IDX10503: Signature validation failed after updating to Owin.Security v 4.0.0


Question


As per subject, I updated the Owin.Security.WsFederation and dependent packages to version 4.0 and I get the error.


I did not make any code changes other than changing

using Microsoft.IdentityModel.Protocols; 

using Microsoft.IdentityModel.Protocols.WsFederation;

which is where the WsFederationConfiguration class now lives.

Here is my StartupAuth:

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(
            new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
            });

        // Create WsFed configuration from web.config wsfed: values
        var wsconfig = new WsFederationConfiguration()
        {
            Issuer = ConfigurationManager.AppSettings["wsfed:Issuer"],
            TokenEndpoint = ConfigurationManager.AppSettings["wsfed:TokenEndPoint"],
        };

        /*
         * Add x509 certificates to configuration
         */
        // certificate.1 must always exist
        byte[] x509Certificate;
        x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.1"]);
        wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
        // certificate 2 may exist
        if (ConfigurationManager.AppSettings["wsfed:certificate.2"] != null)
        {
            x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.2"]);
            wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
        }
        // certificate 3 may exist
        if (ConfigurationManager.AppSettings["wsfed:certificate.3"] != null)
        {
            x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.3"]);
            wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
        }

        // Apply configuration to wsfed Auth Options
        var wsoptions = new WsFederationAuthenticationOptions
        {
            SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            Configuration = wsconfig,
            Wreply = ConfigurationManager.AppSettings["wsfed:Wreply"],
            Wtrealm = ConfigurationManager.AppSettings["wsfed:Wtrealm"],
        };
        wsoptions.TokenValidationParameters.NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";

        // Add WsFederation middleware to Owin pipeline
        app.UseWsFederationAuthentication(wsoptions);
    }


Is there something else 4.0 needs to validate the signature? I assume it's talking about the signature of the token from the issuer. I didn't see how to enable ShowPII to see what key it's looking at.


I am using MVC5 with the full framework. Not core.

Update:


I tried to modify the code to use the metadata provided by the identity provider in a properties file to create the WsFederationConfiguration and I still get the same error. I'm not sure what the Signature is, or where I get it from if it's not in the idp metadata.

Update 2:

Here are the changes I made to use the wsfed metadata provided by the STS in a properties file. (I have removed the actual base64 encoded metadata, but needless to say it is the same XML you get when you request the metadata from an STS that publishes it as an endpoint.) As I said above, I get the same error:

    public void ConfigureAuth(IAppBuilder app)
    {
        WsFederationConfiguration wsconfig;

        app.UseCookieAuthentication(
            new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
            });

        var metaDataDocument = System.Text.Encoding.UTF8.GetString(
                Convert.FromBase64String("...c2NyaXB0b3I+"));

        using (var metaDataReader = XmlReader.Create(new StringReader(metaDataDocument), SafeSettings))
        {
            wsconfig = (new WsFederationMetadataSerializer()).ReadMetadata(metaDataReader);
        }

        // Apply configuration to wsfed Auth Options
        var wsoptions = new WsFederationAuthenticationOptions
        {
            SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            Configuration = wsconfig,
            Wreply = ConfigurationManager.AppSettings["wsfed:Wreply"],
            Wtrealm = ConfigurationManager.AppSettings["wsfed:Wtrealm"],
        };
        wsoptions.TokenValidationParameters.NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";

        // Add WdFederation middleware to Owin pipeline
        app.UseWsFederationAuthentication(wsoptions);
    }

Answer

I worked with some folks on the team at MS. The issue here was that our STS is using SHA1 to sign the token and the new version of WsFederation doesn't support SHA1 as it is not secure and is deprecated.
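Because the IDX10503 message does not say which algorithm or key it rejected unless ShowPII is turned on, it helps to look at the token itself. The following is an added example (not code from the question or the answer above): a small Python checker that parses the XML-DSIG block of a captured WS-Federation/SAML token, reports the SignatureMethod and DigestMethod algorithms, flags the SHA-1 ones as the deprecated set the answer describes, and prints the SHA-1 thumbprint of the embedded signing certificate so it can be compared against the certificates configured in web.config. The token is constructed inline with placeholder signature, digest and certificate values; the `make_token` helper and its `sts.example.test` issuer are assumptions of this example.

```python
"""Inspect the XML signature on a WS-Federation/SAML token (added example,
not part of the original question or answer)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Algorithm URIs from XML-DSIG / RFC 6931. The SHA-1 family is the set the
# 4.x Microsoft.IdentityModel validation stack rejects by default.
DEPRECATED_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA-SHA1 signature",
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1 digest",
}

# Constructed placeholder: NOT a real DER certificate, just bytes so that a
# thumbprint can be computed and compared like a real one would be.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a DER certificate").decode()


def make_token(signature_alg: str, digest_alg: str) -> str:
    """Build a minimal, constructed SAML 1.1 assertion with an enveloped
    signature. SignatureValue/DigestValue contents are placeholders."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="_constructed-1" Issuer="https://sts.example.test/">
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{signature_alg}"/>
      <ds:Reference URI="#_constructed-1">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</saml:Assertion>"""


def inspect_signature(token_xml: str) -> dict:
    """Return the signature/digest algorithms used, which of them are
    deprecated, and the thumbprint of the certificate carried in KeyInfo."""
    root = ET.fromstring(token_xml)
    sig = root.find(".//ds:Signature", NS)
    if sig is None:
        return {"signed": False, "deprecated": [], "thumbprint": None}

    sig_method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
    digest_methods = [
        ref.get("Algorithm")
        for ref in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    ]
    # Whitespace-insensitive base64, as the element is usually line-wrapped.
    cert_b64 = "".join(
        sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                     default="", namespaces=NS).split())
    thumbprint = None
    if cert_b64:
        # Windows shows the SHA-1 hash of the DER bytes as the "thumbprint";
        # this is only a key identifier, not a signature algorithm choice.
        thumbprint = hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()

    used = [sig_method] + digest_methods
    return {
        "signed": True,
        "signature_method": sig_method,
        "digest_methods": digest_methods,
        "deprecated": [DEPRECATED_ALGORITHMS[a] for a in used if a in DEPRECATED_ALGORITHMS],
        "thumbprint": thumbprint,
    }


if __name__ == "__main__":
    for label, token in (
        ("sha1", make_token("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                            "http://www.w3.org/2000/09/xmldsig#sha1")),
        ("sha256", make_token("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                              "http://www.w3.org/2001/04/xmlenc#sha256")),
    ):
        report = inspect_signature(token)
        print(label, report["signature_method"], report["deprecated"], report["thumbprint"])
```

Run against a real token (for example the wresult posted back to the Wreply URL, with its secrets handled accordingly) the `deprecated` list tells you whether the STS needs to be moved to SHA-256, and `thumbprint` tells you which of the `wsfed:certificate.N` entries the token actually claims to be signed with.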
