audience,
                    RequireSignedTokens = true,
                    ValidateIssuerSigningKey = true,
                    ValidateLifetime = true
                    // note: no IssuerSigningKeys are supplied here, so the middleware
                    // has no key to verify the token signature against
                },
            });
    }
}

1 answer:

Answer 0 (score: 0)

Managed to solve the problem. I had to fetch the signing keys from the ADFS server. Below is working code:

// using directives added for completeness; they assume Microsoft.Owin.Security.Jwt 4.x,
// Microsoft.IdentityModel.Tokens 5.x and Microsoft.IdentityModel.Protocols.OpenIdConnect 5.x
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

public void ConfigureOAuth(IAppBuilder app)
{
    // myAdfSserver: the ADFS host name (a field or setting of the Startup class)
    var issuer = $"http://{myAdfSserver}/adfs/services/trust";
    var audience = "audience";

    // Fetches the OpenID Connect discovery document, which carries the
    // token-signing keys published by ADFS (cached by the ConfigurationManager)
    ConfigurationManager<OpenIdConnectConfiguration> configurationManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://{myAdfSserver}/adfs/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    // OWIN Startup is synchronous, so block on the discovery call here
    // (the original used 'await' inside a non-async method, which does not compile)
    var openIdConfig = configurationManager.GetConfigurationAsync().GetAwaiter().GetResult();

    TokenValidationParameters validationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = issuer,
        ValidateAudience = true,
        ValidAudience = audience,
        RequireSignedTokens = true,
        ValidateIssuerSigningKey = true,
        // the keys the signature is verified against come from the discovery document
        IssuerSigningKeys = openIdConfig.SigningKeys,
        ValidateLifetime = true
    };

    app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        AllowedAudiences = new string[] { audience },
        TokenValidationParameters = validationParameters
    });
}

Also, make sure your web requests use TLS 1.2 (the default with .NET Framework 4.6.1). I have set this in the Startup.cs class.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
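The following is an added example and is not code from the question or the answer above. It shows, offline, what the TokenValidationParameters used in the answer actually enforce on a resource server: a locally generated RSA key stands in for the ADFS token-signing certificate (in the real deployment the keys come from openIdConfig.SigningKeys as in the answer), and tokens signed with an unpublished key, issued for another audience, or already expired are each rejected. The issuer and audience strings, the key ids and the appid claim value are constructed placeholders; the code assumes the System.IdentityModel.Tokens.Jwt NuGet package (Microsoft.IdentityModel.Tokens 5.x or later).

```csharp
// Added example (not from the question or answer). Assumes the
// System.IdentityModel.Tokens.Jwt package; issuer, audience, key ids and
// claim values below are constructed stand-ins.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static class JwtValidationDemo
{
    // Constructed stand-ins for the ADFS issuer URI and the resource server identifier
    const string Issuer = "http://adfs.example.test/adfs/services/trust";
    const string Audience = "https://resourceserver.example.test";

    // A fresh RSA key with a key id, as a stand-in for a published signing key
    static RsaSecurityKey NewKey(string kid) =>
        new RsaSecurityKey(new RSACryptoServiceProvider(2048)) { KeyId = kid };

    // Mints a token the way an STS would: RS256-signed, with iss/aud/nbf/exp set.
    static string Mint(RsaSecurityKey key, string aud, DateTime expires)
    {
        var handler = new JwtSecurityTokenHandler();
        var token = handler.CreateJwtSecurityToken(
            issuer: Issuer,
            audience: aud,
            subject: new ClaimsIdentity(new[] { new Claim("appid", "client-id-placeholder") }),
            notBefore: expires.AddMinutes(-10),
            expires: expires,
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.RsaSha256));
        return handler.WriteToken(token);
    }

    // The same settings as the answer's resource server; issuerKeys plays the
    // role of openIdConfig.SigningKeys fetched from the discovery document.
    static TokenValidationParameters BuildParameters(IEnumerable<SecurityKey> issuerKeys) =>
        new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,
            ValidAudience = Audience,
            RequireSignedTokens = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = issuerKeys,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };

    // Returns a one-line verdict instead of throwing, so each case can be shown side by side
    static string TryValidate(string jwt, TokenValidationParameters parameters)
    {
        try
        {
            var principal = new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return "accepted, appid=" + principal.FindFirst("appid")?.Value;
        }
        catch (SecurityTokenException e)
        {
            // SecurityTokenInvalidSignatureException / SecurityTokenSignatureKeyNotFoundException,
            // SecurityTokenInvalidAudienceException, SecurityTokenExpiredException, ...
            return "rejected: " + e.GetType().Name;
        }
    }

    static void Main()
    {
        var adfsKey = NewKey("adfs-signing-1");   // the key the issuer publishes
        var rogueKey = NewKey("not-adfs");        // a key the issuer never published
        var parameters = BuildParameters(new[] { adfsKey });
        var inTenMinutes = DateTime.UtcNow.AddMinutes(10);

        Console.WriteLine("good token:        " + TryValidate(Mint(adfsKey, Audience, inTenMinutes), parameters));
        Console.WriteLine("unknown key:       " + TryValidate(Mint(rogueKey, Audience, inTenMinutes), parameters));
        Console.WriteLine("wrong audience:    " + TryValidate(Mint(adfsKey, "https://other-api.example.test", inTenMinutes), parameters));
        Console.WriteLine("expired token:     " + TryValidate(Mint(adfsKey, Audience, DateTime.UtcNow.AddMinutes(-30)), parameters));
    }
}
```

Only the first token is accepted; the other three fail with a SecurityTokenException subtype naming the failed check. This is why the question's original configuration could not work: with ValidateIssuerSigningKey and RequireSignedTokens set but no IssuerSigningKeys, the middleware has no key to verify against and every token is rejected. In the resource server the keys should keep coming from the ConfigurationManager, which caches the discovery document and whose RequestRefresh() method can be called when ADFS rolls its token-signing certificate.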