将Azure AD Jwt令牌正确转换为ClaimsPrincipal

时间:2019-02-26 18:05:30

标签: c# asp.net-core jwt azure-active-directory iprincipal

我正试图将Azure Active Directory JWT令牌转换为ClaimsPrincipal对象,就像ASP.NET Core一样。

经过一番谷歌搜索,我发现了JwtSecurityTokenHandler(在System.IdentityModel.Tokens.Jwt中,并用它来解码字符串。

var token = "eyj0..."
var handler = new JwtSecurityTokenHandler();
var jsonToken = handler.ReadJwtToken(token);
var claims = jsonToken.Claims;

var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "aad"));

这确实转换了JWT令牌,但是经过进一步检查,我发现上面创建的ClaimsPrincipal对象和ASP.NET Core从同一令牌解析的ClaimsPrincipal对象产生了一些关键差异。

(该部分的重要部分)由ASP.NET创建的JSON序列化ClaimsPrincipal.Identity对象:

{
  "$id": "2",
  "AuthenticationType": "aad",
  "IsAuthenticated": true,
  "Actor": null,
  "BootstrapContext": null,
  "Claims": [
   ...
    {
      "$id": "13",
      "Issuer": "LOCAL AUTHORITY",
      "OriginalIssuer": "LOCAL AUTHORITY",
      "Properties": {

      },
      "Subject": {
        "$ref": "2"
      },
      "Type": "http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress",
      "Value": "<MY EMAIL>",
      "ValueType": "http:\/\/www.w3.org\/2001\/XMLSchema#string"
    }
    ...
  ],
  "Label": null,
  "Name": "<MY EMAIL>",
  "NameClaimType": "http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress",
  "RoleClaimType": "http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/role"
}

({的重要部分)由ClaimsPrincipal.Identity创建的JSON序列化JwtSecurityTokenHandler对象:

{
  "$id": "2",
  "AuthenticationType": "aad",
  "IsAuthenticated": true,
  "Actor": null,
  "BootstrapContext": null,
  "Claims": [
   ...
    {
      "$id": "13",
      "Issuer": "https:\/\/sts.windows.net\/<AN GUID>\/",
      "OriginalIssuer": "https:\/\/sts.windows.net\/<AN GUID>\/",
      "Properties": {

      },
      "Subject": {
        "$ref": "2"
      },
      "Type": "email",
      "Value": "<MY EMAIL>",
      "ValueType": "http:\/\/www.w3.org\/2001\/XMLSchema#string"
    }
   ...
  ],
  "Label": null,
  "Name": null,
  "NameClaimType": "http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/name",
  "RoleClaimType": "http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/role"
}

2个序列化对象有4个主要区别。

  1. 对于所有由Issuer解码的令牌,所有声明都具有LOCAL AUTHORITY的{​​{1}},其中ASP.NET给出JwtSecurityTokenHandler
  2. 某些声明的https:\/\/sts.windows.net\/<AN GUID>\/值是不同的。如您所见,包含用户电子邮件的声明中的TypeType所解码的令牌的email,ASP.NET给出JwtSecurityTokenHandler
  3. http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress解码的NameClaimType对象的ClaimsPrincipal.IdentityJwtSecurityTokenHandler,其中ASP.net给出http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/name
  4. (可能是由于2和3的差异)http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress解码的Name对象的ClaimsPrincipal.IdentityJwtSecurityTokenHandler

如何正确转换令牌,使生成的null对象与ASP.NET Core生成的对象相同?

0 个答案:

没有答案
相关问题
最新问题