微软Owin

微软Owin

关注
发信
关注(28)粉丝(399)

微软Owin UseJwt

本文介绍了微软Owin UseJwt的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

限时删除!!

我使用的方法UseJwtBearerAuthentication有困难的时候,我使用微软的Azure ACS获得令牌(使用服务标识)。智威汤逊令牌返回细到我的测试程序。在测试程序中的令牌被发送到MVC的WebAPI 2.(当从天青活动目录获得令牌的WAAD认证正常工作)

I am having a difficult time using UseJwtBearerAuthentication Method, I am using Microsoft Azure ACS to obtain a token (using a service identity). The JWT token returns fine to my test program. In the test program the token is sent to a MVC WebAPI 2. (The WAAD authentication works fine when token is obtained from Azure Active Directory)

public partial class Startup
{
    private const string Issuer = "https://bluebeam-us-east.accesscontrol.windows.net/";
    public void ConfigureAuth(IAppBuilder app)
    {
        string CertificateThumbprint = "99B25E3E31FCD24F669C260A743FBD508D21FE30";
        var audience = ConfigurationManager.AppSettings["ida:Audience"];
        app.UseErrorPage(new ErrorPageOptions()
                {
                    ShowEnvironment = true,
                    ShowCookies = false,
         ShowSourceCode = true,
                    });



        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Audience =  audience ,
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
            });
        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            AllowedAudiences = new[] { audience },
            IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
            {
                new X509CertificateSecurityTokenProvider(Issuer, X509CertificateHelper.FindByThumbprint(StoreName.My,StoreLocation.LocalMachine,CertificateThumbprint).First())
            },
        });
    }

在code从ACS获取令牌如下:

The Code to get Token from ACS is as follows:

private async void GetJwtToken()
{
    try
    {
        using (var client = new HttpClient())
        {
            client.BaseAddress = new Uri(IdP.Authority);
            var content = new FormUrlEncodedContent(new Dictionary<String, String>
            {
                {"grant_type","client_credentials"},
                {"client_id", IdP.UserName},
                {"client_secret", IdP.Password},
                {"scope", IdP.Resource}
            });
            var response = await client.PostAsync("v2/OAuth2-13", content);
            response.EnsureSuccessStatusCode();
            var jwtdata = await response.Content.ReadAsStringAsync();
            var jwt = JsonConvert.DeserializeObject<Token>(jwtdata);
            AccessToken = jwt.access_token;
            TokenType = jwt.token_type;
            long expire;
            if (long.TryParse(jwt.expires_in, out expire))
            {
                ExpiresOn = DateTimeOffset.UtcNow.AddSeconds(expire);
            }
            Authorization = AccessToken;
        }
    }
    catch (HttpRequestException re)
    {
        Response = re.Message;
    }
}

在code请求资源(的WebAPI):

The code to request a Resource (WebAPI):

private async void WebApiRequestCall()
    {
        try
        {
            ConfigureSsl();
            using (var client = new HttpClient())
            {
                client.BaseAddress = _baseAddress;
                client.DefaultRequestHeaders.Accept.Clear();
                client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
                if (!String.IsNullOrWhiteSpace(Authorization))
                    client.DefaultRequestHeaders.Add("Authorization", Authorization);
                var response = await client.GetAsync(WebApiRequest);
                response.EnsureSuccessStatusCode();
                Response = await response.Content.ReadAsStringAsync();
            }
        }
        catch (HttpRequestException e)
        {
            Response = e.Message;
        }
    }

令牌(使用谷歌的令牌去codeR如下所示)的去codeD

The decoded Token (using google token decoder looks as follows)

Header
{
    "x5t": "mbJePjH80k9mnCYKdD-9UI0h_jA",
    "alg": "RS256",
    "typ": "JWT"
}
Claims
{
    "identityprovider": "https://bluebeam-us-east.accesscontrol.windows.net/",
    "iss": "https://bluebeam-us-east.accesscontrol.windows.net/",
    "http://schemas.microsoft.com/identity/claims/identityprovider": "revu",
    "exp": 1406957036,
    "nbf": 1406956676,
    "aud": "https://bluebeam.com/Bluebeam.Licensing.WebApi/"
}

所以,我有以下问题:

So I have the following questions:

1)使用JwtBearerToken正确的方法使用脱code德code来自ACS智威汤逊令牌
2)是否有任何Owin跟踪设施,可提供最新的认证管道回事?

1) Is using JwtBearerToken the correct method to use to decode decode JWT token from ACS2) Is there any tracing facilities in Owin that can provide whats going on in the authentication pipeline?

我使用微软自带的3.0-RC1。

I am using Microsoft Own 3.0-rc1.

推荐答案

看来,我在code,我发送客户端请求的WebAPI时,没有设置正确的承载头为OWIN有一个错误。

It seems that I had an error in my code where I was not setting the correct "bearer header" for OWIN when sending the client request to WebAPI.

从ACS接收的JWT令牌后,我需要正确设置授权

After Receiving the JWT Token from ACS, I needed to set the Authorization correctly

private async void GetJwtToken()
    {
        try
        {
            using (var client = new HttpClient())
            {
                client.BaseAddress = new Uri(IdP.Authority);
                var content = new FormUrlEncodedContent(new Dictionary<String, String>
                {
                    {"grant_type","client_credentials"},
                    {"client_id", IdP.UserName},
                    {"client_secret", IdP.Password},
                    {"scope", IdP.Resource}
                });
                var response = await client.PostAsync("v2/OAuth2-13", content);
                response.EnsureSuccessStatusCode();
                var jwtdata = await response.Content.ReadAsStringAsync();
                var jwt = JsonConvert.DeserializeObject<Token>(jwtdata);
                IdP.AccessToken = jwt.access_token;
                IdP.TokenType = jwt.token_type;
                long expire;
                if (long.TryParse(jwt.expires_in, out expire))
                {
                    IdP.ExpiresOn = DateTimeOffset.UtcNow.AddSeconds(expire);
                }
                // Ensure that Correct Authorization Header for Owin
                Authorization = String.Format("{0} {1}", "Bearer", IdP.AccessToken);**
            }
        }
        catch (HttpRequestException re)
        {
            Response = re.Message;
        }
    }

我们还需要有关的WebAPI对称密钥,基于支持ACS如何发送令牌

We also need support for symmetric key on the WebAPI, based upon how ACS sends the token

public void ConfigureAuth(IAppBuilder app)
    {
        var thumbPrint = ConfigurationManager.AppSettings["ida:Thumbprint"];
        var audience = ConfigurationManager.AppSettings["ida:Audience"];
        var trustedTokenPolicyKey = ConfigurationManager.AppSettings["ida:SymmetricKey"];

        app.UseErrorPage(new ErrorPageOptions()
                {
                    ShowEnvironment = true,
                    ShowCookies = false,
                    ShowSourceCode = true,
                });

        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions()
        {
            AllowedAudiences = new[] {audience},
            IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
            {
                new X509CertificateSecurityTokenProvider(Issuer,
                    X509CertificateHelper.FindByThumbprint(StoreName.My, StoreLocation.LocalMachine, thumbPrint)
                        .First()),
                new SymmetricKeyIssuerSecurityTokenProvider(Issuer, trustedTokenPolicyKey),
            },
        });
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Audience = audience,
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
            });
    }

这篇关于微软Owin UseJwt的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

1403页,肝出来的..

09-06 15:42
Powered by LMLPHP ©2024 微软Owin 0.038716