oauth-2.0 - Using an OAuth ticket across multiple services?

Reposted. Author: 行者123. Updated: 2023-12-02 19:26:07
I currently have a pair of OWIN-based services, each of which uses OAuth authentication for the same set of users. I intend to isolate the authorization server (i.e. the token endpoint) and somehow configure my two services to accept the tokens it issues. I assume this will involve some configuration on all of my services so that the token can be decrypted by every service involved. Is this possible?

Best answer

After talking with Brock Allen in the comments on the original post, I can't really guarantee that this is a good/secure solution, but this is the code I ended up using. (Note: a version of this code is available as a nuget package.)

I created an IDataProtector implementation that uses AES:

    using System.IO;
    using System.Linq;
    using System.Security;
    using System.Security.Cryptography;
    using System.Text;
    using Microsoft.Owin.Security.DataProtection;

    internal class AesDataProtectorProvider : IDataProtector
    {
        // Fields
        private byte[] key;

        // Constructors
        public AesDataProtectorProvider(string key)
        {
            // Derive a 256-bit AES key from the shared passphrase; every service
            // constructed with the same string ends up with the same key.
            using (var sha256 = new SHA256Managed())
            {
                this.key = sha256.ComputeHash(Encoding.UTF8.GetBytes(key));
            }
        }

        // IDataProtector Methods
        public byte[] Protect(byte[] data)
        {
            // Unkeyed SHA-256 of the plaintext, stored inside the ciphertext as an
            // integrity check (a plain hash, not a keyed MAC).
            byte[] dataHash;
            using (var sha = new SHA256Managed())
            {
                dataHash = sha.ComputeHash(data);
            }

            // AesManaged defaults: CBC mode, PKCS7 padding.
            using (AesManaged aesAlg = new AesManaged())
            {
                aesAlg.Key = this.key;
                aesAlg.GenerateIV();   // fresh random IV for every ticket

                using (var encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV))
                using (var msEncrypt = new MemoryStream())
                {
                    // Output layout: IV (16 bytes, in the clear) || AES(hash || length || data)
                    msEncrypt.Write(aesAlg.IV, 0, 16);

                    using (var csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
                    using (var bwEncrypt = new BinaryWriter(csEncrypt))
                    {
                        bwEncrypt.Write(dataHash);
                        bwEncrypt.Write(data.Length);
                        bwEncrypt.Write(data);
                    }
                    // ToArray() is still valid after the CryptoStream has closed the MemoryStream.
                    var protectedData = msEncrypt.ToArray();
                    return protectedData;
                }
            }
        }

        public byte[] Unprotect(byte[] protectedData)
        {
            using (AesManaged aesAlg = new AesManaged())
            {
                aesAlg.Key = this.key;

                using (var msDecrypt = new MemoryStream(protectedData))
                {
                    // The first 16 bytes are the IV written by Protect.
                    byte[] iv = new byte[16];
                    if (msDecrypt.Read(iv, 0, 16) != 16)
                        throw new SecurityException("Protected data is too short to contain an IV");

                    aesAlg.IV = iv;

                    using (var decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV))
                    using (var csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                    using (var brDecrypt = new BinaryReader(csDecrypt))
                    {
                        // Read back hash || length || data in the order Protect wrote them.
                        var signature = brDecrypt.ReadBytes(32);
                        var len = brDecrypt.ReadInt32();
                        var data = brDecrypt.ReadBytes(len);

                        byte[] dataHash;
                        using (var sha = new SHA256Managed())
                        {
                            dataHash = sha.ComputeHash(data);
                        }

                        // Reject the ticket if the decrypted payload does not hash to the stored value.
                        if (!dataHash.SequenceEqual(signature))
                            throw new SecurityException("Signature does not match the computed hash");

                        return data;
                    }
                }
            }
        }
    }

Then use it from an ISecureDataFormat implementation, like so:

    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.DataHandler.Encoder;
    using Microsoft.Owin.Security.DataHandler.Serializer;
    using Microsoft.Owin.Security.DataProtection;

    public class SecureTokenFormatter : ISecureDataFormat<AuthenticationTicket>
    {
        // Fields
        private TicketSerializer serializer;
        private IDataProtector protector;
        private ITextEncoder encoder;

        // Constructors
        public SecureTokenFormatter(string key)
        {
            this.serializer = new TicketSerializer();                // Katana's own ticket serializer
            this.protector = new AesDataProtectorProvider(key);      // shared-key AES protector from above
            this.encoder = TextEncodings.Base64Url;                  // URL-safe text form of the token
        }

        // ISecureDataFormat<AuthenticationTicket> Members
        public string Protect(AuthenticationTicket ticket)
        {
            // ticket -> bytes -> encrypted bytes -> base64url string
            var ticketData = this.serializer.Serialize(ticket);
            var protectedData = this.protector.Protect(ticketData);
            var protectedString = this.encoder.Encode(protectedData);
            return protectedString;
        }

        public AuthenticationTicket Unprotect(string text)
        {
            // base64url string -> encrypted bytes -> bytes -> ticket
            var protectedData = this.encoder.Decode(text);
            var ticketData = this.protector.Unprotect(protectedData);
            var ticket = this.serializer.Deserialize(ticketData);
            return ticket;
        }
    }

The "key" parameter of the constructor can then be set to the same value on many services, and all of them will be able to decrypt ("unprotect") and use the ticket.
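An encrypt-then-MAC variant of the protector above, added here as an example and not the answer's or the NuGet package's code: it keeps the same shared-secret model (every service holds the same secret) but authenticates the token with HMAC-SHA256 under a separate key and verifies the tag before decrypting, so a tampered token is rejected without any padding error from the decryptor. It assumes a 64-byte shared secret delivered to each service by configuration; the class name AesHmacDataProtector is made up.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using Microsoft.Owin.Security.DataProtection;
// Added example: drop-in for AesDataProtectorProvider in SecureTokenFormatter.
// sharedSecret (assumed, 64 bytes): first half encrypts, second half authenticates.
internal sealed class AesHmacDataProtector : IDataProtector
{
    private readonly byte[] encKey, macKey;
    public AesHmacDataProtector(byte[] sharedSecret)
    {
        if (sharedSecret == null || sharedSecret.Length != 64)
            throw new ArgumentException("expected a 64-byte shared secret", "sharedSecret");
        encKey = sharedSecret.Take(32).ToArray();
        macKey = sharedSecret.Skip(32).ToArray();
    }
    // Token layout: IV (16) || AES-256-CBC ciphertext || HMAC-SHA256(IV || ciphertext) (32)
    public byte[] Protect(byte[] data)
    {
        using (var aes = Aes.Create())   // defaults: CBC, PKCS7
        {
            aes.Key = encKey;
            aes.GenerateIV();
            byte[] body;
            using (var enc = aes.CreateEncryptor())
                body = aes.IV.Concat(enc.TransformFinalBlock(data, 0, data.Length)).ToArray();
            using (var hmac = new HMACSHA256(macKey))
                return body.Concat(hmac.ComputeHash(body)).ToArray();
        }
    }
    public byte[] Unprotect(byte[] protectedData)
    {
        // Minimum size: 16-byte IV + one 16-byte cipher block + 32-byte tag.
        if (protectedData == null || protectedData.Length < 64)
            throw new CryptographicException("token too short");
        int bodyLen = protectedData.Length - 32;
        byte[] tag;
        using (var hmac = new HMACSHA256(macKey)) tag = hmac.ComputeHash(protectedData, 0, bodyLen);
        // Constant-time tag comparison, done before any decryption.
        int diff = 0;
        for (int i = 0; i < tag.Length; i++) diff |= tag[i] ^ protectedData[bodyLen + i];
        if (diff != 0) throw new CryptographicException("token failed authentication");
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = protectedData.Take(16).ToArray();
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(protectedData, 16, bodyLen - 16);
        }
    }
}
```

Because the token layout differs from the answer's, every service has to switch to it at the same time, and tickets issued under the old protector stop validating.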

Regarding "oauth-2.0 - Using an OAuth ticket across multiple services?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/21805755/
