asp.net - OWIN - signing and encrypting requests

Reposted by 行者123, updated 2023-12-04 13:05:00

In our asp.net MVC5 website we authenticate against multiple ADFS servers. For one of these we need to sign (and preferably encrypt) our requests.

We use OWIN and the UseWsFederationAuthentication extension method to set up the options for each ADFS server (see below).

    var adfsLoginProviderOptions = new WsFederationAuthenticationOptions
    {
        MetadataAddress = adfsLoginProvider.MetadataUrl,
        Wtrealm = AppSettings.FirstAgendaWtRealm,
        AuthenticationMode = AuthenticationMode.Passive,
        AuthenticationType = adfsLoginProvider.Name,
        CallbackPath = new PathString("/adfs/callback"),
        UseTokenLifetime = true
    };
    app.UseWsFederationAuthentication(adfsLoginProviderOptions);

My problem is that I don't see an obvious option for setting up request signing and encryption, and I can't seem to find anyone else who has done this.

Best answer

I did some research and found the following.

I needed to register two SecurityTokenHandlers:

  • one to decrypt the encrypted token
  • one to validate the signed token

They are registered as follows:
    var adfsLoginProviderOptions = new WsFederationAuthenticationOptions
    {
        MetadataAddress = adfsLoginProvider.MetadataUrl,
        Wtrealm = "http://[your-realm]",
        AuthenticationMode = AuthenticationMode.Passive,
        AuthenticationType = adfsLoginProvider.Name,
        UseTokenLifetime = false,
        CallbackPath = new PathString("/adfs/callback/" + adfsLoginProvider.ID.ToString()),
        TokenValidationParameters = new TokenValidationParameters
        {
            AuthenticationType = adfsLoginProvider.Name
        },
        SecurityTokenHandlers = new SecurityTokenHandlerCollection
        {
            // first handler: decrypts the token and hands the inner token to the collection
            new EncryptedSecurityTokenHandler(new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
            // second handler: validates the signature, issuer and audience of the SAML token
            new SamlSecurityTokenHandler
            {
                CertificateValidator = X509CertificateValidator.None,
                Configuration = new SecurityTokenHandlerConfiguration()
                {
                    AudienceRestriction = audienceRestriction,
                    IssuerNameRegistry = issuerRegistry
                }
            }
        },
    };

EncryptedSecurityTokenHandler is implemented as follows:

    using System.IdentityModel.Selectors;   // SecurityTokenResolver
    using System.IdentityModel.Tokens;      // SecurityTokenHandlerConfiguration, ISecurityTokenValidator, TokenValidationParameters
    using System.IO;
    using System.Linq;
    using System.Security.Claims;
    using System.Xml;

    public class EncryptedSecurityTokenHandler : System.IdentityModel.Tokens.EncryptedSecurityTokenHandler, ISecurityTokenValidator
    {
        public EncryptedSecurityTokenHandler(SecurityTokenResolver securityTokenResolver)
        {
            // The resolver locates the decryption certificate (here: the LocalMachine\My store)
            Configuration = new SecurityTokenHandlerConfiguration
            {
                ServiceTokenResolver = securityTokenResolver
            };
        }

        public override bool CanReadToken(string securityToken)
        {
            return base.CanReadToken(new XmlTextReader(new StringReader(securityToken)));
        }

        public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
        {
            // ReadToken will decrypt it and look for another SecurityTokenHandler in the same collection to do the actual validation
            validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
            if (ContainingCollection != null)
            {
                var identities = ContainingCollection.ValidateToken(validatedToken);
                var principal = new ClaimsPrincipal(identities.First());
                return principal;
            }
            return new ClaimsPrincipal(base.ValidateToken(validatedToken));
        }

        public int MaximumTokenSizeInBytes { get; set; }
    }

And SamlSecurityTokenHandler:

    using System.Collections.ObjectModel;
    using System.IdentityModel.Tokens;
    using System.IO;
    using System.Linq;
    using System.Security.Claims;
    using System.Xml;

    public class SamlSecurityTokenHandler : System.IdentityModel.Tokens.SamlSecurityTokenHandler, ISecurityTokenValidator
    {
        public override bool CanReadToken(string securityToken)
        {
            return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));
        }

        public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
            out SecurityToken validatedToken)
        {
            validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
            var identities = ValidateToken(validatedToken);
            // Re-issue the identities under the external cookie authentication type
            var newIdentities = identities.Select(d => new ClaimsIdentity(d.Claims, "ExternalCookie"));
            var claimsPrincipal = new ClaimsPrincipal(newIdentities);
            return claimsPrincipal;
        }

        public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
        {
            // Base implementation checks signature, issuer (IssuerNameRegistry) and audience (AudienceRestriction)
            var identities = base.ValidateToken(token);
            return identities;
        }

        public int MaximumTokenSizeInBytes { get; set; }
    }

The audience restriction is the realm of the application:

    var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
    audienceRestriction.AllowedAudienceUris.Add(new Uri("http://[your-realm]"));

The IssuerRegistry is the registry of the issuer's signing certificate:

    var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
    issuerRegistry.AddTrustedIssuer(adfsLoginProvider.SigningCertThumbprint, adfsLoginProvider.Issuer);
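Because the SAML handler in the answer runs with CertificateValidator = X509CertificateValidator.None, no chain or revocation check is performed on the signing certificate: the IssuerNameRegistry is the only thing tying a valid signature to a trusted ADFS issuer. The following is an added example (not code from the original answer) of a stricter registry that pins several thumbprints per issuer (useful during certificate rotation), refuses non-X.509 signing keys and refuses expired certificates, and of how it plugs into the same SecurityTokenHandlerConfiguration used above. The class name PinnedThumbprintIssuerNameRegistry, the BuildHandlerConfiguration helper and the placeholder thumbprint are assumptions introduced for illustration; the override and the types it uses are the standard System.IdentityModel ones.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;                 // AudienceUriMode
using System.IdentityModel.Tokens;                    // IssuerNameRegistry, X509SecurityToken, AudienceRestriction
using System.Security.Cryptography.X509Certificates;

// Added example, not part of the original answer.
public sealed class PinnedThumbprintIssuerNameRegistry : IssuerNameRegistry
{
    // thumbprint -> issuer name; thumbprints are compared case-insensitively
    private readonly Dictionary<string, string> _issuersByThumbprint =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public void AddTrustedIssuer(string thumbprint, string issuerName)
    {
        if (string.IsNullOrWhiteSpace(thumbprint)) throw new ArgumentException("thumbprint is required", "thumbprint");
        if (string.IsNullOrWhiteSpace(issuerName)) throw new ArgumentException("issuerName is required", "issuerName");

        // Thumbprints copied from certificate dialogs often contain spaces or colons;
        // X509Certificate2.Thumbprint is plain hex, so normalise before storing.
        var normalised = thumbprint.Replace(" ", "").Replace(":", "");
        _issuersByThumbprint[normalised] = issuerName;
    }

    // SamlSecurityTokenHandler calls this with the key that produced the signature.
    // Returning null makes the handler reject the token as coming from an unknown issuer.
    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
            return null; // only X.509 signing keys are accepted

        var certificate = x509Token.Certificate;
        var now = DateTime.Now; // NotBefore/NotAfter are local-time DateTimes
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            return null; // pinned or not, a signing certificate outside its validity period is refused

        string issuerName;
        return _issuersByThumbprint.TryGetValue(certificate.Thumbprint, out issuerName)
            ? issuerName
            : null;
    }
}

public static class HandlerConfigurationFactory
{
    // Builds the configuration object assigned to SamlSecurityTokenHandler.Configuration above.
    // currentThumbprint/nextThumbprint/issuer/realm come from the provider record (the answer's
    // adfsLoginProvider); nextThumbprint may be null when no rotation is pending.
    public static SecurityTokenHandlerConfiguration BuildHandlerConfiguration(
        string currentThumbprint, string nextThumbprint, string issuer, string realm)
    {
        var issuerRegistry = new PinnedThumbprintIssuerNameRegistry();
        issuerRegistry.AddTrustedIssuer(currentThumbprint, issuer);
        if (!string.IsNullOrWhiteSpace(nextThumbprint))
            issuerRegistry.AddTrustedIssuer(nextThumbprint, issuer); // pre-pin the rotated certificate

        // Audience must always be present and must match our realm exactly.
        var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
        audienceRestriction.AllowedAudienceUris.Add(new Uri(realm));

        return new SecurityTokenHandlerConfiguration
        {
            AudienceRestriction = audienceRestriction,
            IssuerNameRegistry = issuerRegistry
        };
    }
}

// Usage (placeholder values; replace with the provider's real thumbprint, issuer and realm):
// var config = HandlerConfigurationFactory.BuildHandlerConfiguration(
//     "<current-signing-cert-thumbprint>", "<next-signing-cert-thumbprint-or-null>",
//     "http://[your-issuer]/adfs/services/trust", "http://[your-realm]");
```

The registry is deliberately an allow-list: anything not pinned, including a certificate that chains to a trusted CA, is rejected, which is the behaviour you want once chain validation has been switched off. When ADFS rolls its token-signing certificate, add the new thumbprint before the switch and remove the old one afterwards; a failed GetIssuerName surfaces as a SecurityTokenException in the handler and is worth logging with the offending thumbprint.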

The original question on Stack Overflow: https://stackoverflow.com/questions/34269548/
