Old tokens stopped working after updating Owin from 3.0.0 to 3.0.1


Problem description

I updated the Owin nuget packages from 3.0.0 to 3.0.1 in my WebApi projects, but after the update all the user tokens that were generated by the old version and saved on the client side stopped working with the new deployment.

Is there a way to keep the old user tokens working with the new version? Otherwise all the users will need to log into the system again to get a new access token, which I want to avoid.

Recommended answer


The incompatibility between 3.0.0 and 3.0.1 is due to a bug in the 3.0.0 version of the Microsoft.Owin.Security.DataHandler.Serializer.TokenSerializer class. This class has a private constant, FormatVersion, which indicates the version of the format of the token. The value of this is checked in TokenSerializer.Read(), and any token that doesn’t have a matching format version is rejected.


In version 2.x of the framework the value of FormatVersion is 2. The format of tokens issued by the framework changed between version 2.x and 3.0.0, but it appears that Microsoft forgot to update the value of FormatVersion. They finally updated it in 3.0.1, but of course that results in tokens issued in 3.0.0 being rejected in 3.0.1, as FormatVersion no longer matches.

You can see the discussion of the format change between 2.x and 3.0.0 at https://katanaproject.codeplex.com/workitem/347.

The good news is that there doesn't seem to be any other major difference in the security implementation between 3.0.0 and 3.0.1, and it appears there is a way to get this all working again. The Katana project is open source, and so you can build your own version of 3.0.1 which works around the bug. The change you'll want to make is in TokenSerializer.Read(), so that tokens are accepted if their version is 2 or 3.


What makes this a bit trickier is that the Microsoft.Owin packages are strongly named, and so anything referencing them will also need to be updated to explicitly reference your custom builds. So, you really only want custom builds of the Microsoft.Owin.* libraries that are directly affected by your change to TokenSerializer, or else you’ll give yourself lots of unnecessary work. In my case, I found that the libraries I really cared about were Microsoft.Owin.Security, Microsoft.Owin.Security.OAuth and Microsoft.Owin.Security.Jwt. In particular, you'll want to avoid a custom build of Microsoft.Owin as other libraries are dependent on that.


In my case, I found that I could get this all working with the following changes in the Katana solution (my fork is at https://katanaproject.codeplex.com/SourceControl/network/forks/binarymash/katanaproject?branch=FixCompatabilityWith3.0.0):

  1. Unload the Microsoft.Owin project from the solution
  2. For every project that referenced Microsoft.Owin, modify it to pull the official 3.0.1 build of Microsoft.Owin from Nuget
  3. Build the solution.
  4. Take the customised dlls for Microsoft.Owin.Security, Microsoft.Owin.Security.OAuth and Microsoft.Owin.Security.Jwt and use them in my own projects (and any other libraries I use in my own projects that also have these dependencies, for example IdentityServer3.AccessTokenValidation) to replace the official 3.0.1 packages.


So, tokens I issued in 3.0.0 can now be authenticated in code using my custom 3.0.1 build. I don't want to keep my custom builds in my code permanently; I plan to update the token issuer from 3.0.0 to 3.0.1, at which point I will also revert back to the official 3.0.1 builds.


Your mileage may vary, and I don't accept any responsibility for the worthiness of this solution or anything that might happen if you use it ;)
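As an added illustration (not code from the answer above or from the Katana project), here is a stripped-down model of the FormatVersion check the answer describes. The ticket layout after the version field (an authentication type followed by name/value claim pairs) is an assumption made for this example; Katana's real serializer writes more fields and runs inside a data protector. The point is the single change the answer recommends: a reader pinned to version 3 rejects a token stamped with version 2, while a reader that accepts either 2 or 3 recovers it.

```csharp
// Added example, not Katana's own code. The payload layout after the
// version field is an assumption made for illustration.
using System;
using System.Collections.Generic;
using System.IO;

public sealed class SimpleTicket
{
    public string AuthenticationType { get; set; }
    public List<KeyValuePair<string, string>> Claims { get; } = new List<KeyValuePair<string, string>>();
}

public static class TicketFormat
{
    // 3.0.0 shipped with the stale 2.x value; 3.0.1 bumped it to 3.
    public const int LegacyFormatVersion = 2;
    public const int CurrentFormatVersion = 3;

    // The writer stamps whatever version the issuing release believes in.
    public static byte[] Write(SimpleTicket ticket, int formatVersion)
    {
        using (var ms = new MemoryStream())
        using (var writer = new BinaryWriter(ms))
        {
            writer.Write(formatVersion);
            writer.Write(ticket.AuthenticationType);
            writer.Write(ticket.Claims.Count);
            foreach (var claim in ticket.Claims)
            {
                writer.Write(claim.Key);
                writer.Write(claim.Value);
            }
            writer.Flush();
            return ms.ToArray();
        }
    }

    // Strict reader, as in the official 3.0.1 build: any other version is rejected.
    public static SimpleTicket ReadStrict(byte[] data)
    {
        return Read(data, v => v == CurrentFormatVersion);
    }

    // Tolerant reader, the workaround: accept 2 (issued by 3.0.0) as well as 3.
    // This is only sound because the answer states the payload layout did not
    // change between 3.0.0 and 3.0.1; it is a migration window, not a policy.
    public static SimpleTicket ReadTolerant(byte[] data)
    {
        return Read(data, v => v == LegacyFormatVersion || v == CurrentFormatVersion);
    }

    private static SimpleTicket Read(byte[] data, Func<int, bool> versionAccepted)
    {
        using (var ms = new MemoryStream(data))
        using (var reader = new BinaryReader(ms))
        {
            int version = reader.ReadInt32();
            if (!versionAccepted(version))
            {
                return null;
            }
            var ticket = new SimpleTicket { AuthenticationType = reader.ReadString() };
            int count = reader.ReadInt32();
            for (int i = 0; i < count; i++)
            {
                ticket.Claims.Add(new KeyValuePair<string, string>(reader.ReadString(), reader.ReadString()));
            }
            return ticket;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        var ticket = new SimpleTicket { AuthenticationType = "Bearer" };
        ticket.Claims.Add(new KeyValuePair<string, string>("sub", "alice"));

        // A token as a 3.0.0 deployment would have issued it: version field = 2.
        byte[] issuedBy300 = TicketFormat.Write(ticket, TicketFormat.LegacyFormatVersion);

        Console.WriteLine(TicketFormat.ReadStrict(issuedBy300) == null
            ? "official 3.0.1 reader: rejected"
            : "official 3.0.1 reader: accepted");

        SimpleTicket recovered = TicketFormat.ReadTolerant(issuedBy300);
        Console.WriteLine(recovered == null
            ? "tolerant reader: rejected"
            : "tolerant reader: accepted, sub=" + recovered.Claims[0].Value);
    }
}
```

In Katana the serializer only sees bytes that the data protector has already unprotected, so widening the accepted version set does not weaken the integrity check on the token itself; it only widens which already-authenticated payloads are deserialized. That is also why the workaround should be removed, as the answer says, once the issuer itself runs 3.0.1 and no version-2 tokens are left in circulation.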
